[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
A "cosmetic changes" commit that removes security fixes
From: |
Mark H Weaver |
Subject: |
A "cosmetic changes" commit that removes security fixes |
Date: |
Wed, 21 Apr 2021 17:11:03 -0400 |
Hello Guix,
Raghav Gururajan has pushed another misleading "cosmetic changes"
commit. This one is *far* worse than the examples I gave before.
This one removes the security fixes for CVE-2018-19876 and
cairo-CVE-2020-35492 that I had applied in commit
bc16eacc99e801ac30cbe2aa649a2be3ca5c102a.
Behold, Raghav's "cosmetic changes" to our 'cairo' package:
https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-gnome&id=d975ed975456a2c8e855eb024b5487c4c460684a
With this in mind, does anyone else find it worrisome that Raghav has
commit access?
Mark
>From d975ed975456a2c8e855eb024b5487c4c460684a Mon Sep 17 00:00:00 2001
From: Raghav Gururajan <raghavgururajan@disroot.org>
Date: Fri, 4 Dec 2020 00:48:43 -0500
Subject: [PATCH] gnu: cairo: Make some cosmetic changes.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* gnu/packages/patches/cairo-CVE-2018-19876.patch,
gnu/packages/patches/cairo-CVE-2020-35492.patch: Remove patches.
* gnu/local.mk (dist_patch_DATA): Unregister them.
* gnu/packages/gtk.scm (cairo): Make some cosmetic changes.
[replacement]: Remove.
(cairo/fixed): Remove.
Signed-off-by: Léo Le Bouter <lle-bout@zaclys.net>
---
gnu/local.mk | 2 -
gnu/packages/gtk.scm | 92 +++++++++----------
.../patches/cairo-CVE-2018-19876.patch | 37 --------
.../patches/cairo-CVE-2020-35492.patch | 49 ----------
4 files changed, 41 insertions(+), 139 deletions(-)
delete mode 100644 gnu/packages/patches/cairo-CVE-2018-19876.patch
delete mode 100644 gnu/packages/patches/cairo-CVE-2020-35492.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index e01e7970d2..e93ce45f5a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -877,8 +877,6 @@ dist_patch_DATA =
\
%D%/packages/patches/bpftrace-disable-bfd-disasm.patch \
%D%/packages/patches/busybox-CVE-2021-28831.patch \
%D%/packages/patches/byobu-writable-status.patch \
- %D%/packages/patches/cairo-CVE-2018-19876.patch \
- %D%/packages/patches/cairo-CVE-2020-35492.patch \
%D%/packages/patches/calibre-no-updates-dialog.patch \
%D%/packages/patches/calibre-remove-test-sqlite.patch \
%D%/packages/patches/calibre-remove-test-unrar.patch \
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 2699b97b49..ff0c1296e1 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -123,67 +123,57 @@ tools have full access to view and control running
applications.")
(define-public cairo
(package
- (name "cairo")
- (version "1.16.0")
- (replacement cairo/fixed)
- (source (origin
- (method url-fetch)
- (uri (string-append "https://cairographics.org/releases/cairo-"
- version ".tar.xz"))
- (sha256
- (base32
- "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy"))))
- (build-system gnu-build-system)
- (propagated-inputs
- `(("fontconfig" ,fontconfig)
- ("freetype" ,freetype)
- ("glib" ,glib)
- ("libpng" ,libpng)
- ("libx11" ,libx11)
- ("libxext" ,libxext)
- ("libxrender" ,libxrender)
- ("pixman" ,pixman)))
- (inputs
- `(("ghostscript" ,ghostscript)
- ("libspectre" ,libspectre)
- ("poppler" ,poppler)
- ("xorgproto" ,xorgproto)
- ("zlib" ,zlib)))
- (native-inputs
- `(("pkg-config" ,pkg-config)
- ("python" ,python-wrapper)))
+ (name "cairo")
+ (version "1.16.0")
+ (source
+ (origin
+ (method url-fetch)
+ (uri
+ (string-append "https://cairographics.org/releases/cairo-"
+ version ".tar.xz"))
+ (sha256
+ (base32 "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy"))))
+ (build-system gnu-build-system)
(arguments
- `(#:tests? #f ; see
http://lists.gnu.org/archive/html/bug-guix/2013-06/msg00085.html
- #:configure-flags '("--enable-tee" ;needed for GNU Icecat
- "--enable-xml" ;for cairo-xml support
- "--disable-static")))
- (synopsis "2D graphics library")
- (description
- "Cairo is a 2D graphics library with support for multiple output devices.
-Currently supported output targets include the X Window System (via both
-Xlib and XCB), Quartz, Win32, image buffers, PostScript, PDF, and SVG file
+ `(#:tests? #f ; see
http://lists.gnu.org/archive/html/bug-guix/2013-06/msg00085.html
+ #:configure-flags
+ (list
+ "--enable-tee" ;needed for GNU Icecat
+ "--enable-xml" ;for cairo-xml support
+ "--disable-static")))
+ (native-inputs
+ `(("pkg-config" ,pkg-config)
+ ("python" ,python-wrapper)))
+ (inputs
+ `(("ghostscript" ,ghostscript)
+ ("libspectre" ,libspectre)
+ ("poppler" ,poppler)
+ ("xorgproto" ,xorgproto)
+ ("zlib" ,zlib)))
+ (propagated-inputs
+ `(("fontconfig" ,fontconfig)
+ ("freetype" ,freetype)
+ ("glib" ,glib)
+ ("libpng" ,libpng)
+ ("libx11" ,libx11)
+ ("libxext" ,libxext)
+ ("libxrender" ,libxrender)
+ ("pixman" ,pixman)))
+ (synopsis "2D graphics library")
+ (description "Cairo is a 2D graphics library with support for multiple
output
+devices. Currently supported output targets include the X Window System (via
+both Xlib and XCB), Quartz, Win32, image buffers, PostScript, PDF, and SVG file
output. Experimental backends include OpenGL, BeOS, OS/2, and DirectFB.
-
Cairo is designed to produce consistent output on all output media while
taking advantage of display hardware acceleration when available
eg. through the X Render Extension).
-
The cairo API provides operations similar to the drawing operators of
PostScript and PDF. Operations in cairo including stroking and filling cubic
Bézier splines, transforming and compositing translucent images, and
antialiased text rendering. All drawing operations can be transformed by any
affine transformation (scale, rotation, shear, etc.).")
- (license license:lgpl2.1) ; or Mozilla Public License 1.1
- (home-page "https://cairographics.org/")))
-
-(define cairo/fixed
- (package
- (inherit cairo)
- (source (origin
- (inherit (package-source cairo))
- (patches (append (search-patches "cairo-CVE-2018-19876.patch"
- "cairo-CVE-2020-35492.patch")
- (origin-patches (package-source cairo))))))))
+ (home-page "https://cairographics.org/")
+ (license license:lgpl2.1))) ; or Mozilla Public License 1.1
(define-public cairo-sans-poppler
;; Variant used to break the dependency cycle between Poppler and Cairo.
diff --git a/gnu/packages/patches/cairo-CVE-2018-19876.patch
b/gnu/packages/patches/cairo-CVE-2018-19876.patch
deleted file mode 100644
index c0fba2ecaa..0000000000
--- a/gnu/packages/patches/cairo-CVE-2018-19876.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Copied from Debian.
-
-From: Carlos Garcia Campos <cgarcia@igalia.com>
-Date: Mon, 19 Nov 2018 12:33:07 +0100
-Subject: ft: Use FT_Done_MM_Var instead of free when available in
- cairo_ft_apply_variations
-
-Fixes a crash when using freetype >= 2.9
-
-[This is considered to be security-sensitive because WebKitGTK+ sets its
-own memory allocator, which is not compatible with system free(), making
-this a remotely triggerable denial of service or memory corruption.]
-
-Origin: upstream, commit:90e85c2493fdfa3551f202ff10282463f1e36645
-Bug: https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5
-Bug-Debian: https://bugs.debian.org/916389
-Bug-CVE: CVE-2018-19876
----
- src/cairo-ft-font.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c
-index 325dd61..981973f 100644
---- a/src/cairo-ft-font.c
-+++ b/src/cairo-ft-font.c
-@@ -2393,7 +2393,11 @@ skip:
- done:
- free (coords);
- free (current_coords);
-+#if HAVE_FT_DONE_MM_VAR
-+ FT_Done_MM_Var (face->glyph->library, ft_mm_var);
-+#else
- free (ft_mm_var);
-+#endif
- }
- }
-
diff --git a/gnu/packages/patches/cairo-CVE-2020-35492.patch
b/gnu/packages/patches/cairo-CVE-2020-35492.patch
deleted file mode 100644
index e8b90fa5c5..0000000000
--- a/gnu/packages/patches/cairo-CVE-2020-35492.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Copied from Debian.
-
-From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
-From: Heiko Lewin <heiko.lewin@worldiety.de>
-Date: Tue, 15 Dec 2020 16:48:19 +0100
-Subject: [PATCH] Fix mask usage in image-compositor
-
-[trimmed test case, since not used in Debian build]
-
----
- src/cairo-image-compositor.c | 8 ++--
-
---- cairo-1.16.0.orig/src/cairo-image-compositor.c
-+++ cairo-1.16.0/src/cairo-image-compositor.c
-@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_rende
- unsigned num_spans)
- {
- cairo_image_span_renderer_t *r = abstract_renderer;
-- uint8_t *m;
-+ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
- int x0;
-
- if (num_spans == 0)
- return CAIRO_STATUS_SUCCESS;
-
- x0 = spans[0].x;
-- m = r->_buf;
-+ m = base;
- do {
- int len = spans[1].x - spans[0].x;
- if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
-@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_rende
- spans[0].x, y,
- spans[1].x - spans[0].x, h);
-
-- m = r->_buf;
-+ m = base;
- x0 = spans[1].x;
- } else if (spans[0].coverage == 0x0) {
- if (spans[0].x != x0) {
-@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_rende
- #endif
- }
-
-- m = r->_buf;
-+ m = base;
- x0 = spans[1].x;
- } else {
- *m++ = spans[0].coverage;
--
2.31.1
- A "cosmetic changes" commit that removes security fixes,
Mark H Weaver <=