--- Begin Message ---
Subject: [PATCH] gnu: inkscape: Use ungrafted poppler input.
Date: Sat, 8 Jul 2017 21:08:33 +1000
Currently Inkscape fails to start as the poppler shared library changes from
libpoppler.so.66 to libpoppler.so.67 upon grafting. Is this the correct way
to fix this issue?
I'm not quite sure why poppler is grafted in the first place, given there are
so few dependencies (26)? Should it simply be updated?
Thanks, ben
--- End Message ---
--- Begin Message ---
Subject: Re: bug#27621: Poppler's replacement is ABI-incompatible with the original
Date: Sun, 09 Jul 2017 17:25:07 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
Leo Famulari <address@hidden> writes:
> On Sat, Jul 08, 2017 at 06:04:37PM -0400, Mark H Weaver wrote:
>> Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
>> need to find backported fixes for poppler-0.52.0 (or possibly some newer
>> version that has the same ABI as 0.52.0), and apply those as patches in
>> the replacement.
>
> I just pushed b3cc304b3050e89858c88947fbd7d76c108b5d67 which applies a
> patch for CVE-2017-9776 onto the poppler 0.52.0 source code.
Thank you! :)
> We'll need to write and test our own patch for CVE-2017-9775 that will
> apply to the source of poppler 0.52.0, or wait for someone else to do
> it and copy theirs.
I looked, but backporting the fix to 0.52.0 seems non-trivial. Fedora
26 uses poppler-0.52.0, but I see that they have not yet fixed either of
these CVEs.
http://pkgs.fedoraproject.org/cgit/rpms/poppler.git/log/?h=f26
They did, however, cherry-pick an upstream patch to fix a null pointer
dereference bug in 0.52.0. I'll look into adding this patch to our
poppler.
FWIW, Fedora considers CVE-2017-9775 to be of low severity:
https://access.redhat.com/security/cve/cve-2017-9775
Anyway, I'm closing this bug now. Thanks again for your tireless
efforts to keep us safe, Leo!
Mark
--- End Message ---
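The failure reported in the first message (libpoppler.so.66 becoming libpoppler.so.67 once the graft is applied) and the fix Mark outlines in the second (patch the same 0.52.0 source so the ABI stays put) come down to one check: a graft swaps store items without rebuilding dependents, so every shared object in the replacement must keep the SONAME of the original. The POSIX shell script below is an added example, not part of this thread or of Guix itself. It assumes readelf from binutils is installed and that both store items carry a lib/ directory; the two sample SONAME lists are constructed for the demo, and only the .66 to .67 change in them is taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from the Guix tree.
# Checks whether a graft replacement keeps the ABI of the original by
# comparing the SONAMEs of the shared objects shipped in each lib/ dir.

# Print the SONAME of every ELF shared object under "$1/lib", sorted and
# de-duplicated. Assumes readelf (binutils) is on PATH.
sonames_in_dir() {
    find "$1/lib" -name '*.so*' -type f 2>/dev/null | while read -r f; do
        # readelf prints e.g. "(SONAME)  Library soname: [libpoppler.so.66]"
        readelf -d "$f" 2>/dev/null |
            awk '/\(SONAME\)/ { gsub(/[][]/, "", $NF); print $NF }'
    done | sort -u
}

# Compare two newline-separated SONAME lists: original, then replacement.
# Prints one line per SONAME that exists on only one side and returns 1
# if any differ; returns 0 when the two sets are identical (ABI-compatible
# as far as SONAMEs go).
compare_sonames() {
    orig=$(printf '%s\n' "$1" | grep -v '^$' | sort -u)
    repl=$(printf '%s\n' "$2" | grep -v '^$' | sort -u)
    status=0
    for s in $orig; do
        printf '%s\n' "$repl" | grep -Fxq -- "$s" ||
            { echo "removed by graft: $s"; status=1; }
    done
    for s in $repl; do
        printf '%s\n' "$orig" | grep -Fxq -- "$s" ||
            { echo "added by graft:   $s"; status=1; }
    done
    return $status
}

# Run the check on two store items, e.g. the original poppler output and
# the candidate replacement, before wiring up a (replacement ...) field.
check_graft_abi() {
    compare_sonames "$(sonames_in_dir "$1")" "$(sonames_in_dir "$2")"
}

# Constructed sample data: the SONAMEs a poppler 0.52.0 output and a
# 0.56.0 replacement might ship. Only the libpoppler.so.66 -> .67 change
# comes from the thread; the other two entries are illustrative.
SAMPLE_ORIG='libpoppler.so.66
libpoppler-glib.so.8
libpoppler-cpp.so.0'
SAMPLE_REPL='libpoppler.so.67
libpoppler-glib.so.8
libpoppler-cpp.so.0'

# Usage: sh graft-abi-check.sh /gnu/store/...-poppler-0.52.0 /gnu/store/...-poppler-0.56.0
# With no arguments, run the comparison on the constructed sample instead.
if [ "$#" -eq 2 ]; then
    check_graft_abi "$1" "$2"
elif [ "$#" -eq 0 ]; then
    compare_sonames "$SAMPLE_ORIG" "$SAMPLE_REPL" || echo "graft would break ABI"
fi
```

A matching SONAME set is necessary but not sufficient: a library can keep its SONAME while still changing struct layouts or removing symbols, so for a security backport the safer route is the one Mark describes, patching the exact version already in the store rather than jumping releases.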