
[r19.03 backport] leptonica: patch multiple CVEs #61217

Merged

Conversation

risicle
Contributor

@risicle risicle commented May 9, 2019

Motivation for this change

As I note in #60392 (comment) (whose PR should really be merged), the commits fixing CVE-2018-7441 & CVE-2018-7442 don't feel practical to backport and the fix for CVE-2017-18196 is yet to be found.

However this should fix CVE-2018-3836, CVE-2018-7186, CVE-2018-7247 & CVE-2018-7440.

I've also enabled the tests to give me some confidence that I'm not completely butchering the code.

Haven't yet completed a nox-review for this. Builds for me on non-NixOS Linux x86_64.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@c0bw3b
Contributor

c0bw3b commented May 10, 2019

@GrahamcOfBorg build leptonica

@risicle
Contributor Author

risicle commented May 10, 2019

Huh, I'm getting this wrong output hash problem on another machine of mine too - maybe I made a mistake...

this should fix CVE-2018-3836, CVE-2018-7186, CVE-2018-7247 & CVE-2018-7440

a fix for CVE-2018-7441 & CVE-2018-7442 is *not* included as their patches
are very wide-ranging

also enable tests to give confidence that I'm not completely butchering
the code
@risicle risicle force-pushed the ris-leptonica-fix-19.03-backport branch from 1443930 to 0861ad5 May 10, 2019 18:35
@risicle
Contributor Author

risicle commented May 10, 2019

Yup must have poisoned my cache somehow - fixed now.

@risicle
Contributor Author

risicle commented May 10, 2019

And I've also checked nox-review works on macos now.

@c0bw3b
Contributor

c0bw3b commented May 10, 2019

@GrahamcOfBorg build leptonica

@c0bw3b
Contributor

c0bw3b commented May 11, 2019

Result of nix-review pr 61217

14 packages were built:
  • fmbt (tesseract3)
  • gImageReader (tesseract3)
  • invoice2data (tesseract3)
  • jbig2enc (tesseract3)
  • k2pdfopt (tesseract3)
  • leptonica (tesseract3)
  • paperwork (tesseract3)
  • python27Packages.pytesseract (tesseract3)
  • python37Packages.paperwork-backend (tesseract3)
  • python37Packages.pyocr (tesseract3)
  • python37Packages.pytesseract (tesseract3)
  • tesseract (tesseract3)
  • tesseract4 (tesseract3)
  • vobsub2srt (tesseract3)

@c0bw3b c0bw3b merged commit 0f50b68 into NixOS:release-19.03 May 11, 2019
@risicle risicle deleted the ris-leptonica-fix-19.03-backport branch May 11, 2019 12:44
@risicle
Contributor Author

risicle commented May 11, 2019

It should be noted that k2pdfopt overrides its leptonica, removing all patches.

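The last comment points at a real supply-chain pitfall: a downstream package that overrides a library's `patches` list outright silently discards every patch the base package carries, the CVE fixes from this PR included. The following Nix expression is an added illustration, not code from nixpkgs, from k2pdfopt, or from this PR; the patch file names are placeholders, and the `leptonicaPatched` stand-in only mimics the shape of a patched package. It contrasts the override pattern that loses inherited patches with the one that appends to them, and exposes the patch counts so the difference can be checked by evaluation alone.

```nix
# Added example (not from nixpkgs or this PR). Shows how a downstream
# override can drop a library's security patches, and how to add local
# patches without doing so. Patch file names are placeholders.
{ pkgs ? import <nixpkgs> {} }:

let
  # Stand-in for the leptonica package after this PR: the base package plus
  # CVE patches (placeholder file names) and tests enabled.
  leptonicaPatched = pkgs.leptonica.overrideAttrs (old: {
    patches = (old.patches or []) ++ [
      ./CVE-PLACEHOLDER-1.patch
      ./CVE-PLACEHOLDER-2.patch
    ];
    doCheck = true;
  });

  # Risky pattern: assigning `patches` replaces the inherited list. Whatever
  # the base package carried, CVE fixes included, is gone from this build.
  leptonicaLosesPatches = leptonicaPatched.overrideAttrs (old: {
    patches = [ ./local-tweak.patch ];
  });

  # Safe pattern: append to the inherited list so existing fixes survive.
  leptonicaKeepsPatches = leptonicaPatched.overrideAttrs (old: {
    patches = (old.patches or []) ++ [ ./local-tweak.patch ];
  });

  # Cheap audit helper: how many patches does a derivation actually carry?
  patchCount = drv: builtins.length (drv.patches or []);
in {
  basePatches = patchCount leptonicaPatched;   # at least 2
  lost        = patchCount leptonicaLosesPatches;  # 1: only the local tweak
  kept        = patchCount leptonicaKeepsPatches;  # basePatches + 1
}
```

Evaluate without building anything, e.g. `nix-instantiate --eval --strict -A lost example.nix` and `-A kept`; a reviewer checking a backport like this one can run the same `patchCount` idea against every dependent reported by nix-review to find the ones that re-declare `patches` and therefore never receive the fix.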