| | <<<Back 1 day (to 2018/01/29) | 20180130 |
| anthraxx | Looks like there are severan CVE worthy issues fixed in master since the last release. coinsidence or not, but the mentioned bug tickets are all marked 'private' whats the point ? why not get some CVE Ids assigned, make bug tickets public when fixes are available and actually help distributions to pick up security fixes? | 00:32.38 |
| sebras | anthraxx: they are marked private because they were reported as security issues. | 00:33.24 |
| anthraxx | sebras: well the code is public, same goes for the fixes so its easy to see the issue there. just read. like i did | 00:33.51 |
| sebras | anthraxx: I know, I fixed a number of them. | 00:34.07 |
| | anthraxx: I think the bug reports will be unmarked as private, but I have no idea when that happens. | 00:34.33 |
| anthraxx | IMHO it should be made public asap and CVE ids assigned plus at best a mail dropped to [oss-security] so OSS is aware of this and distros backport fixes. that makes everyone more secure then sitting on them | 00:34.49 |
| | sebras: thx for fixing them through :p | 00:35.13 |
| sebras | anthraxx: someone has been registering CVEs for our bugs, and adding those numbers in comments in bugzilla when the bugs are public is fine if someone wants to do some tracking. | 00:35.13 |
| anthraxx | well i could drop a bunch of commits since last tag that are very much likely security issues :P | 00:35.58 |
| sebras | anthraxx: drop? | 00:36.10 |
| anthraxx | i mean post. just trying to make a point this should be pushed public as bad guys can do the same and going public when patches are available just improves security for users of mupdf as distros pick them up | 00:36.54 |
| sebras | anthraxx: the bug reports will be made public eventually, but I don't know when. (it is not done by me.) | 00:38.41 |
| anthraxx | (i'm one of them trying to backport relevant fixes, but its really a hassle as there are obviously more then CVE ids assigned) | 00:38.52 |
| | well don't care too much about the bug reports, a mail with CVE ids and commit links to [oss-secuirty] would be much more welcome from all destributions packaging mupdf | 00:39.22 |
| sebras | anthraxx: I know that some bugs have CVEs, like this one: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-5759 but I have no idea who registered it or why and whom they might have been talking to. | 00:42.13 |
| | anthraxx: it wasn't me anyway. :) | 00:42.21 |
| anthraxx | these are the authorities: https://cve.mitre.org/cve/cna.html but easiest nowdays to fill the webform https://cveform.mitre.org/ best is when the project itself takes care to do so as they have the best oversight about commits and issues | 00:44.18 |
| | when an CVE id got assigned a simple mail to oss-security mailinglist with the ID and the commit link will be enough so every bigger distro will pick up the patch | 00:44.55 |
| | actually im here because of 2018-5759, but thought i read some of the diffs and well... found at very least 3 other commits | 00:45.34 |
| sebras | anthraxx: I'm working on a number of other bugs, those won't be the last ones. | 00:50.10 |
| anthraxx | sebras: sounds like improvements :) | 00:51.11 |
| | i (and im dead sure other distros) would highly appreciate the process described in those 3 lines. it will make everyones life easier, mupdf served in all distros more secure and helps issuing advisories to distro users about fixes issues and important updates | 00:52.18 |
| | sebras: thx for fixing them :p | 00:53.38 |
| sebras | anthraxx: who would handle the backporting of the commits? | 00:54.25 |
| anthraxx | sebras: the distros itself. every one has a dedicated security team. I'm one from Arch Linux doing exactly that | 00:55.19 |
| | one mail to mentioned mailinglist is enough to trigger them http://oss-security.openwall.org/wiki/mailing-lists/oss-security | 00:56.36 |
| | sebras: any chance to get a list what you also think are security relevant patches since 1.12.0 ? | 01:28.01 |
| sebras | anthraxx: the bugs that have seen reported as security bugs or reported ASAN issues they are quite obvious, but I have no idea how to judge whether each of the 50 or so commit may some how be exploitable. | 01:34.29 |
| | anthraxx: s/seen/been/ | 01:35.15 |
| | anthraxx: do you mind coming back tomorrow? I'm heading to bed about now (it's 2:30 am). | 01:35.44 |
| anthraxx | sebras: sure, pushing a hitfix with the obvious stuff till then | 01:38.40 |
| | sebras: good night | 01:38.42 |
| sebras | anthraxx: most of the devs are here during european business hours. (I'm not sure where you are located so that may or may not be convenient for you). | 01:39.11 |
| | anthraxx: good night. | 01:39.20 |
| paulgardiner | I'm stuck. I have no idea in what way I'm breaking this Makefile. Something is badly wrong because the second make in "make; touch pdfapp.c; make" says Nothing to be done. That happens only with HAVE_LIBCRYPTO builds. | 10:55.03 |
| tor8 | paulgardiner: which commit? I can take a look. | 10:57.43 |
| paulgardiner | signature-support-reorganisation^ | 10:58.20 |
| | Thanks tor8 | 10:58.41 |
| tor8 | paulgardiner: I believe the source/helpers/%.o : source/helpers/%.c rule also catches subdirectories | 11:00.37 |
| | to answer your other question from yesterday | 11:00.46 |
| paulgardiner | Ah. Okay. | 11:01.27 |
| | That change is possibly still worth making to avoid adding $(THREADING_CFLAGS) for the pkcs7 files. | 11:02.39 |
| tor8 | paulgardiner: which libcrypto do you use? the system one? | 11:03.18 |
| | paulgardiner: yes. the change is good. it just reminded me of your other question. | 11:03.35 |
| | pkg-config --version on my debian says 0.28 | 11:04.41 |
| paulgardiner | My system libcrypto is too old, so I've been following some advice of sebras to use a version installed in tmp | 11:04.54 |
| tor8 | and d'oh that's just user error | 11:05.09 |
| | that's the pkg-config version >.< | 11:05.14 |
| paulgardiner | It is possible that make for the HAVE_LIBCRYPTO case was already broken, so the offending lines could be in Makerules. | 11:06.25 |
| tor8 | pkg-config --modversion libcrypto lists 1.0.1t | 11:07.52 |
| | which I guess is too old? | 11:07.58 |
| paulgardiner | Yeah. Need 1.1.0x | 11:08.09 |
| tor8 | that will be...awkward. I guess I need to build from source and install locally. | 11:09.17 |
| | paulgardiner: okay, I got that installed. | 11:17.07 |
| | make; touch platform/x11/pdfapp.c; make rebuilds | 11:17.18 |
| | and it is built and linked with libcrypto.so.1.1 | 11:17.58 |
| paulgardiner | Weird. So it seems to be working for you. | 11:26.59 |
| | Could it be because I'm defining PKG_CONFIG_LIBDIR and LD_LIBDIR_PATH on the command line? I think I need to do that because of installing to tmp | 11:28.14 |
| tor8 | I did export PKG_CONFIG_PATH and LD_LIBRARY_PATH before running make | 11:36.30 |
| | to pick up the local openssl install | 11:36.37 |
| paulgardiner | Maybe a quirk of my system then. | 11:37.18 |
| tor8 | export PKG_CONFIG_PATH=/opt/openssl/lib/pkgconfig | 11:37.21 |
| | export LD_LIBRARY_PATH=/opt/openssl/lib | 11:37.27 |
| | make; touch platform/x11/pdfapp.c; make | 11:37.38 |
| | have you got timestamp skew? | 11:37.47 |
| | check the timestamps of build/release/platform/x11/pdfapp.o with platform/x11/pdfapp.c | 11:38.23 |
| paulgardiner | It gets weirder: I can't find pdfapp.o anywhere | 11:41.41 |
| | build/release/platform/x11/curl is empty. | 11:42.54 |
| | build/release/platform/x11 is empty other than curl | 11:43.14 |
| tor8 | build/release/platform/x11/curl is empty for me too... but that's because curl isn't built by default | 11:43.48 |
| | just to double check, you are building for release right? | 11:44.06 |
| paulgardiner | yep. build contains only release. | 11:44.34 |
| tor8 | and you are building mupdf-x11 successfully? | 11:44.55 |
| paulgardiner | I just did make nuke; make and still x11 contains nothing other than curl | 11:45.01 |
| tor8 | the 'curl' directory is always created (all the build directories are created always) | 11:45.29 |
| | paulgardiner: run "pkg-config --exists x11 xext && echo yes" | 11:46.17 |
| | does that say yes or remain silent? | 11:46.24 |
| | I suspect you may not be building mupdf-x11 at all | 11:46.34 |
| paulgardiner | Silent. And as you say, I'm not managing to build it. Strange because It built yesterday and I think it builds when I don't override PKG_CONFIG_PATH | 11:48.30 |
| | I think I wont worry about it, so long as it is working for you | 11:51.05 |
| tor8 | paulgardiner: try make HAVE_X11=yes | 11:51.35 |
| paulgardiner | Now it tries to build mupdf-x11 but fails... which seems reasonable. But, I still don't understand how I was building and testing it yesterday | 11:57.24 |
| | And I'm pretty sure it was building without the PKG_CONFIG_PATH override | 11:59.05 |
| tor8 | paulgardiner: you could probably do it without pkg-config overrides | 12:00.31 |
| | just set HAVE_LIBCRYPTO and SYS_LIBCRYPTO_LIBS and SYS_LIBCRYPTO_CFLAGS manually | 12:01.04 |
| paulgardiner | Yeah. Still, I'm happy if it's working for you. | 12:01.28 |
| tor8 | paulgardiner: you should set PKG_CONFIG_PATH and *not* PKG_CONFIG_LIBDIR | 12:01.39 |
| paulgardiner | I wasn't setting PKG_CONFIG_LIBDIR, but I was setting LD_LIBRARY_PATH. | 12:02.32 |
| | tor8 sebras: signature-support-reorganisation is now ready for review when you have a spare moment. | 13:00.03 |
| mcfl | Is it possible that there is a command line argument to open a file with mupdf-gl in Inverted color mode - it's not listed in the documentation, but I just wanted to be sure | 16:29.47 |
| tor8 | mcfl: -I | 16:50.58 |
| mcfl | wow - that hard, eh? :) Thanks! | 17:15.53 |
| | Forward 1 day (to 2018/01/31)>>> | |
Log of #mupdf at irc.freenode.net.