poppler 0.61: patch against CVE-2018-13988 #45916
Out of bounds vulnerability in versions up to 0.62. Generally, we use a newer poppler version but some pkgs still depend on 0.61. Patch named in https://nvd.nist.gov/vuln/detail/CVE-2018-13988.
This should go to staging. On master, texlive uses poppler 0.61, which I think is causing a mass rebuild here. texlive in staging uses current poppler, so this may not even be a mass rebuild relative to current staging.
@GrahamcOfBorg eval
@GrahamcOfBorg build poppler_0_61
Success on x86_64-linux (full log). Attempted: poppler_0_61
Success on aarch64-linux (full log). Attempted: poppler_0_61
Timed out, unknown build status on x86_64-darwin (full log). Attempted: poppler_0_61
As backported in Ubuntu. On unstable the issue is solved by #45916. I couldn't find their source repo working with current data, not even salsa.debian.org, so I copied the patch from their tarball.
Out of bounds vulnerability in versions up to 0.62. Generally, we use a newer poppler version but some pkgs still depend on 0.61. Patch named in https://nvd.nist.gov/vuln/detail/CVE-2018-13988. (cherry picked from commit 542a860)
^^ Ported to both stables.
Motivation for this change
Out of bounds vulnerability in poppler up to 0.62.
Generally, we use a newer poppler version in NixOS but some pkgs still depend on 0.61. Patch named in https://nvd.nist.gov/vuln/detail/CVE-2018-13988.
Things done
- Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)
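The fix described in this PR is a patch attached to the pinned poppler 0.61 derivation rather than a version bump, since packages such as texlive still depend on 0.61. The overlay below is an added illustration of that mechanism, not the PR's own diff: it assumes the patch copied from the Ubuntu tarball is stored next to the overlay as `./CVE-2018-13988.patch` (a placeholder file name) and appends it to whatever patches the `poppler_0_61` attribute already carries, so the rest of the package definition is left untouched.

```nix
# Added example (not nixpkgs' own code): apply a locally stored copy of the
# CVE-2018-13988 fix to the poppler 0.61 derivation through an overlay.
# Assumptions: the attribute is named poppler_0_61 (as the page's build
# command uses) and the patch file ./CVE-2018-13988.patch is a placeholder
# path for the patch copied from the Ubuntu source tarball.
self: super: {
  poppler_0_61 = super.poppler_0_61.overrideAttrs (old: {
    # Keep any patches the package already applies and add the CVE fix.
    patches = (old.patches or [ ]) ++ [ ./CVE-2018-13988.patch ];
  });
}
```

Because only `patches` changes, the derivation's closure should be unaffected apart from the rebuilt poppler output itself; comparing `nix path-info -S` on the old and new result, as the checklist asks, confirms that.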