
autotrace: mark as insecure #30988

Merged
merged 1 commit into from Nov 1, 2017
Conversation

pbogdan
Member

@pbogdan pbogdan commented Oct 30, 2017

Motivation for this change

This is both a PR but also a question about the policy of when it's appropriate to mark a package as insecure, as I wasn't able to find any documentation or guidance on this topic. Please feel free to close this if it's not in line with said policy.
The package in question doesn't appear to be maintained upstream (no release in well over a decade) and I wasn't able to locate any patches from other distributions. As a single data point, Gentoo dropped support for the package. At this time I'm not aware of any working exploits related to the CVEs listed.

/cc maintainer @Hodapp87

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@disassembler disassembler merged commit 73fe832 into NixOS:master Nov 1, 2017
@disassembler
Member

Errors out by default as expected:

error: Package ‘autotrace-0.31.1’ in /home/sam/nixpkgs/master/pkgs/applications/graphics/autotrace/default.nix:65 is marked as insecure, refusing to evaluate.


Known issues:

 - CVE-2017-9200
...

With insecure enabled for the package, builds fine. I'm merging. Thanks for the update!
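As an added illustration (not the PR's own diff, which is not reproduced on this page), the two sides of the mechanism described above: the package-side meta.knownVulnerabilities attribute that makes evaluation refuse by default, and the user-side opt-in that makes the build succeed again. The derivation skeleton, URL and hash are assumed placeholders; only the CVE quoted in the error output is listed.

```nix
# --- package side: pkgs/applications/graphics/autotrace/default.nix (skeleton) ---
{ stdenv, fetchurl, lib }:

stdenv.mkDerivation rec {
  name = "autotrace-0.31.1";   # the name nixpkgs prints in the "marked as insecure" error

  # Placeholder source; the real URL and hash are not on this page.
  src = fetchurl {
    url = "https://example.invalid/${name}.tar.gz";
    sha256 = lib.fakeSha256;
  };

  meta = with lib; {
    description = "Utility for converting bitmaps into vector graphics";
    # Any non-empty list here makes nixpkgs refuse to evaluate the package
    # unless the user explicitly allows it (see below). Because nothing
    # evaluates it by default afterwards, later breakage goes unnoticed.
    knownVulnerabilities = [
      "CVE-2017-9200"
      # further CVEs are listed in the actual PR and elided here
    ];
  };
}

# --- user side (a): permanent opt-in in NixOS configuration.nix ---
# {
#   nixpkgs.config.permittedInsecurePackages = [
#     "autotrace-0.31.1"   # must match the derivation name exactly
#   ];
# }

# --- user side (b): one-off opt-in for every insecure package, from the shell ---
#   NIXPKGS_ALLOW_INSECURE=1 nix-build '<nixpkgs>' -A autotrace
```

Option (a) is scoped to one package name and version, so a version bump re-raises the refusal; option (b) waives the check for all packages in that invocation.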

@orivej
Contributor

orivej commented Nov 1, 2017

OK, thank you for the decision. The problem is that it opens the possibility for the build of this package to silently break in the future, while whether autotrace is considered vulnerable or not depends on its use.

@disassembler
Member

Yes, the knownVulnerabilities will introduce silent breakage, but an unmaintained application with 52 related CVEs I think is a good reason to use that attribute. I also think we should just remove this completely after 18.03.

@orivej
Contributor

orivej commented Nov 1, 2017

Why? It is not a network application. It may run arbitrary code from a specially crafted malformed file, but it is certainly safe to use on the images I draw myself or on the pictures that I take, and it is reasonably likely safe to use on images that were displayed without errors by a browser or another program.

@disassembler
Member

Do you want me to revert and we can open it up for discussion with security team?

@orivej
Contributor

orivej commented Nov 1, 2017

No, unless any other user complains; so far either decision about this issue seems acceptable. (Personally I use the vectorizer built into Inkscape.)

@pbogdan pbogdan deleted the autotrace-insecure branch December 3, 2019 17:16