Re: [PATCH] gnu: mupdf: Fix some security problems in bundled mujs.

[Marius Bakke]

Leo Famulari <address@hidden> writes:

> Can you include links to the upstream bug reports in the patch files?

Good catch; added.

> Through cups, this requires ~600 rebuilds. I wonder if we can graft it?
> That is, is the ABI compatible?

Good question. The null pointer dereference patch renames a function,
and I can find it in /gnu/store/...-mupdf-1.10a/lib/libmupdfthird.a. So
I guess not.

There is also /lib/libmupdf.a which I assume most packages use, and does
not seem to use anything from mujs.

This package only provides static libraries, so grafting may not even
work. In most cases I've come across, the static library is embedded
with "ar" in the final package (cups do not retain a rerefence to
mupdf). What to do?

(as an aside, I wonder if we can add an "ar-wrapper" that creates thin
archives by default).

signature.asc
Description: PGP signature