Re: ibus/CVE-2019-14822/glibc

To: Emilio Pozuelo Monfort <pochu@debian.org>, debian-lts@lists.debian.org
Subject: Re: ibus/CVE-2019-14822/glibc
From: Brian May <bam@debian.org>
Date: Mon, 06 Jan 2020 17:18:22 +1100
Message-id: <[🔎] 87o8vh6rbl.fsf@silverfish.pri>
In-reply-to: <249f6fff-4f52-00a9-04e9-5092503894fc@debian.org>
References: <87k1741xt6.fsf@silverfish.pri> <87zhfwhm6s.fsf@silverfish.pri> <249f6fff-4f52-00a9-04e9-5092503894fc@debian.org>

Emilio Pozuelo Monfort <pochu@debian.org> writes:

> I have been looking at this, but building glib with only the two fix commits
> (not the tests one) makes the build hang on the network-monitor tests. I haven't
> investigated much yet, but I wonder if it may be an issue with my local
> configuration. Did you glib build succeed? If so can you publish the source and
> debs? I'd like to test that with some qt5 apps to verify the regression fix.

I just tried compiling with all patches. The 3rd patch kills it for it,
it references a _g_dbus_hexencode function that does not appear to
exist.

libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I/<<PKGBUILDDIR>>/./gio -I.. -DG_LOG_DOMAIN=\"GLib-GIO\" -I.. -I../glib -I/<<PKGBUILDDIR>>/./glib -I/<<PKGBUILDDIR>>/. -I/<<PKGBUILDDIR>>/./gmodule -DG_DISABLE_CAST_CHECKS -DGIO_COMPILATION -DGIO_MODULE_DIR=\"/usr/lib/x86_64-linux-gnu/gio/modules\" -D_FORTIFY_SOURCE=2 -pthread -Wall -Wstrict-prototypes -Werror=declaration-after-statement -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=pointer-arith -Werror=init-self -Werror=format=2 -Werror=missing-include-dirs -fvisibility=hidden -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -c /<<PKGBUILDDIR>>/./gio/gdbusauth.c  -fPIC -DPIC -o .libs/libgio_2_0_la-gdbusauth.o
/<<PKGBUILDDIR>>/./gio/gdbusauth.c: In function ‘client_choose_mech_and_send_initial_response’:
/<<PKGBUILDDIR>>/./gio/gdbusauth.c:520:7: error: implicit declaration of function ‘_g_dbus_hexencode’ [-Werror=implicit-function-declaration]
       encoded = _g_dbus_hexencode (initial_response, initial_response_len);
       ^
/<<PKGBUILDDIR>>/./gio/gdbusauth.c:520:15: warning: assignment makes pointer from integer without a cast
       encoded = _g_dbus_hexencode (initial_response, initial_response_len);
               ^
/<<PKGBUILDDIR>>/./gio/gdbusauth.c: In function ‘_g_dbus_auth_run_client’:
/<<PKGBUILDDIR>>/./gio/gdbusauth.c:812:32: warning: assignment makes pointer from integer without a cast
                   encoded_data = _g_dbus_hexencode (data, data_len);
                                ^
/<<PKGBUILDDIR>>/./gio/gdbusauth.c: In function ‘_g_dbus_auth_run_server’:
/<<PKGBUILDDIR>>/./gio/gdbusauth.c:1187:42: warning: assignment makes pointer from integer without a cast
                             encoded_data = _g_dbus_hexencode (data, data_len);
                                          ^
cc1: some warnings being treated as errors
Makefile:3465: recipe for target 'libgio_2_0_la-gdbusauth.lo' failed


The patch removes a function called "hexencode" and replaces it with
"_g_dbus_hexencode". I wonder if it would be sufficient just to reverse
this bit of the change?
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: ibus/CVE-2019-14822/glibc
  - From: Brian May <bam@debian.org>

Prev by Date: RFT: Linux 3.16.80 package
Next by Date: Re: ibus/CVE-2019-14822/glibc
Previous by thread: RFT: Linux 3.16.80 package
Next by thread: Re: ibus/CVE-2019-14822/glibc
Index(es):
- Date
- Thread