bug-guix

bug#27621: Poppler's replacement is ABI-incompatible with the original


From: Leo Famulari
Subject: bug#27621: Poppler's replacement is ABI-incompatible with the original
Date: Sun, 9 Jul 2017 02:30:49 -0400
User-agent: Mutt/1.8.3 (2017-05-23)

On Sat, Jul 08, 2017 at 06:04:37PM -0400, Mark H Weaver wrote:
> Ben Woodcroft <address@hidden> writes:
> 
> > Currently Inkscape fails to start as the poppler shared library changes from
> > libpoppler.so.66 to libpoppler.so.67 upon grafting. Is this the correct way
> > to fix this issue?

> The problem originated with the following security update:
> 
> address@hidden (Leo Famulari) writes:
> > lfam pushed a commit to branch master
> > in repository guix.
> >
> > commit 95bbaa02aa63bc5eae36f686f1ed9915663aa4cf
> > Author: Leo Famulari <address@hidden>
> > Date:   Thu Jun 29 03:10:30 2017 -0400
> >
> >     gnu: poppler: Fix CVE-2017-{9775,9776}.
> >     
> >     * gnu/packages/pdf.scm (poppler)[replacement]: New field.
> >     (poppler-0.56.0): New variable.
> >     (poppler-qt4, poppler-qt5): Use 'package/inherit'.

Sorry about this mistake.

> Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
> need to find backported fixes for poppler-0.52.0 (or possibly some newer
> version that has the same ABI as 0.52.0), and apply those as patches in
> the replacement.

I just pushed b3cc304b3050e89858c88947fbd7d76c108b5d67 which applies a
patch for CVE-2017-9776 onto the poppler 0.52.0 source code.

We'll need to write and test our own patch for CVE-2017-9775 that will
apply to the source of poppler 0.52.0, or wait for someone else to do
it and copy theirs.
