On Thu, Sep 15, 2016 at 4:20 PM, Josh Boyer <jwbo...@fedoraproject.org> wrote:
> On Thu, Sep 15, 2016 at 3:42 AM, Dan Horák <d...@danny.cz> wrote:
>> On Wed, 14 Sep 2016 20:50:49 +0100
>> Richard Hughes <hughsi...@gmail.com> wrote:
>>> Can we get somebody to revert
>>> https://bodhi.fedoraproject.org/updates/FEDORA-2016-7776983633 please.
>>> The update was built to fix CVE-2015-5203 which fixes a double free
>>> when opening corrupt JPEG-2000 files but in doing so breaks quite a
>>> few apps in the desktop spin causing them to exit with an assert deep
>>> in libjasper.
>>> In the update the function jas_stream_memopen has been changed:
>>> -jas_stream_t *jas_stream_memopen(char *buf, int bufsize);
>>> +jas_stream_t *jas_stream_memopen(char *buf, size_t bufsize);
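Review bot: the `bufsize` parameter on the `+` line becomes `size_t`, which silently changes the meaning of a negative argument from existing callers; a caller passing -1 (the grow-as-needed request described in this message) now hands the function a very large unsigned value. Either keep `int` in the public prototype and convert to `size_t` only after the sentinel has been handled, or document a replacement for the -1 convention and treat this as an ABI change.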
>>> Unless I've misunderstood things dramatically, size_t is basically
>>> an *unsigned* long integer, but this function offers a feature where if
>>> the bufsize is -1 the buffer is realloc'd as needed. gdk-pixbuf2 uses
>>> this feature for JPEG-2000 files. However, as size_t represents only
>>> positive numbers, a conversion takes place to some very high number
>>> and the allocation fails.
>> one more case for enabling libabigail tests in bodhi ...
> I agree.  This would have been caught by libabigail/abicheck as far as I know.

Yes, see my previous comment for more detail.

> Does anyone know what the blockers are for enabling it in production?

Right now abichecks already run in production on the set of packages which are
listed in critpath[1] and can be viewed [2] or subscribed[3] to. For the initial
phase, it has been kept as informational and no packages get blocked if
incompatible ABI changes are found. There is already a ticket [4] for
enabling abicheck on all C/C++ package updates which I believe will be worked
on soon.

[1] https://admin.fedoraproject.org/pkgdb/api/critpath
[3] https://apps.fedoraproject.org/notifications/
[4] https://phab.qadevel.cloud.fedoraproject.org/T823
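The sentinel problem described in the quoted report, as an added example that is not part of the original thread and is not libjasper's code. The `mstream` type and the `memopen_*` names are hypothetical stand-ins, and the 1024-byte initial size is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a memory-backed stream (not libjasper's struct). */
typedef struct { char *buf; size_t cap; int growable; } mstream;

static mstream *mstream_new(size_t cap, int growable)
{
    /* A request above PTRDIFF_MAX cannot be satisfied; fail as malloc would. */
    if (cap == 0 || cap > PTRDIFF_MAX) return NULL;
    mstream *s = malloc(sizeof *s);
    if (!s) return NULL;
    s->buf = malloc(cap);
    if (!s->buf) { free(s); return NULL; }
    s->cap = cap;
    s->growable = growable;
    return s;
}

/* Before: signed size; a non-positive value asks for a self-growing buffer. */
mstream *memopen_old(int bufsize)
{
    if (bufsize <= 0) return mstream_new(1024, 1);
    return mstream_new((size_t)bufsize, 0);
}

/* After: size_t parameter. A caller's -1 arrives as SIZE_MAX, the old
 * "<= 0" test can now only match 0, and the huge allocation fails. */
mstream *memopen_new(size_t bufsize)
{
    if (bufsize == 0) return mstream_new(1024, 1);
    return mstream_new(bufsize, 0);
}

/* One compatible option: keep the signed public prototype and convert
 * to size_t only after the sentinel has been handled. */
mstream *memopen_compat(int bufsize)
{
    return memopen_new(bufsize <= 0 ? 0 : (size_t)bufsize);
}

void mstream_free(mstream *s) { if (s) { free(s->buf); free(s); } }

int main(void)
{
    int legacy = -1;                       /* what an existing caller passes */
    mstream *a = memopen_old(legacy), *b = memopen_new((size_t)legacy);
    printf("old: %s, new: %s\n", a ? "opened" : "failed", b ? "opened" : "failed");
    mstream_free(a); mstream_free(b);
    return 0;
}
```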