net-libs/pjproject: Version 2.12.1 (security release). #21761

Closed

jkroonza
Contributor

Whilst I submitted a version yesterday back-porting the security fixes,
an official release has now been made available, bump to it instead.

Bug: https://bugs.gentoo.org/803614
Package-Manager: Portage-3.0.20, Repoman-3.0.2
Signed-off-by: Jaco Kroon <jaco@uls.co.za>

@gentoo-bot

Pull Request assignment

Submitter: @jkroonza
Areas affected: ebuilds
Packages affected: net-libs/pjproject

net-libs/pjproject: @jkroonza, @gentoo/proxy-maint

Linked bugs

Bugs linked: 803614


In order to force reassignment and/or bug reference scan, please append [please reassign] to the pull request title.

Docs: Code of Conduct ● Copyright policy (expl.) ● Devmanual ● GitHub PRs ● Proxy-maint guide

@gentoo-bot added labels Jul 24, 2021:
- self-maintained: The PR changes only packages that are maintained by the submitter (i.e. no need to ask anybody else)
- assigned: PR successfully assigned to the package maintainer(s).
- bug linked: Bug/Closes found in footer, and cross-linked with the PR.
- security: PR that needs to be merged promptly as it addresses security issues

@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2021-07-24 08:49 UTC
Newest commit scanned: 7dc78e5
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/033050e329/output.html

Contributor

@ionenwks ionenwks left a comment

I can't seem to be able to build asterisk[pjproject] with this version (2.10 is fine)

/usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../x86_64-pc-linux-gnu/bin/ld: cannot find -lpjsua2
collect2: error: ld returned 1 exit status
make[1]: *** [/tmp/portage/net-misc/asterisk-18.5.1/work/asterisk-18.5.1/Makefile.rules:193: chan_pjsip.so] Error 1

And indeed there's no libpjsua2.so installed with 2.11, but it's there with 2.10.

Also (not a new issue, this could wait for another time):

 * QA Notice: Files built without respecting LDFLAGS have been detected
 *  Please include the following list of files in your report:
 * /usr/lib64/libg7221codec.so.2
 * /usr/lib64/libilbccodec.so.2
 * /usr/lib64/libwebrtc.so.2
 * /usr/lib64/libyuv.so.2

@jkroonza
Contributor Author

> I can't seem to be able to build asterisk[pjproject] with this version (2.10 is fine)
>
> /usr/lib/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../x86_64-pc-linux-gnu/bin/ld: cannot find -lpjsua2
> collect2: error: ld returned 1 exit status
> make[1]: *** [/tmp/portage/net-misc/asterisk-18.5.1/work/asterisk-18.5.1/Makefile.rules:193: chan_pjsip.so] Error 1
>
> And indeed there's no libpjsua2.so installed with 2.11, but it's there with 2.10.
>
> Also (not a new issue, this could wait for another time):
>
>  * QA Notice: Files built without respecting LDFLAGS have been detected
>  *  Please include the following list of files in your report:
>  * /usr/lib64/libg7221codec.so.2
>  * /usr/lib64/libilbccodec.so.2
>  * /usr/lib64/libwebrtc.so.2
>  * /usr/lib64/libyuv.so.2

Upstream parallel build issue I've not been able to track down. Reference https://bugs.gentoo.org/765799

I'm not convinced just using -j1 in any such case is the right fix, as it's dependent on the way in which make resolves dependencies (tomorrow it could decide to build in a different order, then the issue is back).

Two (three) options:

  1. I can force non-parallel build (emake -j1);
  2. This being a security bump we ignore the issue for now; or
  3. I need help tracking the missing dependency issue (I really dislike these "distributed Makefile" type makefiles using recursive builds to achieve things ... in my experience it causes more problems than it solves).

@ionenwks
Contributor

> Upstream parallel build issue I've not been able to track down. Reference https://bugs.gentoo.org/765799

The log snippet I showed was from asterisk with USE=pjproject, not pjproject itself. pjproject built fine, but one library is missing causing asterisk to fail.

@ionenwks
Contributor

i.e.

$ qlist -e =pjproject-2.10-r2 | grep 'libpjsua'
/usr/lib64/libpjsua2.so.2
/usr/lib64/libpjsua2.so
/usr/lib64/libpjsua.so.2
/usr/lib64/libpjsua.so

$ qlist -e =pjproject-2.11.1 | grep 'libpjsua'
/usr/lib64/libpjsua.so.2
/usr/lib64/libpjsua.so

Where did libpjsua2.so go? If it breaks its only rdep there's probably not much sense in merging this as-is.
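
The comparison made by hand in the comment above can be scripted, so that a version bump is checked for dropped libraries before reverse dependencies are rebuilt. This is an added example, not part of the original thread or of Gentoo's tooling; the function names `dropped_libs` and `demo` are hypothetical, and the sample lists are the two qlist outputs quoted above.

```sh
#!/bin/sh
# Added example: report shared-library linker names (lib*.so) that the old
# package version installed and the new one does not.
# Input: two files, each a list of installed paths, one per line
# (for example the saved output of `qlist -e =<atom>`).

dropped_libs() {
    old_list=$1
    new_list=$2
    old_tmp=$(mktemp) || return 2
    new_tmp=$(mktemp) || { rm -f "$old_tmp"; return 2; }
    # Keep only unversioned linker names (what -lfoo resolves to),
    # sorted in the C locale so that comm sees a consistent order.
    grep -E '/lib[^/]*\.so$' "$old_list" | LC_ALL=C sort -u > "$old_tmp"
    grep -E '/lib[^/]*\.so$' "$new_list" | LC_ALL=C sort -u > "$new_tmp"
    # Lines present only in the old list are libraries the bump stops installing.
    LC_ALL=C comm -23 "$old_tmp" "$new_tmp"
    rm -f "$old_tmp" "$new_tmp"
}

# Sample lists copied from the qlist output quoted in the comment above.
demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/old" <<'EOF'
/usr/lib64/libpjsua2.so.2
/usr/lib64/libpjsua2.so
/usr/lib64/libpjsua.so.2
/usr/lib64/libpjsua.so
EOF
    cat > "$dir/new" <<'EOF'
/usr/lib64/libpjsua.so.2
/usr/lib64/libpjsua.so
EOF
    dropped_libs "$dir/old" "$dir/new"
    rm -rf "$dir"
}

demo
```

Any path printed is a linker name that consumers such as asterisk may still pass as `-l<name>`, so a non-empty result is a reason to rebuild the reverse dependencies before merging.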

@jkroonza
Contributor Author

I'm going to take this to draft, doesn't look like asterisk will currently compile with 2.11, I did however back-port the asterisk-affecting security patch to 2.10-r2 in 93f6d97. (After an initial round on -r1 which we should probably at this point remove)

@jkroonza jkroonza marked this pull request as draft August 31, 2021 08:02
@jkroonza jkroonza changed the title from "net-libs/pjproject: Version 2.11.1 (security release)." to "net-libs/pjproject: Version 2.12.1 (security release)." Jun 9, 2022
@jkroonza jkroonza marked this pull request as ready for review June 9, 2022 20:41
@jkroonza
Contributor Author

jkroonza commented Jun 9, 2022

Known problem:

 *  Please include the following list of files in your report:
 * /usr/lib64/libg7221codec.so.2
 * /usr/lib64/libilbccodec.so.2
 * /usr/lib64/libresample.so.2
 * /usr/lib64/libwebrtc.so.2
 * /usr/lib64/libyuv.so.2

Previously these were all just silent failure not working at all, so in my opinion still an improvement, need some sleep now though.

@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2022-06-09 20:55 UTC
Newest commit scanned: 2f8f8e7
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/eab064ea6f/output.html

Upstream release.

Remove the need for custom patches (which is still required but no
longer applies, instead, rely on ./configure detecting openssl, we do
depend on it, and only --disable-ssl works, passing --enable-ssl also
effectively disables ssl).

Compile tested asterisk 13, 16 and 18 (in-tree versions) against this.
Would appreciate a double-check on this one.  One version from each is
sufficient.

Since the two libraries that were the target of parallel build failures
are now one, I believe the parallel build issue is fixed too.

Included patch for CVE-2022-31031

Closes: https://bugs.gentoo.org/833765
Closes: https://bugs.gentoo.org/817803
Closes: https://bugs.gentoo.org/808099
Closes: https://bugs.gentoo.org/834491
Bug: https://bugs.gentoo.org/803614
Bug: https://bugs.gentoo.org/765799
Bug: https://bugs.gentoo.org/829894
Package-Manager: Portage-3.0.20, Repoman-3.0.2
Signed-off-by: Jaco Kroon <jaco@uls.co.za>
@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2022-06-09 21:16 UTC
Newest commit scanned: 2fcce0e
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/8aaa181a9d/output.html

Member

@juippis juippis left a comment

Seems to work now.

Comment on lines +1 to +4
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=7
Member

Suggested change
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
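
Review bot: The last line of this suggestion moves the ebuild from EAPI=7 to EAPI=8, which is a behavioural change for the package manager rather than a header fix like the copyright year on the first line, so it should not be applied as a drive-by edit. Re-run the build and the asterisk compile tests described in the commit message after the bump, or split it out and take only the 1999-2022 copyright line here.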
