Feature #5630: Reproducible builds
Fix gdk-pixbuf vulnerability (CVE-2017-2862)
the custom Tails package needs to be patched (2.36.5-2.0tails2)
Enable the bugfix-14729-gdk-pixbuf-cve-2017-2862 APT overlay (refs: #14729).
Ensure we install the correct version of packages built from src:gdk-pixbuf (refs: #14729)
2.36.5-2+deb9u1.0tails1 << 2.36.5-2.0tails2
so without this we would keep installing 2.36.5-2.0tails2
instead of the one we want (currently 2.36.5-2+deb9u1.0tails1).
I was just wondering how I could have missed this when preparing the 3.1 security advisory (for the 3.2 release, yesterday) and here's the post-mortem:
I apparently optimize this process in an unsafe way (at least to detect issues like this). I didn't do it the obvious way and look at the list of recent advisories affecting Debian and then look at which of the affected packages we install. Instead I first looked at the .packages diff between 3.1 and 3.2, and then I investigated the packages that differed further vs the Debian advisories. This time there actually was a difference for the gdk-pixbuf packages, but I remembered that I had uploaded it a few weeks ago for the reproducibility fix, so this difference was expected, and not related to security updates, so I didn't even look it up...

So, clearly the right way to do it is to go the other way around, i.e. look at the Debian advisories and then see which packages installed in Tails are affected. Shame on me! But the real fix would of course be to automate the generation of advisories affecting Tails (given its .packages list), so the human (perhaps I'm generalizing?) tendency to optimize away security guards is out of the picture.