Hello,
I'm orphaning lcms; this package has seen a few security issues and upstream claims it's deprecated in favour of lcms2.
RHEL 7 doesn't depend on it for the few packages, so it might be an option not to build lcms support for certain packages.
# repoquery --whatrequires liblcms.so.1 --source
DevIL-1.7.8-16.fc20.src.rpm
cinepaint-1.4-5.fc20.src.rpm
cmyktool-0.1.6-0.6.pre1.fc20.src.rpm
entangle-0.5.3-2.fc20.src.rpm
f-spot-0.8.2-11.fc20.src.rpm
geeqie-1.1-13.fc20.src.rpm
gimp-separate+-0.5.8-10.fc20.src.rpm
hylafax+-5.5.4-1.fc20.src.rpm
libmng-1.0.10-12.fc20.src.rpm
rawstudio-2.0-12.fc20.src.rpm
mate-image-viewer-1.6.2-2.fc20.src.rpm
oyranos-0.4.0-12.fc20.src.rpm
photoprint-0.4.2-0.12.pre2.fc20.src.rpm
python-pillow-2.2.1-4.fc20.src.rpm
rawstudio-2.0-12.fc20.src.rpm
sK1-0.9.1-0.8.pre_rev730.fc20.src.rpm
Thx
On Mon, Jun 02, 2014 at 10:39:56PM +0200, Nicolas Chauvet wrote:
python-pillow-2.2.1-4.fc20.src.rpm
This one can be fixed by upgrading to 2.3.0 (or greater; 2.4.0 is current). 2.4.0 is what's in rawhide. Not sure if that's safe to push back to f20 and earlier. (Although I see that there's an insecure use of tempfile CVE that was fixed in 2.3.1, so maybe it makes sense to update even if there is API breakage.)
@smani: Do you have more information here?
-Toshio
On 02.06.2014 23:07, Toshio Kuratomi wrote:
On Mon, Jun 02, 2014 at 10:39:56PM +0200, Nicolas Chauvet wrote:
python-pillow-2.2.1-4.fc20.src.rpm
This one can be fixed by upgrading to 2.3.0 (or greater; 2.4.0 is current). 2.4.0 is what's in rawhide. Not sure if that's safe to push back to f20 and earlier. (Although I see that there's an insecure use of tempfile CVE that was fixed in 2.3.1, so maybe it makes sense to update even if there is API breakage.)
@smani: Do you have more information here?
-Toshio
The API has never been broken as far as I can tell. I guess we could update to 2.4.0 (although given the number of packages which depend on pillow I wasn't planning to do so in a stable release), or otherwise we could backport [1]. But, more generally, why introduce such a change in a stable release? Can't lcms just be removed for F21+?
Sandro
https://apps.fedoraproject.org/packages/lcms/bugs/all lists a CVE. If lcms-1 is no longer going to be maintained in Fedora, that (and any other) security flaw won't be addressed. It's therefore advisable for them to update to the new version of lcms if feasible. The affected packager would likely want to take ownership of lcms-1 and patch the security issues.
-Toshio
On 03.06.2014 23:20, Toshio Kuratomi wrote:
https://apps.fedoraproject.org/packages/lcms/bugs/all lists a CVE. If lcms-1 is no longer going to be maintained in Fedora, that (and any other) security flaw won't be addressed. It's therefore advisable for them to update to the new version of lcms if feasible. The affected packager would likely want to take ownership of lcms-1 and patch the security issues.
-Toshio
If it is a matter of patching security issues for the remaining lifetime of F19 and F20, I don't mind doing so if no-one of the current maintainers will.
Sandro
On Mon, Jun 02, 2014 at 10:39:56PM +0200, Nicolas Chauvet wrote:
# repoquery --whatrequires liblcms.so.1 --source
cinepaint-1.4-5.fc20.src.rpm
cmyktool-0.1.6-0.6.pre1.fc20.src.rpm
DevIL-1.7.8-16.fc20.src.rpm
entangle-0.5.3-2.fc20.src.rpm
f-spot-0.8.2-11.fc20.src.rpm
geeqie-1.1-13.fc20.src.rpm
gimp-separate+-0.5.8-10.fc20.src.rpm
hylafax+-5.5.4-1.fc20.src.rpm
libmng-1.0.10-12.fc20.src.rpm
mate-image-viewer-1.6.2-2.fc20.src.rpm
oyranos-0.4.0-12.fc20.src.rpm
photoprint-0.4.2-0.12.pre2.fc20.src.rpm
python-pillow-2.2.1-4.fc20.src.rpm
rawstudio-2.0-12.fc20.src.rpm
rawstudio-2.0-12.fc20.src.rpm
sK1-0.9.1-0.8.pre_rev730.fc20.src.rpm
There are inkscape and imageinfo missing in the list:
Depending on: lcms
DevIL (maintained by: jwrdegoede)
    DevIL-1.7.8-17.fc21.i686 requires liblcms.so.1
    DevIL-1.7.8-17.fc21.src requires lcms-devel = 1.19-11.fc21
    DevIL-ILUT-1.7.8-17.fc21.i686 requires liblcms.so.1
cinepaint (maintained by: jcapik)
    cinepaint-1.4-5.fc21.i686 requires liblcms.so.1
    cinepaint-1.4-5.fc21.src requires lcms-devel = 1.19-11.fc21
    cinepaint-libs-1.4-5.fc21.i686 requires liblcms.so.1, liboyranos.so.0, liboyranos_config.so.0, liboyranos_core.so.0, liboyranos_modules.so.0, liboyranos_object.so.0
cmyktool (maintained by: duffy)
    cmyktool-0.1.6-0.6.pre1.fc20.i686 requires liblcms.so.1
    cmyktool-0.1.6-0.6.pre1.fc20.src requires pkgconfig(lcms) = 1.19
cups-filters (maintained by: twaugh, jkoncick, jpopelka)
    cups-filters-1.0.53-2.fc21.src requires pkgconfig(lcms) = 1.19
f-spot (maintained by: chkr, alexl, caolanm, hadess, johnp, mbarnes, rhughes, rstrode, ssp, xiphmont)
    f-spot-0.8.2-11.fc20.i686 requires lcms-libs = 1.19-11.fc21, liblcms.so.1
    f-spot-0.8.2-11.fc20.src requires lcms-devel = 1.19-11.fc21
gimp-separate+ (maintained by: hanecak, design-sw)
    gimp-separate+-0.5.8-10.fc21.i686 requires liblcms.so.1
    gimp-separate+-0.5.8-10.fc21.src requires lcms-devel = 1.19-11.fc21
hylafax+ (maintained by: faxguy, msuchy)
    hylafax+-5.5.5-1.fc21.i686 requires liblcms.so.1
    hylafax+-5.5.5-1.fc21.src requires lcms-devel = 1.19-11.fc21
    hylafax+-client-5.5.5-1.fc21.i686 requires liblcms.so.1
imageinfo (maintained by: brendt)
    imageinfo-0.05-20.fc21.src requires lcms-devel = 1.19-11.fc21
inkscape (maintained by: limb, duffy, lkundrak)
    inkscape-0.48.4-16.fc21.src requires lcms-devel = 1.19-11.fc21
rawstudio (maintained by: giallu)
    librawstudio-2.0-13.fc21.i686 requires liblcms.so.1
    rawstudio-2.0-13.fc21.i686 requires liblcms.so.1
    rawstudio-2.0-13.fc21.src requires lcms-devel = 1.19-11.fc21
oyranos (maintained by: cicku)
    oyranos-0.9.5-2.fc21.src requires lcms-devel = 1.19-11.fc21
photoprint (maintained by: mdomsch)
    photoprint-0.4.2-0.12.pre2.fc20.i686 requires liblcms.so.1
    photoprint-0.4.2-0.12.pre2.fc20.src requires lcms-devel = 1.19-11.fc21
sK1 (maintained by: itamarjp)
    sK1-0.9.1-0.9.pre_rev730.fc21.i686 requires liblcms.so.1, python-lcms = 1.19-11.fc21
    sK1-0.9.1-0.9.pre_rev730.fc21.src requires lcms-devel = 1.19-11.fc21
Regards Till
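The dependency report above mixes two kinds of exposure: packages whose installed binaries link against liblcms.so.1 (runtime exposure to any unfixed flaw in lcms-1) and packages that only need lcms-devel or pkgconfig(lcms) at build time. The following is an added example, not code from the thread or from Fedora tooling: it parses that report format (sample input constructed from lines quoted above) and separates runtime-exposed packages from build-only ones, grouped by maintainer.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the report quoted in the thread
# (three packages, abbreviated). Runtime exposure: liblcms.so.1, lcms-libs,
# python-lcms. Build-time only: lcms-devel, pkgconfig(lcms).
SAMPLE_REPORT = """\
Depending on: lcms
DevIL (maintained by: jwrdegoede)
    DevIL-1.7.8-17.fc21.i686 requires liblcms.so.1
    DevIL-1.7.8-17.fc21.src requires lcms-devel = 1.19-11.fc21
cups-filters (maintained by: twaugh, jkoncick, jpopelka)
    cups-filters-1.0.53-2.fc21.src requires pkgconfig(lcms) = 1.19
sK1 (maintained by: itamarjp)
    sK1-0.9.1-0.9.pre_rev730.fc21.i686 requires liblcms.so.1, python-lcms = 1.19-11.fc21
"""

HEADER_RE = re.compile(r"^(\S+) \(maintained by: ([^)]*)\)$")
RUNTIME_CAPS = ("liblcms.so.1", "lcms-libs", "python-lcms")
BUILD_CAPS = ("lcms-devel", "pkgconfig(lcms)")

def parse_report(text):
    """Return {package: {"maintainers": [...], "runtime": bool, "build": bool}}."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Depending on:"):
            continue
        header = HEADER_RE.match(line)
        if header:  # unindented "pkg (maintained by: a, b)" line opens a group
            current = header.group(1)
            result[current] = {"maintainers": [m.strip() for m in header.group(2).split(",")],
                               "runtime": False, "build": False}
            continue
        if current is None:
            continue  # dependency line before any package header: ignore
        # Indented "<nevra> requires <cap>[ = ver][, <cap> ...]"
        _, _, caps = line.strip().partition(" requires ")
        for cap in caps.split(","):
            name = cap.strip().split(" ")[0]  # drop the "= version" part
            if name in RUNTIME_CAPS:
                result[current]["runtime"] = True
            elif name in BUILD_CAPS:
                result[current]["build"] = True
    return result

def runtime_exposed(report):
    """Packages shipping binaries that link against the orphaned library."""
    return sorted(p for p, info in report.items() if info["runtime"])

def maintainers_to_notify(report):
    """Maintainer -> sorted list of their affected packages."""
    by_maint = defaultdict(list)
    for pkg, info in report.items():
        for m in info["maintainers"]:
            by_maint[m].append(pkg)
    return {m: sorted(pkgs) for m, pkgs in by_maint.items()}
```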
On Mon, Jun 2, 2014 at 5:23 PM, Till Maas opensource@till.name wrote:
On Mon, Jun 02, 2014 at 10:39:56PM +0200, Nicolas Chauvet wrote:
# repoquery --whatrequires liblcms.so.1 --source
cinepaint-1.4-5.fc20.src.rpm
cmyktool-0.1.6-0.6.pre1.fc20.src.rpm
DevIL-1.7.8-16.fc20.src.rpm
entangle-0.5.3-2.fc20.src.rpm
f-spot-0.8.2-11.fc20.src.rpm
geeqie-1.1-13.fc20.src.rpm
gimp-separate+-0.5.8-10.fc20.src.rpm
hylafax+-5.5.4-1.fc20.src.rpm
libmng-1.0.10-12.fc20.src.rpm
mate-image-viewer-1.6.2-2.fc20.src.rpm
oyranos-0.4.0-12.fc20.src.rpm
photoprint-0.4.2-0.12.pre2.fc20.src.rpm
python-pillow-2.2.1-4.fc20.src.rpm
rawstudio-2.0-12.fc20.src.rpm
rawstudio-2.0-12.fc20.src.rpm
sK1-0.9.1-0.8.pre_rev730.fc20.src.rpm
There are inkscape and imageinfo missing in the list:
inkscape (maintained by: limb, duffy, lkundrak)
    inkscape-0.48.4-16.fc21.src requires lcms-devel = 1.19-11.fc21
rawstudio (maintained by: giallu)
Regards Till
libmng uses lcms2 in rawhide, and I just updated inkscape to do the same.
On Tue, 2014-06-03 at 08:54 -0500, Jon Ciesla wrote:
There are inkscape and imageinfo missing in the list:
inkscape (maintained by: limb, duffy, lkundrak)
    inkscape-0.48.4-16.fc21.src requires lcms-devel = 1.19-11.fc21
rawstudio (maintained by: giallu)
Hi, rawstudio is a little unmaintained upstream; the last release is from 2011.
Critical bugs aren't fixed, for example: http://bugzilla.rawstudio.org/show_bug.cgi?id=601
I tried building rawstudio from svn, but it isn't better; also, it only builds with osm-gps-map-0.7.3 and Fedora 20 has 1.0.1 [1], so I suspect it is now FTBFS.
[1] http://bugzilla.rawstudio.org/show_bug.cgi?id=627
Hi,
On 06/02/2014 10:39 PM, Nicolas Chauvet wrote:
Hello,
I'm orphaning lcms; this package has seen a few security issues and upstream claims it's deprecated in favour of lcms2.
RHEL 7 doesn't depend on it for the few packages, so it might be an option not to build lcms support for certain packages.
# repoquery --whatrequires liblcms.so.1 --source DevIL-1.7.8-16.fc20.src.rpm
I've just kicked off a build of DevIL which drops the use of lcms, so DevIL can be taken off the list.
Regards,
Hans
On Mon, Jun 02, 2014 at 10:39:56PM +0200, Nicolas Chauvet wrote:
Hello,
I'm orphaning lcms; this package has seen a few security issues and upstream claims it's deprecated in favour of lcms2.
# repoquery --whatrequires liblcms.so.1 --source entangle-0.5.3-2.fc20.src.rpm
FYI, the repo you're pointing to is outdated; Fedora 20 updates is currently on version 0.6.0, which uses lcms2 instead.
Regards, Daniel