Summary: dev-lang/squeak contains internal copies of jpeg, pcre, libmpeg3, libgsm and probably more
Product: Gentoo Linux
Reporter: Diego Elio Pettenò (RETIRED) <flameeyes>
Component: New packages
Assignee: Luis Araujo (RETIRED) <araujo>
Severity: normal
CC: esigra, n-roeser, robbat2, security
Package list:
Runtime testing required: ---
Bug Depends on:
Description Diego Elio Pettenò (RETIRED) 2008-11-18 13:50:11 UTC
Just check these directories:

Squeak-3.10-1/platforms/Cross/plugins/JPEGReadWriter2Plugin
Squeak-3.10-1/platforms/Cross/plugins/Mpeg3Plugin/libmpeg
Squeak-3.10-1/platforms/Cross/plugins/RePlugin

I haven't checked the bundled versions for known vulnerabilities, but anyway something should be done.

Thanks,
Diego
Comment 1 Luis Araujo (RETIRED) 2008-11-29 13:53:10 UTC
I don't follow, something like what?
Comment 2 Diego Elio Pettenò (RETIRED) 2008-11-29 14:04:54 UTC
Something like making it use system libraries instead.
Comment 3 Luis Araujo (RETIRED) 2008-11-29 16:59:24 UTC
Squeak is a whole system, and these are their system libraries.
Comment 4 Diego Elio Pettenò (RETIRED) 2008-12-29 00:39:04 UTC
Squeak provides system bindings to libraries, but it should not use bundled libraries for that.
Comment 5 Luis Araujo (RETIRED) 2008-12-29 01:34:45 UTC
It's how Squeak works. You should file a bug upstream. I am closing this.
Comment 6 Diego Elio Pettenò (RETIRED) 2008-12-29 01:38:57 UTC
For sure it's not fixed. And it's a breach of policy to use the bundled libraries unless there are very, very good reasons to do so. "That's how upstream does it" is rarely a good enough reason. Often enough upstream does so because they don't know better.
Comment 7 Luis Araujo (RETIRED) 2008-12-29 02:12:59 UTC
There is no benefit; instead, a bunch of issues to deal with and error-prone situations using system libraries for this. Squeak, as I said, is a whole different system, and it requires special plugins, specifically written for it; seriously, there is no point in taking these libraries from the system. Either you come out with a sane and SAFE way of getting these plugins on the fly (which I still would consider adding) or stop re-opening this bug.
Comment 8 Diego Elio Pettenò (RETIRED) 2008-12-29 02:22:16 UTC
I'm not telling you to get rid of the plugins, but since I don't see many changes from a quick look at the sources, I bet the plugins can be linked against the system copy of the libraries, and then squeak can load its plugins using those like we do for any other language (Perl, Python, PHP, Ruby, you name it). As for "no benefit": GLSA 200701-05, GLSA 200508-17, and what about the future? What makes Squeak so tremendously different from Perl, Python, PHP, Ruby, TCL, that it cannot use the system libraries for its bindings? "is a whole system" does not really say much, since they are bindings, whether they come in a single huge package or not.
Comment 9 Luis Araujo (RETIRED) 2008-12-29 02:43:37 UTC
Squeak is neither python, ruby, perl, nor any other language out there.... Squeak is an operating-system-like language that contains plenty of plugins maintained by the same Squeak community. Which means that when a user _installs_ Squeak, the user intends to use those plugins, the ones written by the Squeak community. I don't agree with Gentoo changing this situation; it is a very different situation from other languages, where they intend to use any library from the host system. So, please, drop this bug already since there is no benefit or point. This is pretty much something up to the Squeak community; I don't intend to re-write or fork Squeak or duplicate work here.
Comment 10 Mark Loeser (RETIRED) 2008-12-29 02:58:01 UTC
This has nothing to do with the plugins. This has to do with squeak repackaging libraries that it should not be. Please stop closing this as invalid since it's completely valid. Any package that we install should be using the system versions of the libraries, like libjpeg, libpcre, etc. Thanks
Comment 11 Luis Araujo (RETIRED) 2008-12-29 03:15:51 UTC
(In reply to comment #10)
> This has nothing to do with the plugins. This has to do with squeak
> repackaging libraries that it should not be.

Then complain with squeak. Stop re-opening this bug please. Thanks,
Comment 12 Mark Loeser (RETIRED) 2008-12-29 03:20:13 UTC
If we have to complain upstream, we will do so, but keep this open because the problem is NOT resolved. Thanks
Comment 13 Luis Araujo (RETIRED) 2008-12-29 03:32:23 UTC
I will keep this open if you want... but I thought upstream bugs were supposed to be filed with upstream and not here.
Comment 14 Robin Johnson 2008-12-30 07:22:56 UTC
Just wanted to help araujo in following up on this. He's going to open upstream bugs for the issues, and glancing at it myself, for jpeg+libgsm+pcre there don't look to be actual changes to the codebase, just the squeak authors making a complete mess of including the libraries nicely.

jpeg has two sets of new non-binding functions in new files, and aside from the jconfig.h and the binding files, the rest of the source is unmodified.
libgsm looks unmodified, but ALL of libgsm is in a single file: sqSoundCodecPluginBasicPrims.c with binding stuff on the end.
pcre - minor changes for binding only
libmpeg3 - heavy changes, doesn't match up against the main libmpeg3 upstream.

We also suspect that the squeak devs will probably ignore the report and never fix it to use external libraries, as they apparently mainly want users to use their binaries. After araujo has opened the upstream bugs, I'd like to strongly suggest this bug is just marked as RESO/UPSTREAM - the amount of fixing work to really solve it is decidedly non-trivial. There's not much we can do as Gentoo without getting our hands really dirty.
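The QA check behind this thread is finding embedded copies of a library in an unpacked source tree and reading off their version so it can be compared with the advisories. The following is an added example, not code from the bug or from Squeak: it keys on the version macros the libraries' own public headers define (JPEG_LIB_VERSION in jpeglib.h, PCRE_MAJOR/PCRE_MINOR in pcre.h) rather than on file names, and runs against a constructed sample tree whose directory names mirror the plugin paths quoted in the report.

```python
import re
import tempfile
from pathlib import Path

# Version macros from each library's own public header: jpeglib.h defines
# JPEG_LIB_VERSION (62 is IJG 6b), pcre.h defines PCRE_MAJOR and PCRE_MINOR.
SIGNATURES = {
    "jpeg": (re.compile(r"#define\s+JPEG_LIB_VERSION\s+(\d+)"),),
    "pcre": (re.compile(r"#define\s+PCRE_MAJOR\s+(\d+)"),
             re.compile(r"#define\s+PCRE_MINOR\s+(\d+)")),
}

def detect(text):
    """Return (library, version) if text carries a known library's version macros."""
    for lib, patterns in SIGNATURES.items():
        hits = [pat.search(text) for pat in patterns]
        if all(hits):
            return lib, ".".join(m.group(1) for m in hits)
    return None

def scan_tree(root):
    """Walk an unpacked source tree; return {library: [(relative path, version)]}."""
    found = {}
    for path in Path(root).rglob("*"):
        if path.suffix not in (".h", ".c") or not path.is_file():
            continue
        hit = detect(path.read_text(encoding="utf-8", errors="replace"))
        if hit:
            found.setdefault(hit[0], []).append((path.relative_to(root).as_posix(), hit[1]))
    return {lib: sorted(v) for lib, v in found.items()}

def build_sample_tree():
    """Constructed stand-in for an unpacked tarball (paths from the bug, contents made up)."""
    root = Path(tempfile.mkdtemp(prefix="bundled-"))
    samples = {
        "platforms/Cross/plugins/JPEGReadWriter2Plugin/jpeglib.h":
            "/* constructed */\n#define JPEG_LIB_VERSION  62\n",
        "platforms/Cross/plugins/RePlugin/pcre.h":
            "/* constructed */\n#define PCRE_MAJOR 7\n#define PCRE_MINOR 0\n",
        "platforms/Cross/plugins/Mpeg3Plugin/libmpeg/mpeg3.c":
            "/* constructed: no recognised version macro, so not reported */\n",
    }
    for rel, body in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    for lib, hits in scan_tree(build_sample_tree()).items():
        print(lib, hits)  # versions to compare against the GLSAs cited in this bug
```

Point scan_tree at a real unpacked tarball instead of build_sample_tree() to get the same report for it; libraries without a version macro (libmpeg3 here) still need a manual diff against upstream.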
Comment 15 Samuli Suominen (RETIRED) 2010-03-03 08:18:07 UTC
@security: bundled jpeg is vuln. to GLSA 200606-11, do you want this hardmasked?
Comment 16 Samuli Suominen (RETIRED) 2010-03-03 08:23:52 UTC
(In reply to comment #15)
> @security: bundled jpeg is vuln. to GLSA 200606-11, do you want this
> hardmasked?

pcre is vuln. to GLSA 200807-03 (verified the vuln. code is present in pcre.c)
Comment 17 Samuli Suominen (RETIRED) 2010-03-03 08:48:49 UTC
# Samuli Suominen <email@example.com> (03 Mar 2010)
# Masked for QA, security
#
# Internal copies of vuln. libraries
# GLSA 200606-11, GLSA 200807-03 and likely more
#
# http://bugs.gentoo.org/show_bug.cgi?id=247363
#
# Removed in 60 days
dev-lang/squeak
Comment 18 Emmanuel Rosa 2010-03-06 19:16:22 UTC
Is Squeak VM being removed from Gentoo in 60 days or is it the hardmask that is being removed?
Comment 19 Samuli Suominen (RETIRED) 2010-04-06 17:37:19 UTC
And removed from tree.