GNU bug report logs -
#27621
Poppler's replacement is ABI-incompatible with the original
[Message part 1 (text/plain, inline)]
Your message dated Sun, 09 Jul 2017 17:25:07 -0400
with message-id <87pod98frg.fsf <at> netris.org>
and subject line Re: bug#27621: Poppler's replacement is ABI-incompatible with the original
has caused the debbugs.gnu.org bug report #27621,
regarding Poppler's replacement is ABI-incompatible with the original
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
27621: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=27621
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
Currently Inkscape fails to start as the poppler shared library changes from
libpoppler.so.66 to libpoppler.so.67 upon grafting. Is this the correct way
to fix this issue?
I'm not quite sure why poppler is grafted in the first place, given there are
so few dependencies (26)? Should it simply be updated?
Thanks, ben
[Message part 3 (message/rfc822, inline)]
Leo Famulari <leo <at> famulari.name> writes:
> On Sat, Jul 08, 2017 at 06:04:37PM -0400, Mark H Weaver wrote:
>> Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
>> need to find backported fixes for poppler-0.52.0 (or possibly some newer
>> version that has the same ABI as 0.52.0), and apply those as patches in
>> the replacement.
>
> I just pushed b3cc304b3050e89858c88947fbd7d76c108b5d67 which applies a
> patch for CVE-2017-9776 onto the poppler 0.52.0 source code.
Thank you! :)
> We'll need to write and test our own patch for CVE-2017-9775 that will
> apply to the source of poppler 0.52.0, or wait for someone else to do
> it and copy theirs.
I looked, but backporting the fix to 0.52.0 seems non-trivial. Fedora
26 uses poppler-0.52.0, but I see that they have not yet fixed either of
these CVEs.
http://pkgs.fedoraproject.org/cgit/rpms/poppler.git/log/?h=f26
They did, however, cherry-pick an upstream patch to fix a null pointer
dereference bug in 0.52.0. I'll look into adding this patch to our
poppler.
FWIW, Fedora considers CVE-2017-9775 to be of low severity:
https://access.redhat.com/security/cve/cve-2017-9775
Anyway, I'm closing this bug now. Thanks again for your tireless
efforts to keep us safe, Leo!
Mark
This bug report was last modified 7 years and 321 days ago.