Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libsixel: mark as insecure #111579

Merged
merged 1 commit into from
Feb 1, 2021
Merged

libsixel: mark as insecure #111579

merged 1 commit into from
Feb 1, 2021

Conversation

dotlambda
Copy link
Member

@dotlambda dotlambda commented Feb 1, 2021
edited
Loading

Motivation for this change

closes #90869 and closes #106204
Upstream has not replied to the issues saitoha/libsixel#134 and saitoha/libsixel#136.

8 packages removed:
ffmpeg-sixel-nightly (†2.3.x) green-pdfviewer-nightly (†2014-04-22) libsixel (†1.8.6) SDL_sixel (†1.2-nightly) termplay (†2.0.6) vp (†1.8) xsw (†0.1.2) zgv (†5.9)

@dotlambda dotlambda added 1.severity: security Issues which raise a security issue, or PRs that fix one 9.needs: port to stable A PR needs a backport to the stable release. labels Feb 1, 2021
@dotlambda dotlambda requested a review from vrthra February 1, 2021 15:45
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Feb 1, 2021
danieldk
danieldk approved these changes Feb 1, 2021
View reviewed changes
Copy link
Contributor

@danieldk danieldk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@danieldk danieldk merged commit 73bf313 into NixOS:master Feb 1, 2021
@dotlambda dotlambda deleted the libsixel-insecure branch February 1, 2021 16:13
@dotlambda dotlambda added 8.has: port to stable A PR already has a backport to the stable release. and removed 9.needs: port to stable A PR needs a backport to the stable release. labels Feb 1, 2021
@dotlambda
Copy link
Member Author

backport: efe292a

@ctrlcctrlv
Copy link

How to roll this back?

I'm libsixel's de facto maintainer now.

I fixed one CVE, libsixel/libsixel#8.
I think the other one is invalid, see saitoha/libsixel#134 (comment).

I suppose you'll want a release? What else? You'll have to start pointing to the new repository too I imagine.

@ctrlcctrlv
Copy link

I fixed the one I thought was invalid. I couldn't verify user's posted case, but thought of another. That's libsixel/libsixel#9.

So, both CVE-2020-11721 and CVE-2020-19668 are resolved. Please remove the insecure mark @dotlambda.

@danieldk danieldk mentioned this pull request Jun 9, 2021
Closed
@danieldk
Copy link
Contributor

danieldk commented Jun 9, 2021
edited
Loading

@ctrlcctrlv it's nice to see that maintenance of libsixel is continued. The libsixel package in nixpkgs currently does not have an active maintainer (even though @dotlambda marked the package as insecure, it does not mean that they are necessarily interested in maintaining the package). I have opened a new issue calling for volunteers to take on maintainership of this package and to consider to switch to libsixel/libsixel as the upstream repository: #126388

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danieldk danieldk danieldk approved these changes

@vrthra vrthra Awaiting requested review from vrthra

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 8.has: port to stable A PR already has a backport to the stable release. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux
Projects
None yet
Milestone
No milestone
3 participants
@dotlambda @ctrlcctrlv @danieldk