[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#974966: debian-installer: please check for libgdk_pixbuf_xlib-2.0 dependencies

On Tue, Nov 17, 2020 at 7:31 AM Simon McVittie <smcv@debian.org> wrote:
>
> On Tue, 17 Nov 2020 at 07:13:55 -0800, Jose R R wrote:
> > FYI: clamscan shows
> > tests/test-images/gif-test-suite/max-width.gif:
> > BC.Gif.Exploit.Agent-1425366.Agent FOUND
>
> I'm not really surprised that antivirus software thinks a ridiculously
> wide GIF is trying to exploit browser bugs. It's in the test data
> precisely to make sure gdk-pixbuf doesn't crash if people try to load
> broken and potentially malicious GIFs.
>
> See: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/150
>
>     smcv
Thanks. Now for the last couple of days I had been generating minimal
netboot reiser4 installers with kernel 5.9.3-x thus I had a relevant
set up already.

I rebuilt Gdk-Pixbuf 2.40.0 essentially for Debian backports by
fetching and using your debian directory, thus generating:
libgdk-pixbuf-2.0-0-udeb_2.40.0+dfsg-6.1_amd64.udeb
libgdk-pixbuf2.0-0-udeb_2.40.0+dfsg-6.1_amd64.udeb

Placed the above UDEBs in debian-installer*/build/localudebs/.
Made sure d-i would prioritize them by referencing them in
debian-instller*/build/pkg-lists/netboot/amd64.cfg

Proceeded to test by generating a build_netboot-gtk

Just verifying that the above UDEBs were used:
grep -n 2.40.0+dfsg-6.1
../metztli-5.9.3-2+reiser4~5.1.3-with-parted-v3.3-and-libgdk-pixbuf.out1
224:Get:95 copy:/usr/tzinti/build/metztli-reiser5/tekitl-d-i_buster5/debian-installer-20190702+deb10u5-sfrn-5-libgdk-pixbuf-2/build
localudebs/ libgdk-pixbuf-2.0-0-udeb 2.40.0+dfsg-6.1 [360 kB]
232:Get:103 copy:/usr/tzinti/build/metztli-reiser5/tekitl-d-i_buster5/debian-installer-20190702+deb10u5-sfrn-5-libgdk-pixbuf-2/build
localudebs/ libgdk-pixbuf2.0-0-udeb 2.40.0+dfsg-6.1 [944 B]
840:Unpacking libgdk-pixbuf-2.0-0-udeb (2.40.0+dfsg-6.1) ...
844:Unpacking libgdk-pixbuf2.0-0-udeb (2.40.0+dfsg-6.1) ...

GTK PoC d-i with your integrated UDEBs:
< https://metztli.it/buster-reiser5/metztli-reiser4-sfrn5-gtk.iso >
< https://metztli.it/buster-reiser5/metztli-reiser4-sfrn5-gtk.iso.SHA256SUM >

A few screenshots from installation into VirtualBox 6.1.16 on reiser4
-enabled Debian Backports:
< https://metztli.it/buster-reiser5/gtk-test/1.png >
< https://metztli.it/buster-reiser5/gtk-test/2.png >
< https://metztli.it/buster-reiser5/gtk-test/3.png >
< https://metztli.it/buster-reiser5/gtk-test/4.png >

Best Professional Regards.

-- 
Jose R R
http://metztli.it
---------------------------------------------------------------------------------------------
Download Metztli Reiser4: Debian Buster w/ Linux 5.9.3 AMD64
---------------------------------------------------------------------------------------------
feats ZSTD compression https://sf.net/projects/metztli-reiser4/
-------------------------------------------------------------------------------------------
Official current Reiser4 resources: https://reiser4.wiki.kernel.org/
Reply to: