Bug #14729

Feature #5630: Reproducible builds

Fix gdk-pixbuf vulnerability (CVE-2017-2862)

Added by cypherpunks 3 months ago. Updated 27 days ago.

Status: Resolved
Priority: High
Assignee: -
Category: -
Target version:
Start date: 09/26/2017
Due date:
% Done: 100%
QA Check: Pass
Feature Branch: bugfix/14729-gdk-pixbuf-cve-2017-2862
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

https://www.debian.org/security/2017/dsa-3978

The custom Tails packages need to be patched (2.36.5-2.0tails2).

Related issues

Related to Tails - Bug #13442: gdk-pixbuf's loaders.cache not reproducible Resolved 07/07/2017
Related to Tails - Feature #14728: Track security updates during the Tails code freeze Confirmed 09/26/2017

Associated revisions

Revision a2c960ba (diff)
Added by intrigeri about 1 month ago

Enable the bugfix-14729-gdk-pixbuf-cve-2017-2862 APT overlay (refs: #14729).

Revision a35d1d9c (diff)
Added by intrigeri about 1 month ago

Ensure we install the correct version of packages built from src:gdk-pixbuf (refs: #14729)

2.36.5-2+deb9u1.0tails1 << 2.36.5-2.0tails2
so without this we would keep installing 2.36.5-2.0tails2
instead of the one we want (currently 2.36.5-2+deb9u1.0tails1).

Revision 488a1751
Added by anonym about 1 month ago

Merge remote-tracking branch 'origin/bugfix/14729-gdk-pixbuf-cve-2017-2862' into stable

Fix-committed: #14729

History

#1 Updated by intrigeri 3 months ago

  • Subject changed from gdk-pixbuf vulnerability to Fix gdk-pixbuf vulnerability (CVE-2017-2862)
  • Status changed from New to Confirmed
  • Assignee set to anonym
  • Priority changed from Normal to Elevated
  • Target version set to Tails_3.3
  • Parent task set to #5630

#2 Updated by intrigeri 3 months ago

  • Related to Bug #13442: gdk-pixbuf's loaders.cache not reproducible added

#3 Updated by intrigeri 3 months ago

  • Related to Feature #14728: Track security updates during the Tails code freeze added

#4 Updated by anonym 3 months ago

I was just wondering how I could have missed this when preparing the 3.1 security advisory (for the 3.2 release, yesterday) and here's the post-mortem:

I apparently optimize this process in an unsafe way (at least to detect issues like this). I didn't do it the obvious way and look at the list of recent advisories affecting Debian and then look at which of the affected packages we install. Instead I first looked at the .packages diff between 3.1 and 3.2, and then I investigated the packages that differed further vs the Debian advisories. This time there actually was a difference for the gdk-pixbuf packages, but I remembered that I had uploaded it a few weeks ago for the reproducibility fix, so this difference was expected, and not related to security updates, so I didn't even look it up...

So, clearly the right way to do it is to go the other way around, i.e. look at the Debian advisories and then see which packages installed in Tails are affected. Shame on me! But the real fix would of course be to automate the generation of advisories affecting Tails (given its .packages list), so the human (perhaps I'm generalizing?) tendency to optimize away security guards is out of the picture.
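
As an added example (not code from this ticket or from the Tails project): a Python reimplementation of dpkg's version ordering that reproduces the comparison from revision a35d1d9c (2.36.5-2+deb9u1.0tails1 << 2.36.5-2.0tails2) and sketches the advisory-against-.packages check described above. The constructed .packages lines, the DSA-3978 fixed version 2.36.5-2+deb9u1 (read off the version strings in this ticket) and the treatment of the .0tailsN suffix as a local rebuild marker are assumptions.

```python
import re
def _order(c):  # dpkg char weight: '~' sorts before even end of string; letters before others
    if not c or c.isdigit():
        return 0
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's verrevcmp: alternate non-digit runs (weighted lexical) and digit runs (numeric)
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            diff = _order(a[:1]) - _order(b[:1])
            if diff:
                return diff
            a, b = a[1:], b[1:]
        a, b, first_diff = a.lstrip("0"), b.lstrip("0"), 0
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit() or b[:1].isdigit() or first_diff:  # longer run wins, else first digit
            return 1 if a[:1].isdigit() else -1 if b[:1].isdigit() else first_diff
    return 0

def compare_versions(v1, v2):
    """-1, 0 or 1 with the semantics of `dpkg --compare-versions`."""
    def split(v):  # [epoch:]upstream[-revision]
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), upstream if sep else rest, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def debian_base_version(version):
    # A Tails rebuild X.0tailsN was built from Debian version X. Since '.' sorts after '+',
    # 2.36.5-2.0tails2 compares higher than the fixed 2.36.5-2+deb9u1 yet lacks the fix,
    # so an advisory check must compare X, not the rebuild version (assumed convention).
    return re.sub(r"\.0tails\d+$", "", version)

def vulnerable_packages(packages, advisories):
    # packages: .packages-style "name version" lines; advisories: {binary: (id, fixed)}
    hits = []
    for name, version in (line.split()[:2] for line in packages.splitlines() if line.strip()):
        dsa, fixed = advisories.get(name, (None, None))
        if fixed and compare_versions(debian_base_version(version), fixed) < 0:
            hits.append((name, version, dsa))
    return hits

# Constructed sample: the ticket's vulnerable rebuild plus an unrelated package;
# the fixed version is inferred from the "2+deb9u1" version strings in the ticket.
PACKAGES = "libgdk-pixbuf2.0-0 2.36.5-2.0tails2\nlibpng16-16 1.6.28-1\n"
ADVISORIES = {"libgdk-pixbuf2.0-0": ("DSA-3978", "2.36.5-2+deb9u1")}
```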

#5 Updated by intrigeri about 1 month ago

  • Priority changed from Elevated to High

This is your only remaining task on the list of what we want to complete by the end of the contract, so raising priority. ETA?

#6 Updated by intrigeri about 1 month ago

  • Assignee changed from anonym to intrigeri

#7 Updated by intrigeri about 1 month ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/14729-gdk-pixbuf-cve-2017-2862

#8 Updated by intrigeri about 1 month ago

  • Assignee changed from intrigeri to anonym
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

Last builds have the expected package. Jenkins test suite runs pass modulo #14927.

#9 Updated by anonym about 1 month ago

  • Status changed from In Progress to Fix committed
  • % Done changed from 50 to 100

#10 Updated by anonym about 1 month ago

  • Assignee deleted (anonym)
  • QA Check changed from Ready for QA to Pass

Source diff looks good, Jenkins' build + test + repro successful => merged!

#11 Updated by anonym 27 days ago

  • Status changed from Fix committed to Resolved
