
Re: My pending RFSs (xpdf)



Hi,

After your explanation and some investigation, these may not be as big
changes as they looked.  If I get a clear answer on the 2 missing patches
pointed out below, I may sponsor this unless Moritz Muehlenhoff tells me
not to do this.

On Fri, Jul 16, 2010 at 01:07:11PM -0400, Michael Gilbert wrote:
> On Sat, 17 Jul 2010 01:56:14 +0900, Osamu Aoki wrote:
> > On Fri, Jul 16, 2010 at 12:10:14PM -0400, Michael Gilbert wrote:
> > > > Is this because you are using poppler?
> > > 
> > > yes. the vulnerabilities exist only in the xpdf codebase that became
> > > poppler. i no longer build any of that affected code (dynamically
> > > linking to it in poppler instead where it is already patched), so there
> > > is no need to retain those patches.
> > 
> > I build -8, and looking good.
> > 
> > Are you contacting upstream so these patches get into the upstream?
> > (With so much "sed", maybe not...)
> 
> i haven't yet, but i plan to for the current bug fixes.  

I see quite a few bug fixes and feature enhancements which should be
non-confrontational to the upstream.

11-fix-hyphens-in-manpages.patch
fix-408502.patch
fix-437725.patch
fix-458468.patch
fix-479467.patch
fix-577031.patch
fix-580495.patch  (See below for this impact)

They all look sort of safe ... but it is getting to be too much to keep
them as Debian-only patches.

I see 2 patches not used for building this package now.

===  02-permissions.patch  ===

This has no chance of upstream integration, as I see from the upstream
position. This was dropped from packaging very quietly without a comment
in the changelog.  I only find the initial inclusion log as:

xpdf (3.00-13) unstable; urgency=low

...

  * Added note to header of source files modified to remove PDF
    permission checking as requested by upstream in bug#298584

 -- Hamish Moffatt <hamish@debian.org>  Tue, 22 Mar 2005 23:33:52 +1100

This BTS entry seems to suggest that this is a Debian patch we should keep.

I see this activated in the current uploaded package.  I am not quite
sure what is going on here.  Since ENFORCE_PERMISSIONS is not defined in
the normal package building of Debian, I think this disables the
ENFORCE_PERMISSIONS code as expected.

===  xpdf-zoom-height.patch  ===

This is dropped with explanation in recent changelog.

  * Revert zoomFitHeight patch since it breaks zoomFitPage and zoomFitWidth
    (closes: #576543, 578892).

But the bottom of http://bugs.debian.org/578892 seems to have a patch
which keeps this feature enhancement valid.  Since the new feature
enhancement fix-580495.patch from Rogério Brito <rbrito@ime.usp.br>
touches around here, these need to be fixed together properly as a
feature enhancement.

> upstream
> adoption of the poppler compatibility patches is rather unlikely since
> they have no interest in following what poppler does.
...

I agree with this assessment, and that was the reason for my reservation
"maybe not...".  For Debian, it is better to use the common poppler
library so the security team does not need to handle the same problem twice.

Thanks for this important work.

Osamu

