| Summary: | [UPDATE REQUEST 2016.1] librsvg 2.40.18-1 -> 2.40.20-2 | | |
|---|---|---|---|
| Product: | [ROSA-based products] ROSA Fresh | Reporter: | Giovanni Mariani <mc2374> |
| Component: | Packages from Main | Assignee: | ROSA Linux Bugs <bugs> |
| Status: | RESOLVED FIXED | QA Contact: | ROSA Linux Bugs <bugs> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrey.bondrov, v.potapov |
| Version: | GNOME | Flags: | v.potapov: qa_verified+; andrey.bondrov: published+ |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Platform: | --- | ROSA Vulnerability identifier: | |
| RPM Package: | librsvg-2.40.18-1.src.rpm | ISO-related: | |
| Bad POT generating: | | Upstream: | |
| Bug Depends on: | | | |
| Bug Blocks: | 9124 | | |
Description
Giovanni Mariani
2018-08-06 15:28:03 MSK
Advisory:
Update librsvg to the release 2.42.0.

Packages for Rosa 2016.1 / Main:
https://abf.rosalinux.ru/build_lists/2940902
https://abf.rosalinux.ru/build_lists/2940903

Comment 2 (Vladimir Potapov)

(In reply to Giovanni Mariani from comment #1)
> Advisory:
> Update librsvg to the release 2.42.0.
>
> Packages for Rosa 2016.1 / Main:
> https://abf.rosalinux.ru/build_lists/2940902
> https://abf.rosalinux.ru/build_lists/2940903

And why is version 2.42.5 not assembled? Version 2.42.0 is not in any distribution. https://pkgs.org/download/librsvg

Comment 3 (Giovanni Mariani)

(In reply to Vladimir Potapov from comment #2)
> (In reply to Giovanni Mariani from comment #1)
> > Advisory:
> > Update librsvg to the release 2.42.0.
> >
> > Packages for Rosa 2016.1 / Main:
> > https://abf.rosalinux.ru/build_lists/2940902
> > https://abf.rosalinux.ru/build_lists/2940903
> And why is not version 2.42.5 assembled?
> Version 2.42.0 does not contain any distributions.
> https://pkgs.org/download/librsvg

As I wrote already, any release > 2.42.0 needs a more recent release of rust (1.26) and cairo (something in the 1.15.x field IIRC)... Now, packaging the latter would near surely require the rebuild of lots of depending packages; moreover I am under the impression that an "official" upgrade of fundamental packages (such as cairo) only happens when preparing a new distro release, and I would rather not wait too much time to fix a CVE.

Given all the above, I chose to package a librsvg release that has the needed fix but does not yet require a new cairo and a new rust compiler: 2.42.5 needs at least the latter IIRC (it was the first one I tried after the 2.43.x build failed because of rust & cairo requirements)...

Bottom line: I would like to publish this one now to fix ASAP the CVE described in bug #9124. As soon as we open the works for the next Rosa Fresh (2018.1? 2019.1?), we can update all the needed packages to their latest release...

Comment 4 (Vladimir Potapov)

Main distros do not update to major 2.42. Maybe build 2.40.20 with CVE fixes?

Comment 5 (Giovanni Mariani)

(In reply to Vladimir Potapov from comment #4)
> main distros not update to major 2.42. may be build 2.40.20 with CVE fixes?

Uhu? Cooker has 2.42.5, Mageia 2.42.6, Fedora 28 2.42.6 and Rawhide 2.43.1. I cannot see why or how this should prevent us from using 2.42.0, because, according to ABI tracker, ABI-wise all the librsvg releases are the same (of course they change feature-wise...).

Anyway, I think your proposal is doable, but it requires much more work: 2.40.20 is rather old and there are many, many commits between this tag and the commit we need to fix the CVE at hand... I fear that it would not be trivial to port that commit to a code base so old... Even if I cannot see the technical merit of your request, if you really think that going this way is better I can give it a try...

Comment 6 (Vladimir Potapov)

With a major update there are strange problems. For example, after the turbo-jpeg update, chromium-browser did not build. If the version does not exactly match any distribution, you will have to write the patches yourself.

Comment 7 (Giovanni Mariani)

(In reply to Vladimir Potapov from comment #6)
> With major update there are strange problems.
> For example, after the turbo-jpeg update, the chromium-browser not build
> If the version does not exactly match any distribution, you will have to
> write the patches yourself.

OK, I will try the hard way... no promises, though.

Comment 8

Advisory:
Update librsvg to release 2.40.20 to pick up fix for bug #9124.

It turns out to be not a difficult task at all: release 2.42.20 has the needed fix and Pulfer already merged that in the main tree (for his work on GNOME3, I guess), but an updated package is not present in the Rosa 2016.1 repositories: so build it and bump the release. According to ABI Tracker (https://abi-laboratory.pro/index.php?view=timeline&l=librsvg), the update should be completely safe and no rebuild of depending packages should be needed.

Packages for Rosa 2016.1 / Main:
https://abf.rosalinux.ru/build_lists/2941083
https://abf.rosalinux.ru/build_lists/2941084

Comment 9

The update is sent to expanded testing.

Comment 10

librsvg-2.40.20-2
https://abf.rosalinux.ru/build_lists/2941083
https://abf.rosalinux.ru/build_lists/2941084

Advisory
Update librsvg to release 2.40.20 to pick up fix for bug #9124.

Comment 11

QA Verified