[depends] expat 2.2.0, ccache 3.3.1, fontconfig 2.12.1 #8423

pull fanquake wants to merge 3 commits into bitcoin:master from fanquake:expat-ccache-jul changing 3 files +7 −7

fanquake commented at 3:00 AM on July 29, 2016: member

CVE-2016-0718 (issue 537) - Fix crash on malformed input
CVE-2016-4472 - Improve insufficient fix to CVE-2015-1283 / CVE-2015-2716 introduced with Expat 2.1.1
CVE-2016-5300 (issue 499) - Use more entropy for hash initialization than the original fix to CVE-2012-0876
CVE-2012-6702 (issue 519) - Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 when addressing CVE-2012-0876 (issue 496)
Fix uninitialized reads of size 1 (e.g. in little2_updatePosition)
Fix detection of UTF-8 character boundaries

ccache 3.3.1 - release notes

fontconfig 2.12.1 - release notes

laanwj assigned theuni on Jul 29, 2016
laanwj added the label Build system on Jul 29, 2016
sipa commented at 7:44 PM on July 29, 2016: member

Concept ACK for 0.14. I don't think there is anything urgent here for 0.13?
laanwj commented at 8:54 AM on July 30, 2016: member

@sipa Neither expat nor ccache is directly used in the Bitcoin Core executable, but part of tools (expat is used for the protobuf compiler) / building. So no, I don't see any reason why this would be urgent. We could bump them for 0.14.
theuni commented at 4:33 PM on July 31, 2016: member

ut ack.
laanwj commented at 11:35 AM on August 4, 2016: member

HM I was wrong above - expat is not used for protobuf, but used for the dbus, and also a part of fontconfig. I vaguely remember we could drop dbus as a dependency as Qt loads it dynamically? Any hope of getting rid of expat @theuni?
fanquake commented at 1:07 PM on August 4, 2016: member

From memory we had to wait until we moved to Qt 5.7. Although that could all be rolled into 0.14.0?
laanwj commented at 1:17 PM on August 4, 2016: member

Ah yes Qt 5.7 there's an issue open for that: #8237

After that we can get rid of dbus, but can we get rid of expat? What is it used for in fontconfig?
theuni commented at 5:54 PM on August 4, 2016: member

@laanwj Yes, we can get rid of dbus. IIRC we can do that already, I'll take a look and PR it if possible.

Unfortunately, I think we're stuck with expat in fontconfig. It's one of the libs that we use to link, then throw away.
fanquake force-pushed on Aug 26, 2016
fanquake commented at 10:24 AM on August 29, 2016: member

ccache 3.3 has been released, I'll update this PR to include it. @theuni is this going to clash with your Qt5.7 work?
laanwj commented at 2:18 PM on August 31, 2016: member

Unfortunately, I think we're stuck with expat in fontconfig. It's one of the libs that we use to link, then throw away.

Would help to have a list of packages whose CVE's affect the final binary, and which don't, to avoid unpleasant surprises.
fanquake force-pushed on Sep 3, 2016
fanquake commented at 7:30 AM on September 3, 2016: member

Rebased, updated ccache to 3.3.0 and added a commit for fontconfig 2.12.1
fanquake renamed this:
~~[depends] expat 2.2.0, ccache 3.2.7~~
[depends] expat 2.2.0, ccache 3.2.7, fontconfig 2.12.1
on Sep 3, 2016
fanquake force-pushed on Sep 3, 2016
[depends] expat 2.2.0 6b6cbddb4c
[depends] ccache 3.3.1 9616ac8a40
[depends] fontconfig 2.12.1 86d410d91b
fanquake force-pushed on Sep 16, 2016
fanquake renamed this:
~~[depends] expat 2.2.0, ccache 3.2.7, fontconfig 2.12.1~~
[depends] expat 2.2.0, ccache 3.3.1, fontconfig 2.12.1
on Sep 16, 2016
laanwj commented at 5:54 AM on September 22, 2016: member

utACK 86d410d
laanwj merged this on Sep 22, 2016
laanwj closed this on Sep 22, 2016
laanwj referenced this in commit 3166dff48f on Sep 22, 2016
fanquake deleted the branch on Oct 6, 2016
codablock referenced this in commit 0545b2fabb on Sep 19, 2017
codablock referenced this in commit 801c9e259d on Jan 11, 2018
MarcoFalke locked this on Sep 8, 2021

Contributors

Labels

Linked (view graph)

#8639 Docs: Minimum required dependencies and current CVEs