FS#52229 - Make openjpeg2, libtiff, libwmf optional dependencies

Attached to Project: Arch Linux
Opened by Lukas B (teateawhy) - Wednesday, 21 December 2016, 17:32 GMT
Last edited by Antonio Rojas (arojas) - Wednesday, 21 December 2016, 18:07 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

These are deprecated file formats which are seldom used in practice and have long-standing / multiple security issues.

Package libwmf is affected by ["CVE-2016-9011", "CVE-2015-4696", "CVE-2015-4695", "CVE-2015-4588", "CVE-2015-0848", "CVE-2009-3546", "CVE-2009-1364", "CVE-2007-3477", "CVE-2007-3473", "CVE-2007-3472", "CVE-2007-2756", "CVE-2007-0455", "CVE-2006-3376"]. VULNERABLE!
Package libtiff is affected by ["CVE-2015-7554"]. VULNERABLE!
Package openjpeg2 is affected by ["CVE-2016-9118", "CVE-2016-9117", "CVE-2016-9116", "CVE-2016-9115", "CVE-2016-9114", "CVE-2016-9113"]. VULNERABLE!

Closed by Antonio Rojas (arojas)
Wednesday, 21 December 2016, 18:07 GMT
Reason for closing: Not a bug
Comment by Antonio Rojas (arojas) - Wednesday, 21 December 2016, 17:41 GMT
optional dependencies of what?
Comment by Lukas B (teateawhy) - Wednesday, 21 December 2016, 17:56 GMT
Whichever application actually needs them, and not half of the repository, as it currently is.

Just a few examples:
gtk3 -> gdk-pixbuf2 -> libtiff
qt5-base -> libcups -> libtiff
weston -> poppler-glib -> poppler -> "openjpeg2" -> "libtiff"

EDIT:
The provided fix is only for libwmf, not for libtiff or openjpeg2, and thus a partial solution.
If a feature creates a long-standing security issue, and is mostly obsolete, why not remove it?
Are you unable to do so?
I have already deleted the shared libraries installed by these packages, which seems to achieve exactly that.
Applications that I use are not affected by this, which can of course not be generalized.

Comment by Paul Bredbury (brebs) - Wednesday, 21 December 2016, 18:03 GMT

Comment by Antonio Rojas (arojas) - Wednesday, 21 December 2016, 18:07 GMT
That's not how shared libraries work, you can't magically make them optional if binaries are linked to them. If you know of a package that wrongly depends on them, file a report *against that package*
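
The point in the closing comment can be checked on any installed file rather than argued from the package database: an ELF object records its link-time dependencies as DT_NEEDED entries in its .dynamic section, and the dynamic loader refuses to start a program whose DT_NEEDED libraries are missing, which is exactly why such a library cannot be turned into an optional dependency of that package. The script below is an added example, not code from this thread or from Arch packaging. It reads the DT_NEEDED entries with only the Python standard library and reports whether a file is hard-linked against a library such as libtiff. It handles ELF64 little-endian only; the minimal ELF image it builds for its own demonstration is a constructed fixture, and the command-line paths are placeholders.

```python
"""Report whether an ELF binary is hard-linked (DT_NEEDED) against a library.

Added example for FS#52229, not the reporter's or Arch's code.  A DT_NEEDED
entry is a link-time dependency the dynamic loader must satisfy before the
program runs, so it cannot be made optional at the package level.
"""
import struct
import sys

SHT_STRTAB = 3
SHT_DYNAMIC = 6
DT_NULL = 0
DT_NEEDED = 1

EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes, little-endian
SHDR = "<IIQQQQIIQQ"         # Elf64_Shdr, 64 bytes
DYN = "<qQ"                  # Elf64_Dyn, 16 bytes


def needed_libraries(data: bytes) -> list:
    """Return the DT_NEEDED sonames of an ELF64 little-endian image, in order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles ELF64 little-endian only")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    sections = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    needed = []
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type != SHT_DYNAMIC:
            continue
        # sh_link of .dynamic is the index of its string table (.dynstr)
        strtab = sections[sh_link]
        if strtab[1] != SHT_STRTAB:
            raise ValueError(".dynamic links to a section that is not a string table")
        str_off, str_size = strtab[4], strtab[5]
        pos, end = sh_offset, sh_offset + sh_size
        while pos + struct.calcsize(DYN) <= end:
            tag, val = struct.unpack_from(DYN, data, pos)
            pos += struct.calcsize(DYN)
            if tag == DT_NULL:          # terminates the dynamic array
                break
            if tag == DT_NEEDED:
                if val >= str_size:      # reject offsets outside .dynstr
                    raise ValueError("DT_NEEDED string offset outside .dynstr")
                name_end = data.index(b"\0", str_off + val, str_off + str_size)
                needed.append(data[str_off + val:name_end].decode("ascii"))
    return needed


def links_against(data: bytes, soname_prefix: str) -> bool:
    """True if any DT_NEEDED entry starts with soname_prefix, e.g. 'libtiff.so'."""
    return any(n.startswith(soname_prefix) for n in needed_libraries(data))


def build_sample_elf(needed: list) -> bytes:
    """Constructed fixture: a minimal, non-executable ELF64 image whose only
    content is a .dynamic section naming `needed`.  Layout:
    ehdr | .dynstr | .dynamic | .shstrtab | shdrs (null, .dynstr, .dynamic, .shstrtab)."""
    dynstr, offsets = b"\0", []
    for name in needed:
        offsets.append(len(dynstr))
        dynstr += name.encode("ascii") + b"\0"
    dynamic = b"".join(struct.pack(DYN, DT_NEEDED, off) for off in offsets)
    dynamic += struct.pack(DYN, DT_NULL, 0)
    shstrtab = b"\0.dynstr\0.dynamic\0.shstrtab\0"   # names at offsets 1, 9, 18
    off_dynstr = struct.calcsize(EHDR)
    off_dynamic = off_dynstr + len(dynstr)
    off_shstrtab = off_dynamic + len(dynamic)
    off_shdrs = off_shstrtab + len(shstrtab)
    shdrs = [
        struct.pack(SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                   # SHN_UNDEF
        struct.pack(SHDR, 1, SHT_STRTAB, 0, 0, off_dynstr, len(dynstr), 0, 0, 1, 0),       # .dynstr
        struct.pack(SHDR, 9, SHT_DYNAMIC, 0, 0, off_dynamic, len(dynamic), 1, 0, 8, 16),   # .dynamic -> link 1
        struct.pack(SHDR, 18, SHT_STRTAB, 0, 0, off_shstrtab, len(shstrtab), 0, 0, 1, 0),  # .shstrtab
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr = struct.pack(EHDR, ident, 3, 62, 1, 0, 0, off_shdrs, 0,
                       64, 0, 0, 64, len(shdrs), 3)          # ET_DYN, EM_X86_64
    return ehdr + dynstr + dynamic + shstrtab + b"".join(shdrs)


if __name__ == "__main__":
    # Usage: python3 check_needed.py libtiff.so /path/to/binary-or-library ...
    if len(sys.argv) < 3:
        sample = build_sample_elf(["libtiff.so.5", "libc.so.6"])   # constructed fixture
        print("sample image DT_NEEDED:", needed_libraries(sample))
        sys.exit(0)
    prefix, paths = sys.argv[1], sys.argv[2:]
    for path in paths:
        with open(path, "rb") as f:
            hits = [n for n in needed_libraries(f.read()) if n.startswith(prefix)]
        print(f"{path}: " + (f"hard-linked to {', '.join(hits)}" if hits
                             else f"no DT_NEEDED entry for {prefix}"))
```

Two caveats when using this against the chains quoted above. DT_NEEDED only lists direct link-time dependencies, so for a chain like poppler -> openjpeg2 -> libtiff the check has to be repeated on each library named in the previous result. Conversely, a library opened at run time with dlopen (the usual plugin-loader pattern) never appears in DT_NEEDED, and a dependency that exists only that way is the kind that genuinely could be declared optional; `pactree -r <pkg>` gives the package-level view, this script the binary-level one, and a mismatch between the two is what a report against a specific package would need to show.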
