GNU bug report logs -
#27621
Poppler's replacement is ABI-incompatible with the original
[Message part 1 (text/plain, inline)]
Your bug report
#27621: Poppler's replacement is ABI-incompatible with the original
which was filed against the guix package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 27621 <at> debbugs.gnu.org.
--
27621: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=27621
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> On Sat, Jul 08, 2017 at 06:04:37PM -0400, Mark H Weaver wrote:
>> Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
>> need to find backported fixes for poppler-0.52.0 (or possibly some newer
>> version that has the same ABI as 0.52.0), and apply those as patches in
>> the replacement.
>
> I just pushed b3cc304b3050e89858c88947fbd7d76c108b5d67 which applies a
> patch for CVE-2017-9776 onto the poppler 0.52.0 source code.

Thank you! :)

> We'll need to write and test our own patch for CVE-2017-9775 that will
> apply to the source of poppler 0.52.0, or wait for someone else to do
> it and copy theirs.

I looked, but backporting the fix to 0.52.0 seems non-trivial. Fedora
26 uses poppler-0.52.0, but I see that they have not yet fixed either of
these CVEs.

http://pkgs.fedoraproject.org/cgit/rpms/poppler.git/log/?h=f26

They did, however, cherry-pick an upstream patch to fix a null pointer
dereference bug in 0.52.0. I'll look into adding this patch to our
poppler.

FWIW, Fedora considers CVE-2017-9775 to be of low severity:

https://access.redhat.com/security/cve/cve-2017-9775

Anyway, I'm closing this bug now. Thanks again for your tireless
efforts to keep us safe, Leo!

Mark
[Message part 3 (message/rfc822, inline)]
Currently Inkscape fails to start as the poppler shared library changes from
libpoppler.so.66 to libpoppler.so.67 upon grafting. Is this the correct way
to fix this issue?

I'm not quite sure why poppler is grafted in the first place, given there are
so few dependencies (26)? Should it simply be updated?

Thanks, ben
This bug report was last modified 7 years and 321 days ago.