
Re: Accepted libpodofo 0.9.0-1.1+deb7u1 (source amd64) into oldstable



Here is why:

On Sun, Apr 30, Mattia Rizzolo:
> On Sun, Apr 30, 2017 at 01:40:13AM +0200, Markus Koschany wrote:
> > Am 29.04.2017 um 23:50 schrieb Mattia Rizzolo:
> > > Hi Markus.
> > > 
> > > Thank you for the upload!
> > > 
> > > Although, I'd have liked if you sent me a debdiff before uploading it,
> > > if nothing else because I am planning to do an upload to unstable fixing
> > > a first round of CVEs, and I would have liked to do something similar for
> > > all the suites...
> > 
> > You're welcome. When I saw that nobody worked on libpodofo in Wheezy,
> > even some CVEs got marked as no-dsa, I decided to step up and fix what
> > could be reasonably fixed in time. I forgot that you would have
> > preferred to look over the changes, sorry about that, I will remember
> > that for the next time.
> 
> Anyhow, upstream has no consideration for ABI stability (feels like they're
> taking breaking the ABI every single new release as a feature…) so every
> cherry pick from upstream has to be checked in this regard (all the
> commits till now are fine, IIRC).

QED.

Your LTS upload broke libpodofo ABI.  The symbol
_ZNK6PoDoFo7PdfPage25GetInheritedKeyFromObjectEPKcPKNS_9PdfObjectE@Base
as present in the wheezy version (libpodofo0.9.0_0.9.0-1.1+b1_amd64.deb)
became
_ZNK6PoDoFo7PdfPage25GetInheritedKeyFromObjectEPKcPKNS_9PdfObjectEi@Base
in wheezy-security (libpodofo0.9.0_0.9.0-1.1+deb7u1_amd64.deb).

Now, I do not know what's LTS policy about silent ABI breakage, but I
doubt you are OK with that.


That's in particular caused by
https://anonscm.debian.org/git/collab-maint/libpodofo.git/tree/debian/patches/CVE-2017-5852.patch?h=debian/0.9.0-1.1%2bdeb7u1#n123

-    const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject ) const; 
+    const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject, int depth = 0 ) const;
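Review bot: the added `int depth = 0` parameter changes the method's mangled name (the trailing `i` in `..._9PdfObjectEi@Base` quoted above), so binaries built against 0.9.0-1.1+b1 no longer resolve the two-argument symbol; a default argument does not help here because it is expanded at the call site and is not part of the library's exported interface. To keep the old symbol, retain the original declaration `const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject ) const;` as a separate non-inline overload whose body calls the depth-taking version with 0, declare the new one as `int depth` without a default (a default plus the two-argument overload makes two-argument calls ambiguous), and record the new symbol in the package's symbols file so dpkg-gensymbols flags the addition rather than a removal.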


ATM, I don't know how to fix that CVE without breaking the ABI.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
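The ABI problem described in the message above, as an added example that is not part of the message and is not PoDoFo's code: toy stand-ins named `PdfObject` and `PdfPage` (names borrowed from the quoted patch, bodies constructed here) where the old two-argument `GetInheritedKeyFromObject` is kept as a real overload forwarding to the new three-argument one, so the original mangled symbol survives while the new one is added beside it. The example assumes the `depth` parameter exists to bound recursion through `/Parent` links in a malformed page tree; the page does not say what the patch uses it for, and `kMaxDepth` is an assumed value.

```cpp
#include <cstdio>
#include <map>
#include <string>

// Constructed stand-in for a PDF dictionary object: a few keys plus an
// optional /Parent link. Not PoDoFo's real PdfObject.
struct PdfObject {
    std::map<std::string, const PdfObject*> dict;
    const PdfObject* parent = nullptr;
};

// Constructed stand-in for PdfPage, keeping only the method under discussion.
class PdfPage {
public:
    explicit PdfPage(const PdfObject* obj) : m_object(obj) {}

    // Old two-argument entry point, kept as a separate non-inline overload so
    // the symbol older binaries were linked against still exists.
    const PdfObject* GetInheritedKeyFromObject(const char* inKey,
                                               const PdfObject* inObject) const;

    // New three-argument version. No default argument: a default here plus the
    // two-argument overload would make two-argument calls ambiguous.
    const PdfObject* GetInheritedKeyFromObject(const char* inKey,
                                               const PdfObject* inObject,
                                               int depth) const;

    static constexpr int kMaxDepth = 64;  // assumed recursion bound, not from the page

private:
    const PdfObject* m_object;
};

const PdfObject* PdfPage::GetInheritedKeyFromObject(const char* inKey,
                                                    const PdfObject* inObject) const {
    // Forwarding wrapper: same behaviour as before, now with the depth guard.
    return GetInheritedKeyFromObject(inKey, inObject, 0);
}

const PdfObject* PdfPage::GetInheritedKeyFromObject(const char* inKey,
                                                    const PdfObject* inObject,
                                                    int depth) const {
    // Stop on a missing object, a missing key name, or when the /Parent chain
    // is deeper than any sane page tree (covers cycles in malformed files).
    if (inObject == nullptr || inKey == nullptr || depth > kMaxDepth)
        return nullptr;
    auto it = inObject->dict.find(inKey);
    if (it != inObject->dict.end())
        return it->second;
    return GetInheritedKeyFromObject(inKey, inObject->parent, depth + 1);
}

// Scenario 1 (constructed): /Rotate lives only on the root of a three-level
// chain; the old two-argument call still finds it through inheritance.
bool InheritedLookupFindsRootKey() {
    PdfObject rotate, root, pages, page;
    root.dict["Rotate"] = &rotate;
    pages.parent = &root;
    page.parent = &pages;
    PdfPage p(&page);
    return p.GetInheritedKeyFromObject("Rotate", &page) == &rotate;
}

// Scenario 2 (constructed malformed input): two objects naming each other as
// /Parent. The depth guard turns unbounded recursion into a nullptr result.
bool CyclicChainTerminates() {
    PdfObject a, b;
    a.parent = &b;
    b.parent = &a;
    PdfPage p(&a);
    return p.GetInheritedKeyFromObject("Rotate", &a) == nullptr;
}

// Scenario 3 (constructed): a caller-supplied starting depth counts against
// the bound, so a lookup started at kMaxDepth gives up after one hop.
bool DepthBudgetIsRespected() {
    PdfObject rotate, root, page;
    root.dict["Rotate"] = &rotate;
    page.parent = &root;
    PdfPage p(&page);
    return p.GetInheritedKeyFromObject("Rotate", &page, PdfPage::kMaxDepth) == nullptr
        && p.GetInheritedKeyFromObject("Rotate", &page, 0) == &rotate;
}

int main() {
    std::printf("inherited lookup: %s\n", InheritedLookupFindsRootKey() ? "ok" : "FAIL");
    std::printf("cyclic chain:     %s\n", CyclicChainTerminates() ? "ok" : "FAIL");
    std::printf("depth budget:     %s\n", DepthBudgetIsRespected() ? "ok" : "FAIL");
    return 0;
}
```

Compiling this with `g++ -c` and listing the object with `nm -C` shows two `PdfPage::GetInheritedKeyFromObject` entries, one with `(char const*, PdfObject const*) const` and one with the extra `int`; the first is the symbol the wheezy binaries reference, the second is the addition that belongs in the package's symbols file. Had the patch instead only added `int depth = 0` to the single declaration, only the second entry would exist, which is exactly the breakage the message reports.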
