
Bug #14729

Feature #5630: Reproducible builds

Fix gdk-pixbuf vulnerability (CVE-2017-2862)

Added by cypherpunks 20 days ago. Updated 19 days ago.

Status: Confirmed
Priority: Elevated
Assignee:
Category: -
Target version:
Start date: 09/26/2017
Due date:
% Done: 0%
QA Check:
Feature Branch:
Type of work: Code
Blueprint:
Easy:
Affected tool:

Description

https://www.debian.org/security/2017/dsa-3978

The custom Tails packages need to be patched (2.36.5-2.0tails2).


Related issues

Related to Tails - Bug #13442: gdk-pixbuf's loaders.cache not reproducible Resolved 07/07/2017
Related to Tails - Feature #14728: Track security updates during the Tails code freeze Confirmed 09/26/2017

History

#1 Updated by intrigeri 20 days ago

  • Subject changed from gdk-pixbuf vulnerability to Fix gdk-pixbuf vulnerability (CVE-2017-2862)
  • Status changed from New to Confirmed
  • Assignee set to anonym
  • Priority changed from Normal to Elevated
  • Target version set to Tails_3.3
  • Parent task set to #5630

#2 Updated by intrigeri 20 days ago

  • Related to Bug #13442: gdk-pixbuf's loaders.cache not reproducible added

#3 Updated by intrigeri 20 days ago

  • Related to Feature #14728: Track security updates during the Tails code freeze added

#4 Updated by anonym 19 days ago

I was just wondering how I could have missed this when preparing the 3.1 security advisory (for the 3.2 release, yesterday) and here's the post-mortem:

I apparently optimize this process in an unsafe way (at least when it comes to detecting issues like this). I didn't do it the obvious way, i.e. look at the list of recent advisories affecting Debian and then look at which of the affected packages we install. Instead I first looked at the .packages diff between 3.1 and 3.2, and then further investigated the packages that differed against the Debian advisories. This time there actually was a difference for the gdk-pixbuf packages, but I remembered that I had uploaded it a few weeks ago for the reproducibility fix, so this difference was expected and not related to security updates, so I didn't even look it up...

So, clearly the right way to do it is to go the other way around, i.e. look at the Debian advisories and then see which of the packages installed in Tails are affected. Shame on me! But the real fix would of course be to automate the generation of advisories affecting Tails (given its .packages list), so that the human (perhaps I'm generalizing?) tendency to optimize away security guards is out of the picture.
