GNU bug report logs - #27621
Poppler's replacement is ABI-incompatible with the original


Package: guix;

Reported by: Ben Woodcroft <donttrustben <at> gmail.com>

Date: Sat, 8 Jul 2017 16:43:02 UTC

Severity: important

Tags: patch

Done: Mark H Weaver <mhw <at> netris.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#27621; Package guix. (Sat, 08 Jul 2017 16:43:02 GMT)

Acknowledgement sent to Ben Woodcroft <donttrustben <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 08 Jul 2017 16:43:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Ben Woodcroft <donttrustben <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: [PATCH] gnu: inkscape: Use ungrafted poppler input.
Date: Sat,  8 Jul 2017 21:08:33 +1000
Currently Inkscape fails to start as the poppler shared library changes from
libpoppler.so.66 to libpoppler.so.67 upon grafting. Is this the correct way
to fix this issue?

I'm not quite sure why poppler is grafted in the first place, given there are
so few dependencies (26)? Should it simply be updated?

Thanks, ben





Information forwarded to bug-guix <at> gnu.org:
bug#27621; Package guix. (Sat, 08 Jul 2017 17:11:02 GMT)

Message #8 received at submit <at> debbugs.gnu.org:

From: Ben Woodcroft <donttrustben <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: [PATCH] gnu: inkscape: Use ungrafted poppler input.
Date: Sat,  8 Jul 2017 21:08:34 +1000
Previously, inkscape failed to start, attempting to load an incorrect
poppler shared library version.

* gnu/packages/inkscape.scm (inkscape)[inputs]: Replace poppler with
poppler-0.56.0.
* gnu/packages/pdf.scm (poppler-0.56.0): Export it.
---
 gnu/packages/inkscape.scm | 3 ++-
 gnu/packages/pdf.scm      | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/inkscape.scm b/gnu/packages/inkscape.scm
index 0f28e640a..b52c2e1a2 100644
--- a/gnu/packages/inkscape.scm
+++ b/gnu/packages/inkscape.scm
@@ -59,7 +59,8 @@
        ("gtkmm" ,gtkmm-2)
        ("gtk" ,gtk+-2)
        ("gsl" ,gsl)
-       ("poppler" ,poppler)
+       ("poppler" ,poppler-0.56.0) ; Use an ungrafted poppler so the correct
+                                   ; library is loaded.
        ("libpng" ,libpng)
        ("libxml2" ,libxml2)
        ("libxslt" ,libxslt)
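Review bot: pinning the input to the `poppler-0.56.0` variable sidesteps the graft instead of fixing it, and it detaches inkscape from the `poppler` variable that carries the security `replacement`, so the next CVE fix grafted onto `poppler` will not reach inkscape unless someone remembers to bump this line by hand. The comment `; Use an ungrafted poppler so the correct ; library is loaded.` also misdescribes what happens: `poppler-0.56.0` is the replacement itself, and inkscape starts only because it is rebuilt from scratch against `libpoppler.so.67` rather than having its references rewritten. If a package-side workaround is really unavoidable, say so in the comment and cite this bug number; otherwise the change belongs in the `replacement` in pdf.scm.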
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index dce02a7b5..574b223ee 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -130,7 +130,7 @@
    (license license:gpl2+)
    (home-page "https://poppler.freedesktop.org/")))
 
-(define poppler-0.56.0
+(define-public poppler-0.56.0
   (package (inherit poppler)
   (version "0.56.0")
   (source
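Review bot: turning `define` into `define-public` makes `poppler-0.56.0` a user-visible package (it will be listed next to 0.52.0 by `guix package -A poppler`) even though it exists only to serve as the graft `replacement`. If inkscape.scm genuinely needs the binding exported, wrap the definition with `hidden-package` so a replacement-only variant is not offered for installation, and leave `poppler-0.56.0` private again once the inkscape workaround is dropped.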
-- 
2.13.2





Information forwarded to bug-guix <at> gnu.org:
bug#27621; Package guix. (Sat, 08 Jul 2017 22:05:02 GMT)

Message #11 received at 27621 <at> debbugs.gnu.org:

From: Mark H Weaver <mhw <at> netris.org>
To: Ben Woodcroft <donttrustben <at> gmail.com>, leo <at> famulari.name (Leo Famulari)
Cc: 27621 <at> debbugs.gnu.org, control <at> debbugs.gnu.org
Subject: bug#27621: Poppler's replacement is ABI-incompatible with the original
Date: Sat, 08 Jul 2017 18:04:37 -0400
retitle 27621 Poppler's replacement is ABI-incompatible with the original
severity 27621 important
thanks

Ben Woodcroft <donttrustben <at> gmail.com> writes:

> Currently Inkscape fails to start as the poppler shared library changes from
> libpoppler.so.66 to libpoppler.so.67 upon grafting. Is this the correct way
> to fix this issue?

The problem is that poppler's replacement is not ABI compatible with the
original.  This will likely break any program linked with libpoppler.
This needs to be fixed in poppler.  We should not work around this by
changing our inkscape package.

> I'm not quite sure why poppler is grafted in the first place, given there are
> so few dependencies (26)? Should it simply be updated?

How did you count 26?  According to "guix refresh -l poppler", poppler
has 1643 dependent packages per platform.  That's too many.

The problem originated with the following security update:

leo <at> famulari.name (Leo Famulari) writes:
> lfam pushed a commit to branch master
> in repository guix.
>
> commit 95bbaa02aa63bc5eae36f686f1ed9915663aa4cf
> Author: Leo Famulari <leo <at> famulari.name>
> Date:   Thu Jun 29 03:10:30 2017 -0400
>
>     gnu: poppler: Fix CVE-2017-{9775,9776}.
>     
>     * gnu/packages/pdf.scm (poppler)[replacement]: New field.
>     (poppler-0.56.0): New variable.
>     (poppler-qt4, poppler-qt5): Use 'package/inherit'.
> ---
>  gnu/packages/pdf.scm | 17 +++++++++++++++--
>  1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
> index 5ccaa38..dce02a7 100644
> --- a/gnu/packages/pdf.scm
> +++ b/gnu/packages/pdf.scm
> @@ -76,6 +76,7 @@
>  (define-public poppler
>    (package
>     (name "poppler")
> +   (replacement poppler-0.56.0)
>     (version "0.52.0")
>     (source (origin
>              (method url-fetch)
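Review bot: `(replacement poppler-0.56.0)` on a package whose `version` is `0.52.0` uses a four-minor-release jump as a graft, and grafting only rewrites store-path references inside dependents; it cannot cope with a changed shared-library major version (the report above shows libpoppler.so.66 becoming libpoppler.so.67), so every dependent linked against the old name fails to load the library at run time. The replacement must keep the original version and ABI and carry only the backported CVE patches in its `source`, and the commit message should record how ABI compatibility was checked (for instance by comparing the versioned `lib*.so.N` names of the two outputs) before the graft is pushed.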

Unfortunately, we cannot use poppler-0.56.0 to replace 0.52.0 via
grafting.  The shared library major version number bump indicates an ABI
incompatibility.

Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
need to find backported fixes for poppler-0.52.0 (or possibly some newer
version that has the same ABI as 0.52.0), and apply those as patches in
the replacement.

      Mark
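The check Mark's reply implies, as an added example that is not part of this thread and not Guix's own tooling: a small POSIX shell pre-flight that compares the major version of every shared library between the original package's output directory and the proposed replacement's, and refuses the graft when any of them differ. It reads the `lib*.so.N` file names that the dynamic loader resolves rather than the ELF SONAME, so it is a quick filter, not a substitute for `readelf -d`; the `make_fake_output` helper and the temporary `poppler-*` directories it builds are constructed sample input (empty files with the usual symlink chain), and in real use the two arguments would be store outputs built with `guix build --no-grafts` for the original and the candidate replacement.

```shell
#!/bin/sh
# Added example (not Guix code): pre-graft ABI sanity check on lib*.so.N names.

# lib_majors DIR: print "libname major" for each versioned shared library
# under DIR/lib, deduplicated (libfoo.so.1 and libfoo.so.1.2.3 both yield "libfoo 1").
lib_majors() {
  dir="$1"
  for f in "$dir"/lib/*.so.*; do
    [ -e "$f" ] || continue           # no match: the glob stays literal, skip it
    base=$(basename "$f")
    name=${base%%.so.*}               # libpoppler.so.66.0.0 -> libpoppler
    rest=${base#*.so.}                # -> 66.0.0
    major=${rest%%.*}                 # -> 66
    printf '%s %s\n' "$name" "$major"
  done | sort -u
}

# graft_abi_check ORIG NEW: every library shipped by ORIG must exist in NEW
# with the same major version.  Prints one line per mismatch; returns 0 when
# NEW is a plausible graft for ORIG and 1 otherwise.
graft_abi_check() {
  orig="$1"
  new="$2"
  mismatches=$(
    lib_majors "$orig" | while read -r name major; do
      new_major=$(lib_majors "$new" | awk -v n="$name" '$1 == n { print $2 }')
      if [ -z "$new_major" ]; then
        printf '%s: present in %s, missing in %s\n' "$name" "$orig" "$new"
      elif [ "$new_major" != "$major" ]; then
        printf '%s: .so.%s -> .so.%s (ABI break)\n' "$name" "$major" "$new_major"
      fi
    done
  )
  if [ -n "$mismatches" ]; then
    printf '%s\n' "$mismatches"
    return 1
  fi
  return 0
}

# make_fake_output DIR NAME MAJOR: constructed stand-in for a store output,
# with the usual lib<NAME>.so -> .so.MAJOR -> .so.MAJOR.0.0 chain.  The files
# are empty, so only the file-name logic above is exercised.
make_fake_output() {
  mkdir -p "$1/lib"
  : > "$1/lib/lib$2.so.$3.0.0"
  ln -sf "lib$2.so.$3.0.0" "$1/lib/lib$2.so.$3"
  ln -sf "lib$2.so.$3" "$1/lib/lib$2.so"
}

# Demo on constructed directories: a patched 0.52.0 keeps .so.66 and passes,
# while 0.56.0 bumps to .so.67 and is refused.
demo_dir=$(mktemp -d)
make_fake_output "$demo_dir/poppler-0.52.0" poppler 66
make_fake_output "$demo_dir/poppler-0.52.0-patched" poppler 66
make_fake_output "$demo_dir/poppler-0.56.0" poppler 67
for candidate in poppler-0.52.0-patched poppler-0.56.0; do
  if graft_abi_check "$demo_dir/poppler-0.52.0" "$demo_dir/$candidate"; then
    echo "$candidate: OK to graft"
  else
    echo "$candidate: refuse graft"
  fi
done
rm -rf "$demo_dir"
```

A replacement that passes this check is one that keeps 0.52.0's ABI, which in practice means a package variant that inherits the original's `source` and only adds the backported CVE fixes under `patches`; a candidate that fails it should never be wired up as a `replacement`, because the graft will silently produce binaries that cannot load the library.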




Changed bug title to 'Poppler's replacement is ABI-incompatible with the original' from '[PATCH] gnu: inkscape: Use ungrafted poppler input.' Request was from Mark H Weaver <mhw <at> netris.org> to control <at> debbugs.gnu.org. (Sat, 08 Jul 2017 22:05:02 GMT)

Severity set to 'important' from 'normal' Request was from Mark H Weaver <mhw <at> netris.org> to control <at> debbugs.gnu.org. (Sat, 08 Jul 2017 22:05:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#27621; Package guix. (Sun, 09 Jul 2017 06:31:02 GMT)

Message #18 received at 27621 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Mark H Weaver <mhw <at> netris.org>
Cc: Ben Woodcroft <donttrustben <at> gmail.com>, control <at> debbugs.gnu.org,
 27621 <at> debbugs.gnu.org
Subject: Re: bug#27621: Poppler's replacement is ABI-incompatible with the
 original
Date: Sun, 9 Jul 2017 02:30:49 -0400
On Sat, Jul 08, 2017 at 06:04:37PM -0400, Mark H Weaver wrote:
> Ben Woodcroft <donttrustben <at> gmail.com> writes:
> 
> > Currently Inkscape fails to start as the poppler shared library changes from
> > libpoppler.so.66 to libpoppler.so.67 upon grafting. Is this the correct way
> > to fix this issue?

> The problem originated with the following security update:
> 
> leo <at> famulari.name (Leo Famulari) writes:
> > lfam pushed a commit to branch master
> > in repository guix.
> >
> > commit 95bbaa02aa63bc5eae36f686f1ed9915663aa4cf
> > Author: Leo Famulari <leo <at> famulari.name>
> > Date:   Thu Jun 29 03:10:30 2017 -0400
> >
> >     gnu: poppler: Fix CVE-2017-{9775,9776}.
> >     
> >     * gnu/packages/pdf.scm (poppler)[replacement]: New field.
> >     (poppler-0.56.0): New variable.
> >     (poppler-qt4, poppler-qt5): Use 'package/inherit'.

Sorry about this mistake.

> Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
> need to find backported fixes for poppler-0.52.0 (or possibly some newer
> version that has the same ABI as 0.52.0), and apply those as patches in
> the replacement.

I just pushed b3cc304b3050e89858c88947fbd7d76c108b5d67 which applies a
patch for CVE-2017-9776 onto the poppler 0.52.0 source code.

We'll need to write and test our own patch for CVE-2017-9775 that will
apply to the source of poppler 0.52.0, or wait for someone else to do
it and copy theirs.

Reply sent to Mark H Weaver <mhw <at> netris.org>:
You have taken responsibility. (Sun, 09 Jul 2017 21:26:01 GMT)

Notification sent to Ben Woodcroft <donttrustben <at> gmail.com>:
bug acknowledged by developer. (Sun, 09 Jul 2017 21:26:02 GMT)

Message #23 received at 27621-done <at> debbugs.gnu.org:

From: Mark H Weaver <mhw <at> netris.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: Ben Woodcroft <donttrustben <at> gmail.com>, 27621-done <at> debbugs.gnu.org
Subject: Re: bug#27621: Poppler's replacement is ABI-incompatible with the
 original
Date: Sun, 09 Jul 2017 17:25:07 -0400
Leo Famulari <leo <at> famulari.name> writes:

> On Sat, Jul 08, 2017 at 06:04:37PM -0400, Mark H Weaver wrote:
>> Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
>> need to find backported fixes for poppler-0.52.0 (or possibly some newer
>> version that has the same ABI as 0.52.0), and apply those as patches in
>> the replacement.
>
> I just pushed b3cc304b3050e89858c88947fbd7d76c108b5d67 which applies a
> patch for CVE-2017-9776 onto the poppler 0.52.0 source code.

Thank you! :)

> We'll need to write and test our own patch for CVE-2017-9775 that will
> apply to the source of poppler 0.52.0, or wait for someone else to do
> it and copy theirs.

I looked, but backporting the fix to 0.52.0 seems non-trivial.  Fedora
26 uses poppler-0.52.0, but I see that they have not yet fixed either of
these CVEs.

  http://pkgs.fedoraproject.org/cgit/rpms/poppler.git/log/?h=f26

They did, however, cherry-pick an upstream patch to fix a null pointer
dereference bug in 0.52.0.  I'll look into adding this patch to our
poppler.

FWIW, Fedora considers CVE-2017-9775 to be of low severity:

  https://access.redhat.com/security/cve/cve-2017-9775

Anyway, I'm closing this bug now.  Thanks again for your tireless
efforts to keep us safe, Leo!

      Mark




Information forwarded to bug-guix <at> gnu.org:
bug#27621; Package guix. (Mon, 10 Jul 2017 01:49:01 GMT)

Message #26 received at 27621-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Mark H Weaver <mhw <at> netris.org>
Cc: 27621-done <at> debbugs.gnu.org
Subject: Re: bug#27621: Poppler's replacement is ABI-incompatible with the
 original
Date: Sun, 9 Jul 2017 21:48:29 -0400
On Sun, Jul 09, 2017 at 05:25:07PM -0400, Mark H Weaver wrote:
> They did, however, cherry-pick an upstream patch to fix a null pointer
> dereference bug in 0.52.0.  I'll look into adding this patch to our
> poppler.

Thanks! Let us know how it goes.

> FWIW, Fedora considers CVE-2017-9775 to be of low severity:
> 
>   https://access.redhat.com/security/cve/cve-2017-9775

The disclosure on the freedesktop bug tracker [0] says:

"Due to some restrictions in the lines after the bug, an attacker can't
control the values written in the stack so it unlikely this could lead
to a code execution."

So, not great, but if their estimation is right, not that bad either.

[0] https://bugs.freedesktop.org/show_bug.cgi?id=101540

Information forwarded to bug-guix <at> gnu.org:
bug#27621; Package guix. (Mon, 10 Jul 2017 17:08:01 GMT)

Message #29 received at 27621-done <at> debbugs.gnu.org:

From: Mark H Weaver <mhw <at> netris.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27621-done <at> debbugs.gnu.org
Subject: Re: bug#27621: Poppler's replacement is ABI-incompatible with the
 original
Date: Mon, 10 Jul 2017 13:07:32 -0400
Leo Famulari <leo <at> famulari.name> writes:

> On Sun, Jul 09, 2017 at 05:25:07PM -0400, Mark H Weaver wrote:
>> They did, however, cherry-pick an upstream patch to fix a null pointer
>> dereference bug in 0.52.0.  I'll look into adding this patch to our
>> poppler.
>
> Thanks! Let us know how it goes.

Pushed to master as commit ef019092b98e1337acac51525e8e4e092267f69c.

      Mark




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 08 Aug 2017 11:24:04 GMT)



