guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] gnu: mupdf: Fix some security problems in bundled mujs.

From: Mark H Weaver
Subject: Re: [PATCH] gnu: mupdf: Fix some security problems in bundled mujs.
Date: Thu, 12 Jan 2017 19:59:40 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) 
Leo Famulari <address@hidden> writes:

> On Thu, Jan 12, 2017 at 08:46:52PM +0100, Marius Bakke wrote:
>> Leo Famulari <address@hidden> writes:
>> 
>> > Through cups, this requires ~600 rebuilds. I wonder if we can graft it?
>> > That is, is the ABI compatible?
>> 
>> Good question. The null pointer dereference patch renames a function,
>> and I can find it in /gnu/store/...-mupdf-1.10a/lib/libmupdfthird.a. So
>> I guess not.
>> 
>> There is also /lib/libmupdf.a which I assume most packages use, and does
>> not seem to use anything from mujs.
>> 
>> This package only provides static libraries, so grafting may not even
>> work. In most cases I've come across, the static library is embedded
>> with "ar" in the final package (cups do not retain a rerefence to
>> mupdf). What to do?
>
> If we can't graft it, we should build it on a branch on Hydra.
>
> Mark, what do you think?

Here's what we can do: in addition to mupdf itself, we can also add a
graft for cups-filters (our only package that includes mupdf as an
input).  The replacement for cups-filters would change its mupdf input
to refer directly to the fixed version of mupdf.

What do you think?

      Mark
reply via email to
[Prev in Thread] Current Thread [Next in Thread]