ID | Project | Category | View Status | Date Submitted | Last Update |
0003297 | Doomseeker | [All Projects] Suggestion | public | 2017-10-08 02:19 | 2018-10-27 22:55 |
Reporter | WubTheCaptain |
Assigned To | Zalewa |
Priority | normal | Severity | exploit | Reproducibility | have not tried |
Status | closed | Resolution | fixed |
Platform | OS | OS Version |
Product Version | 1.1 |
Target Version | 1.1 | Fixed in Version | 1.2 |
Summary | 0003297: Update bundled (and possibly vulnerable) zlib 1.2.7 dependency |
Description | Doomseeker source bundles a private fork of zlib 1.2.7. I propose it to be updated to a recent version. |
Additional Information | The README file incorrectly suggests the bundled zlib dependency version to be 1.2.5.
Suggested downstream by Gentoo GNU/Linux: https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies#What_to_do_upstream
Quote from Gentoo Wiki
Current release available is zlib 1.2.11. http://zlib.net/
Note: Vulnerabilities were discovered in zlib 1.2.8 (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843). Precautionary exploit severity. |
Attached Files | diffoscope.log (34,005 bytes) 2017-11-09 05:45 |
Notes | |
(0018825) Zalewa (developer) 2017-11-08 21:39 |
I updated the dependencies/zlib to 1.2.11 as requested: https://bitbucket.org/Doomseeker/doomseeker/commits/8443d61cf99d504a4a8cd6d0c3a7c74c65772109
I wonder if we should take care of the other zlib copy that is in Mendeley Updater's code. We feed the updater with known archives, so exploitation risk is non-existent (?), but keeping & using another build of the same thing seems like asking for trouble. |
(0018834) Blzut3 (administrator) 2017-11-09 03:54 |
Are there any issues with switching it over? I can't imagine it would be that difficult to use the already existing targets. |
(0018835) WubTheCaptain (reporter) 2017-11-09 05:13 |
There's a lot of other things that go to Mendeley's code: An older repository without any license (no grant of rights, later relicensed at upstream under Expat license), CPOL-licensed dependencies, etc. It'd be best to file bugs upstream to Mendeley in that case, else leave it to rot because of downstream consequences (wasted time opportunities in maintaining a private fork). (These issues don't have subtickets of 0003237 yet.)
You can obviously tell I don't like Mendeley at all, and my preference is to replace it completely (with something like 0003292, yes MSI can be network installed by admin and silent upgrades too). Another ticket, 0003238, would've been my preference of resolution (as said in the Gentoo GNU/Linux wiki article), but that's apparently no go because of Microsoft Windows operating system family.
I'm unable to test this patch without much effort, because qtmultimedia5-dev package depends on zlib1g-dev and so I cannot build without using system library zlib (1.2.8) in Debian. I guess I'll run a diffoscope later to verify, but I have good faith in this to be resolved. |
(0018836) WubTheCaptain (reporter) 2017-11-09 05:21 |
Forgot there's FORCE_INTERNAL_ZLIB option to cmake:
    cmake -DFORCE_INTERNAL_ZLIB=YES $DOOMSEEKER_SOURCE
Builds fine with zlib 1.2.11 for me. |
(0018837) WubTheCaptain (reporter) 2017-11-09 05:45 edited on: 2017-11-09 05:50 |
diffoscope log passes for me. Notice algorithm.txt, example.c and zlib.vcproj though. (The lattermost is a Doomseeker "feature".)
This is unexplained to be a Doomseeker thing:
    if( CMAKE_C_COMPILER_ID STREQUAL "GNU" OR CMAKE_C_COMPILER_ID STREQUAL "Clang" )
        set( CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIC" )
    endif()
It was probably in the old version too, though. |
(0018854) Zalewa (developer) 2017-11-11 11:18 |
The unexplained Doomseeker thing should be explained now. Moreover, I removed zlib and bzip2 convenience copies from Mendeley's "external" directory. Blzut, you should check if it didn't break anything on Mac, especially when "use internals" are off. |
(0018867) Blzut3 (administrator) 2017-11-13 08:57 |
Appears to be fine on Mac. |
(0018868) WubTheCaptain (reporter) 2017-11-13 11:15 |
Guess this is resolved, then. Only a remaining question to be answered: What's the target version for this? 1.1 patch release or 1.2? |
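Added example (not part of the ticket and not Doomseeker's code): a small audit that finds every bundled `zlib.h` in a source tree, reads the `ZLIB_VERSION` it declares, and reports copies older than the requested release, copies that disagree with the README, and duplicate copies. The sample tree is constructed; the `zlib.h` file locations, the updater path and its 1.2.3 version are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# zlib.h declares its release as: #define ZLIB_VERSION "1.2.11"
VERSION_RE = re.compile(r'^\s*#\s*define\s+ZLIB_VERSION\s+"([^"]+)"', re.MULTILINE)

def version_key(text):
    """Numeric prefix of a version string as a tuple, so 1.2.11 sorts above 1.2.7."""
    match = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(part) for part in match.group(0).split(".")) if match else ()

def find_zlib_copies(root):
    """Map each zlib.h under root (relative path) to the ZLIB_VERSION it declares."""
    copies = {}
    for header in sorted(Path(root).rglob("zlib.h")):
        match = VERSION_RE.search(header.read_text(errors="replace"))
        # A header without the define is reported as "unknown" and treated as stale.
        copies[header.relative_to(root).as_posix()] = match.group(1) if match else "unknown"
    return copies

def audit(root, minimum, readme_version=None):
    """Return (path, version, problem) tuples for stale, misdocumented or duplicate copies."""
    copies = find_zlib_copies(root)
    findings = []
    for path, version in copies.items():
        if version_key(version) < version_key(minimum):
            findings.append((path, version, f"older than {minimum}"))
        if readme_version is not None and version != readme_version:
            findings.append((path, version, f"README says {readme_version}"))
    if len(copies) > 1:
        findings.append(("*", str(len(copies)), "more than one bundled copy"))
    return findings

def build_sample_tree(root):
    """Constructed tree: two zlib.h copies; the paths and the 1.2.3 value are made up."""
    for rel, version in (("dependencies/zlib/zlib.h", "1.2.7"),
                         ("updater/external/zlib/zlib.h", "1.2.3")):
        header = Path(root, rel)
        header.parent.mkdir(parents=True)
        header.write_text(f'/* constructed sample */\n#define ZLIB_VERSION "{version}"\n')

def run_demo():
    """Audit the constructed tree against the values named in the ticket."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit(tmp, minimum="1.2.11", readme_version="1.2.5")

if __name__ == "__main__":
    for finding in run_demo():
        print(*finding, sep=" | ")
```

Run against a real checkout with `audit(path, minimum="1.2.11")`; a second copy in the results is the situation the notes above describe for the updater's "external" directory.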
Issue History |
Date Modified | Username | Field | Change |
2017-10-08 02:19 | WubTheCaptain | New Issue | |
2017-10-08 02:20 | WubTheCaptain | Relationship added | related to 0003238 |
2017-11-04 01:22 | WubTheCaptain | Target Version | => 1.1 |
2017-11-04 01:24 | WubTheCaptain | Summary | Update bundled zlib 1.2.7 dependency => Update bundled (and possibly vulnerable) zlib 1.2.7 dependency |
2017-11-04 01:27 | WubTheCaptain | Relationship added | child of 0003279 |
2017-11-04 01:44 | WubTheCaptain | Relationship deleted | child of 0003279 |
2017-11-04 01:44 | WubTheCaptain | Relationship added | child of 0003246 |
2017-11-04 09:17 | Zalewa | Assigned To | => Zalewa |
2017-11-04 09:17 | Zalewa | Status | new => assigned |
2017-11-08 21:39 | Zalewa | Note Added: 0018825 | |
2017-11-08 21:39 | Zalewa | Status | assigned => feedback |
2017-11-09 03:54 | Blzut3 | Note Added: 0018834 | |
2017-11-09 05:13 | WubTheCaptain | Note Added: 0018835 | |
2017-11-09 05:13 | WubTheCaptain | Status | feedback => assigned |
2017-11-09 05:21 | WubTheCaptain | Note Added: 0018836 | |
2017-11-09 05:21 | WubTheCaptain | Status | assigned => needs review |
2017-11-09 05:45 | WubTheCaptain | File Added: diffoscope.log | |
2017-11-09 05:45 | WubTheCaptain | Note Added: 0018837 | |
2017-11-09 05:46 | WubTheCaptain | Note Edited: 0018837 | View Revisions |
2017-11-09 05:48 | WubTheCaptain | Note Edited: 0018837 | View Revisions |
2017-11-09 05:50 | WubTheCaptain | Note Edited: 0018837 | View Revisions |
2017-11-11 11:18 | Zalewa | Note Added: 0018854 | |
2017-11-13 08:57 | Blzut3 | Note Added: 0018867 | |
2017-11-13 11:15 | WubTheCaptain | Note Added: 0018868 | |
2017-11-13 17:16 | Zalewa | Status | needs review => resolved |
2017-11-13 17:16 | Zalewa | Fixed in Version | => 1.2 |
2017-11-13 17:16 | Zalewa | Resolution | open => fixed |
2018-10-27 22:55 | WubTheCaptain | Status | resolved => closed |