Hi Leo,

Leo Famulari <l...@famulari.name> writes:

> From 34cc0dc9d9451d540f8733ebca2a3db54a073aa0 Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mba...@fastmail.com>
> Date: Thu, 12 Jan 2017 19:06:55 +0100
> Subject: [PATCH 1/2] gnu: mupdf: Fix CVE-2016-{10132,10133} in bundled mujs.
>
> * gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch,
> gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/pdf.scm (mupdf)[replacement]: New field.

We should indeed add a 'replacement' field to 'mupdf', but that part of
the patch seems to have gotten lost:

> diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
> index 9b3571e67..5efc5e6d1 100644
> --- a/gnu/packages/pdf.scm
> +++ b/gnu/packages/pdf.scm
> @@ -6,10 +6,11 @@
>  ;;; Copyright © 2016 Roel Janssen <r...@gnu.org>
>  ;;; Coypright © 2016 ng0 <n...@we.make.ritual.n0.is>
>  ;;; Coypright © 2016 Efraim Flashner <efr...@flashner.co.il>
> -;;; Coypright © 2016 Marius Bakke <mba...@fastmail.com>
> +;;; Coypright © 2016, 2017 Marius Bakke <mba...@fastmail.com>
>  ;;; Coypright © 2016 Ludovic Courtès <l...@gnu.org>
>  ;;; Coypright © 2016 Julien Lepiller <jul...@lepiller.eu>
>  ;;; Copyright © 2016 Arun Isaac <arunis...@systemreboot.net>
> +;;; Copyright © 2017 Leo Famulari <l...@famulari.name>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
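
Review bot: the rewritten Marius Bakke line still spells the notice "Coypright". Since the patch already touches that line to add 2017, it could correct it to "Copyright", as the newly added Leo Famulari line does. The unchanged neighbouring lines with the same misspelling are better left to a separate cleanup commit.
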
> @@ -538,6 +539,18 @@ line tools for batch rendering (pdfdraw), rewriting 
> files (pdfclean),
>  and examining the file structure (pdfshow).")
>      (license license:agpl3+)))
>  
> +(define mupdf/fixed
> +  (package
> +    (inherit mupdf)
> +    (source
> +      (origin
> +        (inherit (package-source mupdf))
> +        (patches
> +          (append
> +            (origin-patches (package-source mupdf))
> +            (search-patches "mupdf-mujs-CVE-2016-10132.patch"
> +                            "mupdf-mujs-CVE-2016-10133.patch")))))))
> +
>  (define-public qpdf
>    (package
>     (name "qpdf")
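
Review bot: mupdf/fixed is defined here but nothing in the visible hunks refers to it, so the two mujs CVE patches would not reach anything that depends on mupdf. The commit log announces "(mupdf)[replacement]: New field", yet no hunk touches the mupdf package definition itself; a `(replacement mupdf/fixed)` field needs to be added there for the graft to take effect.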

Also, you should probably add a "Co-authored-by:" header in the commit
log for yourself :)

Otherwise it looks good to me.
Thanks to both of you for working on it!

      Mark
