Public bug reported: [Impact]
* jansson 2.13 has a symbol conflict with json-c library.(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966398 & https://github.com/akheron/jansson/issues/523). So an application is linking to both jansson and json-c, there will be 50% of chance that it reference to a wrong symbol, which need to SIGSEGV * In order to fix this issue, both json-c and jansson need to add symbol versioning. jansson library added this in 2.14(not yet in jammy) while json-c added in 0.15 (already in jammy) * And the affecting application should rebuild against the latest json-c and jansson libraries in order to have the correct symbol linked [Test Plan] * jansson is basically available in all of the cpu architecture. So the 1st test will be building in a personal ppa and see if it can be built in every platform. * Some of the library mentioned in the upstream issue checker can be used to verify the fix. But since I am working on a package in a private project which is hitting the issue. I am testing with my private packages(which is on arm64 platform) * Looking into the packages that depends on jansson. There are a large number of packages including network-manager. So I tried to pick 2 packages on my desktop to verify if there is regression 1. network-manager, since it is widely used in Ubuntu 2. emacs, since jansson is a JSON parser, so I pick an application that I can do some operation on JSON(e.g. formatting in emacs) [Where problems could occur] * jansson upstream is well maintained and there is also CI test job. jansson 2.14 is also packaged and maintained by Debian community. It is available for a few months already. So in general, the risk of regression is low in that perspective. * When looking into the changes between 2.13 and 2.14. There are changes in test coverage and some tidy up on the build scripts. The changes look safe but certainly there can be mistake and behaviour changes. But jansson do not depends on other packages and so this kind of regression on build script should be easily caught by test builds in different architecture and a simple integration test with package that depends on jansson. * On the library itself, it added symbol versioning to fix the bug and at the same time there are 3 new API added in 2.14. But these changes should be backward compatible. But since there is new symbols added, there can be new symbol conflict with other library but the impact should just be similar to the original bug that it is already conflict with json-c. There are alos misc fixes in like snprintf checking which looks to be safe. ** Affects: jansson (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to jansson in Ubuntu. https://bugs.launchpad.net/bugs/1987678 Title: Update jansson 2.14 in jammy Status in jansson package in Ubuntu: New Bug description: [Impact] * jansson 2.13 has a symbol conflict with json-c library.(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966398 & https://github.com/akheron/jansson/issues/523). So an application is linking to both jansson and json-c, there will be 50% of chance that it reference to a wrong symbol, which need to SIGSEGV * In order to fix this issue, both json-c and jansson need to add symbol versioning. jansson library added this in 2.14(not yet in jammy) while json-c added in 0.15 (already in jammy) * And the affecting application should rebuild against the latest json-c and jansson libraries in order to have the correct symbol linked [Test Plan] * jansson is basically available in all of the cpu architecture. So the 1st test will be building in a personal ppa and see if it can be built in every platform. * Some of the library mentioned in the upstream issue checker can be used to verify the fix. But since I am working on a package in a private project which is hitting the issue. I am testing with my private packages(which is on arm64 platform) * Looking into the packages that depends on jansson. There are a large number of packages including network-manager. So I tried to pick 2 packages on my desktop to verify if there is regression 1. network-manager, since it is widely used in Ubuntu 2. emacs, since jansson is a JSON parser, so I pick an application that I can do some operation on JSON(e.g. formatting in emacs) [Where problems could occur] * jansson upstream is well maintained and there is also CI test job. jansson 2.14 is also packaged and maintained by Debian community. It is available for a few months already. So in general, the risk of regression is low in that perspective. * When looking into the changes between 2.13 and 2.14. There are changes in test coverage and some tidy up on the build scripts. The changes look safe but certainly there can be mistake and behaviour changes. But jansson do not depends on other packages and so this kind of regression on build script should be easily caught by test builds in different architecture and a simple integration test with package that depends on jansson. * On the library itself, it added symbol versioning to fix the bug and at the same time there are 3 new API added in 2.14. But these changes should be backward compatible. But since there is new symbols added, there can be new symbol conflict with other library but the impact should just be similar to the original bug that it is already conflict with json-c. There are alos misc fixes in like snprintf checking which looks to be safe. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/jansson/+bug/1987678/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
