MantisBT - Doomseeker |
View Issue Details |
|
ID | Project | Category | View Status | Date Submitted | Last Update |
0003297 | Doomseeker | [All Projects] Suggestion | public | 2017-10-08 02:19 | 2018-10-27 22:55 |
|
Reporter | WubTheCaptain | |
Assigned To | Zalewa | |
Priority | normal | Severity | exploit | Reproducibility | have not tried |
Status | closed | Resolution | fixed | |
Platform | | OS | | OS Version | |
Product Version | 1.1 | |
Target Version | 1.1 | Fixed in Version | 1.2 | |
|
Summary | 0003297: Update bundled (and possibly vulnerable) zlib 1.2.7 dependency |
Description | Doomseeker source bundles a private fork of zlib 1.2.7.
I propose it to be updated to a recent version. |
Steps To Reproduce | |
Additional Information | The README file incorrectly suggests the bundled zlib dependency version to be 1.2.5.
Suggested downstream by Gentoo GNU/Linux: https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies#What_to_do_upstream
Quote from Gentoo Wiki: "When keeping dependency D bundled make sure to follow the upstream of D closely and update your copy to a recent version of D on every minor (and major) release to at least reduce the damage done to people using your bundled version a little."
Current release available is zlib 1.2.11: http://zlib.net/
Note: Vulnerabilities were discovered in zlib 1.2.8 (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843). Precautionary exploit severity. |
Tags | No tags attached. |
Relationships | related to | 0003238 | closed | | Split Doomseeker's build dependencies off source archive distribution, distribute separately |
 | child of | 0003246 | acknowledged | | Debian packaging |
|
Attached Files | diffoscope.log (34,005) 2017-11-09 05:45 /tracker/file_download.php?file_id=2276&type=bug |
|
Issue History |
Date Modified | Username | Field | Change |
2017-10-08 02:19 | WubTheCaptain | New Issue | |
2017-10-08 02:20 | WubTheCaptain | Relationship added | related to 0003238 |
2017-11-04 01:22 | WubTheCaptain | Target Version | => 1.1 |
2017-11-04 01:24 | WubTheCaptain | Summary | Update bundled zlib 1.2.7 dependency => Update bundled (and possibly vulnerable) zlib 1.2.7 dependency |
2017-11-04 01:27 | WubTheCaptain | Relationship added | child of 0003279 |
2017-11-04 01:44 | WubTheCaptain | Relationship deleted | child of 0003279 |
2017-11-04 01:44 | WubTheCaptain | Relationship added | child of 0003246 |
2017-11-04 09:17 | Zalewa | Assigned To | => Zalewa |
2017-11-04 09:17 | Zalewa | Status | new => assigned |
2017-11-08 21:39 | Zalewa | Note Added: 0018825 | |
2017-11-08 21:39 | Zalewa | Status | assigned => feedback |
2017-11-09 03:54 | Blzut3 | Note Added: 0018834 | |
2017-11-09 05:13 | WubTheCaptain | Note Added: 0018835 | |
2017-11-09 05:13 | WubTheCaptain | Status | feedback => assigned |
2017-11-09 05:21 | WubTheCaptain | Note Added: 0018836 | |
2017-11-09 05:21 | WubTheCaptain | Status | assigned => needs review |
2017-11-09 05:45 | WubTheCaptain | File Added: diffoscope.log | |
2017-11-09 05:45 | WubTheCaptain | Note Added: 0018837 | |
2017-11-09 05:46 | WubTheCaptain | Note Edited: 0018837 | bug_revision_view_page.php?bugnote_id=18837#r11319 |
2017-11-09 05:48 | WubTheCaptain | Note Edited: 0018837 | bug_revision_view_page.php?bugnote_id=18837#r11320 |
2017-11-09 05:50 | WubTheCaptain | Note Edited: 0018837 | bug_revision_view_page.php?bugnote_id=18837#r11321 |
2017-11-11 11:18 | Zalewa | Note Added: 0018854 | |
2017-11-13 08:57 | Blzut3 | Note Added: 0018867 | |
2017-11-13 11:15 | WubTheCaptain | Note Added: 0018868 | |
2017-11-13 17:16 | Zalewa | Status | needs review => resolved |
2017-11-13 17:16 | Zalewa | Fixed in Version | => 1.2 |
2017-11-13 17:16 | Zalewa | Resolution | open => fixed |
2018-10-27 22:55 | WubTheCaptain | Status | resolved => closed |
Notes |
|
(0018825)
Zalewa
2017-11-08 21:39

(0018834)
Blzut3
2017-11-09 03:54

Are there any issues with switching it over? I can't imagine it would be that difficult to use the already existing targets.

(0018835)
WubTheCaptain
2017-11-09 05:13

There's a lot of other things that go to Mendeley's code: an older repository without any license (no grant of rights, later relicensed at upstream under the Expat license), CPOL-licensed dependencies, etc. It'd be best to file bugs upstream to Mendeley in that case, else leave it to rot because of downstream consequences (wasted time opportunities in maintaining a private fork). (These issues don't have subtickets of 0003237 yet.)
You can obviously tell I don't like Mendeley at all, and my preference is to replace it completely (with something like 0003292; yes, MSI can be network installed by admin and silent upgrades too).
Another ticket, 0003238, would've been my preference of resolution (as said in the Gentoo GNU/Linux wiki article), but that's apparently a no-go because of the Microsoft Windows operating system family.
I'm unable to test this patch without much effort, because the qtmultimedia5-dev package depends on zlib1g-dev and so I cannot build without using the system zlib library (1.2.8) in Debian. I guess I'll run a diffoscope later to verify, but I have good faith in this to be resolved.

(0018836)
WubTheCaptain
2017-11-09 05:21

Forgot there's a FORCE_INTERNAL_ZLIB option to cmake:
cmake -DFORCE_INTERNAL_ZLIB=YES $DOOMSEEKER_SOURCE
Builds fine with zlib 1.2.11 for me.

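The ticket reports a bundled zlib 1.2.7 while the README claims 1.2.5, so the header is the only trustworthy record of what gets compiled. As an added example that is not part of this ticket or Doomseeker's own code, the POSIX shell script below reads the ZLIB_VERSION macro from a bundled zlib.h and flags copies older than the 1.2.11 release named in the description; the dependencies/zlib path, the 1.2.11 minimum and the sample header are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not Doomseeker's own code): audit a bundled zlib copy by reading the
# version that is actually compiled, ZLIB_VERSION in zlib.h, instead of trusting the
# README, and compare it with the newest release named in the ticket.
# Assumptions: 1.2.11 is the minimum acceptable version (1.2.8 carried
# CVE-2016-9840..CVE-2016-9843); the sample tree and its paths are constructed.
MIN_ZLIB_VERSION="1.2.11"

# Print the ZLIB_VERSION string defined in a zlib.h (e.g. "1.2.7"); prints nothing if absent.
zlib_version_from_header() {
    sed -n 's/^#define[[:space:]][[:space:]]*ZLIB_VERSION[[:space:]][[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Exit 0 when dotted version $1 sorts before $2; a plain string compare would call 1.2.7 > 1.2.11.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Audit a source tree: 0 = bundled zlib recent enough, 1 = outdated, 2 = no readable bundled zlib.h.
audit_bundled_zlib() {
    hdr=$(find "$1" -name zlib.h -type f | head -n 1)
    [ -n "$hdr" ] || { echo "no bundled zlib.h under $1"; return 2; }
    ver=$(zlib_version_from_header "$hdr")
    [ -n "$ver" ] || { echo "no ZLIB_VERSION in $hdr"; return 2; }
    if version_lt "$ver" "$MIN_ZLIB_VERSION"; then
        echo "OUTDATED: $hdr defines ZLIB_VERSION $ver (< $MIN_ZLIB_VERSION)"; return 1
    fi
    echo "OK: $hdr defines ZLIB_VERSION $ver"
}

# Create a constructed source tree whose bundled zlib.h claims version $1; print its path.
make_demo_tree() {
    d=$(mktemp -d) && mkdir -p "$d/dependencies/zlib" &&
    printf '/* constructed stub */\n#define ZLIB_VERSION "%s"\n' "$1" > "$d/dependencies/zlib/zlib.h" &&
    echo "$d"
}

demo=$(make_demo_tree 1.2.7)            # the version the ticket found bundled
audit_bundled_zlib "$demo" || echo "audit exit status: $?"   # OUTDATED ..., status 1
```

Run it against a real checkout with `audit_bundled_zlib /path/to/doomseeker-src` to get a non-zero exit status in CI whenever the bundled copy falls behind.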
(0018837)
WubTheCaptain
2017-11-09 05:45 (edited on: 2017-11-09 05:50)

diffoscope log passes for me. Notice algorithm.txt, example.c and zlib.vcproj though. (The lattermost is a Doomseeker "feature".)
It's unexplained whether this is a Doomseeker thing:
if( CMAKE_C_COMPILER_ID STREQUAL "GNU" OR CMAKE_C_COMPILER_ID STREQUAL "Clang" )
    set( CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIC" )
endif()
It was probably in the old version too, though.

(0018854)
Zalewa
2017-11-11 11:18

(0018867)
Blzut3
2017-11-13 08:57

Appears to be fine on Mac.

(0018868)
WubTheCaptain
2017-11-13 11:15

Guess this is resolved, then.
Only one remaining question to be answered: what's the target version for this? 1.1 patch release or 1.2?