Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[r19.03 backport] leptonica: patch multiple CVEs #61217

Merged
merged 1 commit into from
May 11, 2019
Merged

[r19.03 backport] leptonica: patch multiple CVEs #61217

merged 1 commit into from
May 11, 2019
+127 −7

Conversation

risicle
Copy link
Contributor

@risicle risicle commented May 9, 2019
edited
Loading

Motivation for this change

As I note in #60392 (comment) (whose PR should really be merged), the commits fixing CVE-2018-7441 & CVE-2018-7442 don't feel practical to backport and the fix for CVE-2017-18196 is yet to be found.

However this should fix CVE-2018-3836, CVE-2018-7186, CVE-2018-7247 & CVE-2018-7440.

I've also enabled the tests to give me some confidence that I'm not completely butchering the code.

Haven't yet completed a nox-review for this. Builds for me non-nixos linux x86_64

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

@c0bw3b c0bw3b added 1.severity: security Issues which raise a security issue, or PRs that fix one 8.has: port to stable A PR already has a backport to the stable release. labels May 10, 2019
@c0bw3b
Copy link
Contributor

c0bw3b commented May 10, 2019

@GrahamcOfBorg build leptonica

@risicle
Copy link
Contributor Author

risicle commented May 10, 2019

Huh I'm getting this wrong output hash problem on another machine of mine too - maybe I made a mistake...

@risicle
leptonica: patch multiple CVEs
0861ad5 
this should fix CVE-2018-3836, CVE-2018-7186, CVE-2018-7247 & CVE-2018-7440

a fix for CVE-2018-7441 & CVE-2018-7442 is *not* included as its patches
are very wide-ranging

also enable tests to give confidence that I'm not completely butchering
the code
@risicle risicle force-pushed the ris-leptonica-fix-19.03-backport branch from 1443930 to 0861ad5 Compare May 10, 2019 18:35
@risicle
Copy link
Contributor Author

risicle commented May 10, 2019

Yup must have poisoned my cache somehow - fixed now.

@risicle
Copy link
Contributor Author

risicle commented May 10, 2019

And I've also checked nox-review works on macos now.

@c0bw3b
Copy link
Contributor

c0bw3b commented May 10, 2019

@GrahamcOfBorg build leptonica

@c0bw3b
Copy link
Contributor

c0bw3b commented May 11, 2019

Result of nix-review pr 61217 1

14 package were build:
  • fmbt (tesseract3)
  • gImageReader (tesseract3)
  • invoice2data (tesseract3)
  • jbig2enc (tesseract3)
  • k2pdfopt (tesseract3)
  • leptonica (tesseract3)
  • paperwork (tesseract3)
  • python27Packages.pytesseract (tesseract3)
  • python37Packages.paperwork-backend (tesseract3)
  • python37Packages.pyocr (tesseract3)
  • python37Packages.pytesseract (tesseract3)
  • tesseract (tesseract3)
  • tesseract4 (tesseract3)
  • vobsub2srt (tesseract3)

@c0bw3b c0bw3b merged commit 0f50b68 into NixOS:release-19.03 May 11, 2019
@risicle risicle deleted the ris-leptonica-fix-19.03-backport branch May 11, 2019 12:44
@risicle
Copy link
Contributor Author

risicle commented May 11, 2019

It should be noted that k2pdfopt overrides its leptonica, removing all patches.

This was referenced May 11, 2019
Merged
Merged
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@c0bw3b c0bw3b

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 8.has: port to stable A PR already has a backport to the stable release. 10.rebuild-darwin: 1-10 10.rebuild-linux: 11-100
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@risicle @c0bw3b