Re: [Podofo-users] ABI fix for the fix CVE-2017-5852

2017-11-12 Thread Peter Linnell
On Fri, 27 Oct 2017 00:54:11 +0200 (CEST)
Matthew Brincke  wrote:

> Hello Mattia,
> 
> > Mattia Rizzolo has written on 23 October 2017 at 11:10:
> > 
> > On Sun, Oct 22, 2017 at 05:20:31PM +0200, Matthew Brincke wrote:  
> > > Debian bug 854600 [2], I wonder why no one answered to the last
> > > post ...)  
> > 
> > My fault.
> > TBH, I totally forgot of that. I suppose I could have come up with
> > simple patch to retain ABI compatibility on my own, but I forgot
> > and I haven't than that.  
> 
> that's likely a typo, what do you mean, please? I see from your Debian
> Maintainer Dashboard
> https://udd.debian.org/dmd/?mattia%40debian.org#todo that there are
> many to-do list entries, yet could you please accept my patch also?
> Could it be that the original one in the Debian bug report wasn't
> accepted for Jessie and later because of the ABI break? With that
> cured by my patch, wouldn't it be acceptable together? If not, please
> tell why not.
> 
> > > I wonder why changing a private method is relevant to ABI at all,
> > > and (at least when you're still unconvinced ;-) to accept) would
> > > welcome your elucidation (if you have come across any, to date),
> > > please ...  
> > 
> > There is a more widespread problem in podofo where all symbols are
> > exported and therefore are formally part of the public ABI (even if
> > not intended to). Even if I suppose no program within Debian uses
> > those symbols (I could check, I haven't), I would not happily break
> > the ABI nonetheless.
> >   
> Thanks for the explanation, there's one aspect I'm still curious
> about: I wonder why any C++ compiler, much less g++, would export any
> private symbols, as they aren't supposed to be accessible from
> anywhere (beyond their class and compilation unit) except for friend
> classes (can those reside in a different library/executable?), so
> maybe they should be marked PODOFO_LOCAL?
> 
> > https://sourceforge.net/p/podofo/mailman/message/35819398/
> > (then, the lack of an actual bug tracker makes those request/reports
> > very hard to track, and I wouldn't be surprised if many missed it,
> > or even if they did completely forgot about it, as many other
> > reports) 
> I concur, I'd also like a tracker for bug reports/feature requests,
> the sf.net one was probably closed because of spam, IIRC. Could maybe
> the bug reports be copied there by someone with the permissions for
> that?
> 

Hi all,

I had set up Mantis on SF before.  As Dominic is the only admin, he is the
only one with permissions to make changes.

Cheers,
Peter

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users


Re: [Podofo-users] ABI fix for the fix CVE-2017-5852

2017-11-12 Thread Mattia Rizzolo
On Fri, Oct 27, 2017 at 12:54:11AM +0200, Matthew Brincke wrote:
> > Mattia Rizzolo has written on 23 October 2017 at 11:10:
> > On Sun, Oct 22, 2017 at 05:20:31PM +0200, Matthew Brincke wrote:
> > > Debian bug 854600 [2], I wonder why no one answered to the last post ...)
> > 
> > My fault.
> > TBH, I totally forgot of that. I suppose I could have come up with
> > simple patch to retain ABI compatibility on my own, but I forgot and I
> > haven't than that.
> 
> that's likely a typo, what do you mean, please?

mhh, what typo?

> I see from your Debian
> Maintainer Dashboard https://udd.debian.org/dmd/?mattia%40debian.org#todo
> that there are many to-do list entries,

Please don't let that page fool you: it defaults to showing stuff for
all packages I have even glanced upon, including the ones I sponsored ages
ago of which I know nothing about.  See
https://udd.debian.org/dmd/?email1=mattia%40debian.org=on#todo
for a more real "to-do list".  Even so, I don't use the DMD (Debian
Maintainer Dashboard) myself, there is too much data formatted in a way I
can't really parse.

> yet could you please accept my
> patch also? Could it be that the original one in the Debian bug report
> wasn't accepted for Jessie and later because of the ABI break? With that
> cured by my patch, wouldn't it be acceptable together? If not, please
> tell why not.

Yep, your patch is totally acceptable for me, and I've just uploaded it
to Debian unstable (together with two other CVE fixes that were done in
June but I didn't notice).

> Thanks for the explanation, there's one aspect I'm still curious about:
> I wonder why any C++ compiler, much less g++, would export any private
> symbols, as they aren't supposed to be accessible from anywhere (beyond
> their class and compilation unit) except for friend classes (can those
> reside in a different library/executable?), so maybe they should be
> marked PODOFO_LOCAL?

So, marking PODOFO_LOCAL still doesn't help by itself apparently: even
after your patch added PODOFO_LOCAL to that method, its symbol was still
exported.  I grepped around and discovered a thing, but I'll write that
in the other thread I started in May.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540
more about me:  https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia

