
xpdf: 4.00 -> 4.02 #68616

Merged
merged 2 commits into from Nov 22, 2019

Conversation

@sikmir (Member) commented Sep 12, 2019

Motivation for this change
CVE-2018-7173: fixed in 4.01 [JBIG2Stream.cc]
CVE-2018-7174: fixed in 4.01 [XRef.cc]
CVE-2018-7175: fixed in 4.01 [JPXStream.cc]
CVE-2018-7452: fixed in 4.01 [JPXStream.cc]
CVE-2018-7454: fixed in 4.01 [XFAForm.cc]
CVE-2018-16368: fixed in 4.01 [Splash.cc]
CVE-2018-18651: fixed in 4.01 [Catalog.cc]
...
  • knownVulnerabilities (will be fixed in 5.00)
CVE-2018-7453: loop in PDF objects
CVE-2018-16369: loop in PDF objects
CVE-2019-9587: loop in PDF objects; will be fixed in 5.00
CVE-2019-9588: loop in PDF objects; will be fixed in 5.00
CVE-2019-16088: loop in PDF objects; will be fixed in 5.00
  • Xpdf no longer uses t1lib (since 3.04)
  • Printing support is enabled by default
  • Add .desktop file
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
$ nix path-info -Sh /nix/store/r3ws1zl6iwg267n74sh5saxm1xcqqnsy-xpdf-4.00
/nix/store/r3ws1zl6iwg267n74sh5saxm1xcqqnsy-xpdf-4.00	 539.3M
$ nix path-info -Sh /nix/store/9bclywymaxygr2cwsqaqjna5f618qzd2-xpdf-4.02
/nix/store/9bclywymaxygr2cwsqaqjna5f618qzd2-xpdf-4.02	 277.6M

@sikmir sikmir changed the title xpdf: 4.00 -> 4.01.01 xpdf: 4.00 -> 4.02 Oct 16, 2019
@sikmir (Member Author) commented Oct 16, 2019

Updated to 4.02

@jonringer (Contributor) commented Oct 16, 2019

Is it still insecure after the update?

@sikmir (Member Author) commented Oct 16, 2019

Yes, 2 issues will be fixed in 5.00.

@sikmir (Member Author) commented Nov 12, 2019

@jonringer Why can't we update to 4.02 without waiting for 5.00? The current version 4.00 has around 45 CVEs and none of them is mentioned in knownVulnerabilities, but 4.02 has only 5 CVEs. That's much better.

@jonringer (Contributor) commented

Oh, I didn't mean to block, I was just curious.

@jonringer (Contributor) commented

The main thing for me is that, previous to this, I could install xpdf fine; after this, I have to opt into allowing known vulnerabilities to install the package. Some power users may care about that, but I think most people don't. @worldofpeace what do you think?

@worldofpeace (Contributor) commented Nov 12, 2019

@sikmir You're waiting on a 5.0 release that will have patches for those CVEs, or is it that patches have been committed but they're not included in a release? If they're committed we could just apply those here.

Though looking at https://www.xpdfreader.com/download.html, I don't see a source repo.

The main thing for me is that, previous to this, I could install xpdf fine; after this, I have to opt into allowing known vulnerabilities to install the package. Some power users may care about that, but I think most people don't. @worldofpeace what do you think?

I think this change should be backported, but without permittedInsecurePackages it won't evaluate.
I do think we should use this meta attribute feature, but to be backported to stable we can't use it because it will fail to evaluate for current users. Hopefully before 20.03 there will be a release.

@sikmir Can you move the knownVulnerabilities to a separate commit? Otherwise LGTM.

I should investigate #68616 (comment) also.
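To make the two mechanisms in this thread concrete, here is an added example (not the nixpkgs expression from this PR) of how a package expression records open CVEs in meta.knownVulnerabilities. The CVE strings are the ones listed in the PR description; the download URL and hash are placeholders, not real values.

```nix
# Added example, not the xpdf expression from this PR.
# A package whose meta.knownVulnerabilities is non-empty is refused by the
# nixpkgs meta check at evaluation time unless the user opts in, which is
# the "it won't evaluate" behaviour the thread refers to.
{ lib, stdenv, fetchurl }:

stdenv.mkDerivation rec {
  pname = "xpdf";
  version = "4.02";

  # Placeholder URL and hash: substitute the real upstream tarball and its
  # sha256 before using this expression.
  src = fetchurl {
    url = "https://example.invalid/xpdf-${version}.tar.gz";
    sha256 = lib.fakeSha256;
  };

  meta = with lib; {
    description = "Viewer for Portable Document Format (PDF) files";
    # Free-form strings; the nixpkgs convention is "CVE-id: short summary",
    # and the list below is taken from the PR description above.
    knownVulnerabilities = [
      "CVE-2018-7453: loop in PDF objects"
      "CVE-2018-16369: loop in PDF objects"
      "CVE-2019-9587: loop in PDF objects; will be fixed in 5.00"
      "CVE-2019-9588: loop in PDF objects; will be fixed in 5.00"
      "CVE-2019-16088: loop in PDF objects; will be fixed in 5.00"
    ];
  };
}
```

The opt-in that jonringer mentions is keyed on the derivation name, not on the CVE ids: a user adds `permittedInsecurePackages = [ "xpdf-4.02" ];` to `~/.config/nixpkgs/config.nix` (or `nixpkgs.config.permittedInsecurePackages = [ "xpdf-4.02" ];` in a NixOS configuration), or exports `NIXPKGS_ALLOW_INSECURE=1` for a one-off build. Because the name includes the version, the exception silently stops applying on the next bump, which is why backporting a knownVulnerabilities entry to a stable branch breaks existing users' evaluations, as worldofpeace notes.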

@sikmir (Member Author) commented Nov 12, 2019

@sikmir You're waiting on a 5.0 release that will have patches for those cve's, or is it that patches have been committed but they're not included in a release? If they're committed we could just apply those here.

I'm not waiting for 5.0; I have no idea when 5.0 is going out or when the fixes will be done, I've just quoted the official security fixes page.

@sikmir Can you move the knownVulnerabilities to a separate commit? Otherwise LGTM.

Done.

@risicle (Contributor) commented Nov 21, 2019

I think this is an improvement on the existing situation - what's the hold up?

@worldofpeace (Contributor) commented

I think this is an improvement on the existing situation - what's the hold up?

Me forgetting to merge, thanks for the reminder 😄

@worldofpeace worldofpeace merged commit a5dba2f into NixOS:master Nov 22, 2019
@sikmir sikmir deleted the xpdf branch November 22, 2019 14:05
@worldofpeace (Contributor) commented

backported the update in 3dd7ed3


4 participants