Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

poppler 0.61: patch against CVE-2018-13988 #45916

Merged
merged 1 commit into from Sep 2, 2018
Merged

poppler 0.61: patch against CVE-2018-13988 #45916

merged 1 commit into from Sep 2, 2018

Conversation

ckauhaus
Copy link
Contributor

@ckauhaus ckauhaus commented Sep 1, 2018

Motivation for this change

Out of bounds vulnerability in poppler up to 0.62.

Generally, we use a newer poppler version in NixOS but some pkgs still depend on 0.61. Patch named in https://nvd.nist.gov/vuln/detail/CVE-2018-13988.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of pkgs that depend on this change: libreoffice, texlive
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

poppler 0.61: patch against CVE-2018-13988
7b8c00b 
Out of bounds vulnerability in versions up to 0.62.

Generally, we use a newer poppler version but some pkgs still depend on
0.61. Patch named in https://nvd.nist.gov/vuln/detail/CVE-2018-13988.
@xeji
Copy link
Contributor

xeji commented Sep 1, 2018

This should go to staging. On master, texlive uses poppler 0.61, which I think is causing a mass rebuild here. texlive in staging uses current poppler, so this may not even be a mass rebuild relative to current staging.

@vcunat vcunat changed the base branch from master to staging September 1, 2018 20:16
@jtojnar
Copy link
Contributor

jtojnar commented Sep 1, 2018

@GrahamcOfBorg eval

@xeji
Copy link
Contributor

xeji commented Sep 1, 2018

@GrahamcOfBorg build poppler_0_61

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: poppler_0_61

Partial log (click to expand)

shrinking /nix/store/lq2v53iyswd351bc7k8kprjw73izrn58-poppler-glib-0.61.0/lib/libpoppler-glib.so.8.9.0
strip is /nix/store/h0lbngpv6ln56hjj59i6l77vxq25flbz-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/lq2v53iyswd351bc7k8kprjw73izrn58-poppler-glib-0.61.0/lib
patching script interpreter paths in /nix/store/lq2v53iyswd351bc7k8kprjw73izrn58-poppler-glib-0.61.0
checking for references to /build in /nix/store/lq2v53iyswd351bc7k8kprjw73izrn58-poppler-glib-0.61.0...
shrinking RPATHs of ELF executables and libraries in /nix/store/669g1pg20dw6rp52bvbwlnkirad5hmf6-poppler-glib-0.61.0-dev
strip is /nix/store/h0lbngpv6ln56hjj59i6l77vxq25flbz-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/669g1pg20dw6rp52bvbwlnkirad5hmf6-poppler-glib-0.61.0-dev/lib
patching script interpreter paths in /nix/store/669g1pg20dw6rp52bvbwlnkirad5hmf6-poppler-glib-0.61.0-dev
checking for references to /build in /nix/store/669g1pg20dw6rp52bvbwlnkirad5hmf6-poppler-glib-0.61.0-dev...

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: poppler_0_61

Partial log (click to expand)

shrinking /nix/store/pz74m7a6sbzam34725cmnjsk17z0c7i9-poppler-glib-0.61.0/lib/libpoppler.so.72.0.0
strip is /nix/store/y4ymnvgxygpq05h03kyzbj572zmh6zla-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/pz74m7a6sbzam34725cmnjsk17z0c7i9-poppler-glib-0.61.0/lib
patching script interpreter paths in /nix/store/pz74m7a6sbzam34725cmnjsk17z0c7i9-poppler-glib-0.61.0
checking for references to /build in /nix/store/pz74m7a6sbzam34725cmnjsk17z0c7i9-poppler-glib-0.61.0...
shrinking RPATHs of ELF executables and libraries in /nix/store/v8xm3yklq7fmc5cq469pqcsadv270k1x-poppler-glib-0.61.0-dev
strip is /nix/store/y4ymnvgxygpq05h03kyzbj572zmh6zla-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/v8xm3yklq7fmc5cq469pqcsadv270k1x-poppler-glib-0.61.0-dev/lib
patching script interpreter paths in /nix/store/v8xm3yklq7fmc5cq469pqcsadv270k1x-poppler-glib-0.61.0-dev
checking for references to /build in /nix/store/v8xm3yklq7fmc5cq469pqcsadv270k1x-poppler-glib-0.61.0-dev...

@GrahamcOfBorg
Copy link

Timed out, unknown build status on x86_64-darwin (full log)

Attempted: poppler_0_61

Partial log (click to expand)

cannot build derivation '/nix/store/r12d0sf3cr7yrspmkhng0l93p6rmbqcr-apple-framework-CoreText.drv': 5 dependencies couldn't be built
cannot build derivation '/nix/store/bhv5igi2kn2g6y6c4ciln2k8myx0nzfl-apple-framework-ImageIO.drv': 4 dependencies couldn't be built
cannot build derivation '/nix/store/9szq98ajpcsqmfl4fack7kh4if3sxkid-apple-framework-ApplicationServices.drv': 6 dependencies couldn't be built
cannot build derivation '/nix/store/bhsybg064470idyz9j8cdffgd3gknfwa-apple-framework-CoreVideo.drv': 7 dependencies couldn't be built
cannot build derivation '/nix/store/kcn1qnc0964b6y8s15q3v0izpsmx3nm2-apple-framework-Foundation.drv': 8 dependencies couldn't be built
cannot build derivation '/nix/store/32lmb4ra8ji6j9k7bz89zgm5gwk4lrhb-apple-framework-QuartzCore.drv': 6 dependencies couldn't be built
cannot build derivation '/nix/store/2ahf3q8x9cnqbz7nc2lhjfjm7i06dgwl-apple-framework-Carbon.drv': 9 dependencies couldn't be built
cannot build derivation '/nix/store/5c23vjv4z7704k9wxhncz8hy8pv6qdyg-cairo-1.15.12.drv': 17 dependencies couldn't be built
cannot build derivation '/nix/store/ib79kdyni9mmwbrx6dq57327l6cjvbpg-poppler-glib-0.61.0.drv': 14 dependencies couldn't be built
error: build of '/nix/store/ib79kdyni9mmwbrx6dq57327l6cjvbpg-poppler-glib-0.61.0.drv' failed

@xeji xeji merged commit 542a860 into NixOS:staging Sep 2, 2018
vcunat added a commit that referenced this pull request Sep 3, 2018
@vcunat
poppler: apply a security patch
f737652 
As backported in Ubuntu.  On unstable the issue is solved by #45916.
I couldn't find their source repo working with current data,
even that salsa.debian.org, so I copied the patch from their tarball.
vcunat pushed a commit that referenced this pull request Sep 3, 2018
@vcunat
poppler 0.61: patch against CVE-2018-13988 (#45916)
1845c6e 
Out of bounds vulnerability in versions up to 0.62.

Generally, we use a newer poppler version but some pkgs still depend on
0.61. Patch named in https://nvd.nist.gov/vuln/detail/CVE-2018-13988.

(cherry picked from commit 542a860)
@vcunat vcunat added the 8.has: port to stable A PR already has a backport to the stable release. label Sep 3, 2018
@vcunat
Copy link
Member

vcunat commented Sep 3, 2018

^^ Ported to both stables.

@ckauhaus ckauhaus deleted the cve-2018-13988-poppler branch September 3, 2018 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
1.severity: security 8.has: port to stable A PR already has a backport to the stable release. 10.rebuild-darwin: 1-10 10.rebuild-linux: 11-100
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@ckauhaus @xeji @jtojnar @GrahamcOfBorg @vcunat