Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 79704 - media-libs/libextractor-0.4.1 fixes a security issue (inherited from xpdf)
Summary: media-libs/libextractor-0.4.1 fixes a security issue (inherited from xpdf)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on: 79543
  Show dependency tree
Reported: 2005-01-27 05:25 UTC by Carsten Lohrke (RETIRED)
Modified: 2005-06-09 10:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Workaround for ole2 linking problem (libextractor-disable-ole2.patch,330 bytes, patch)
2005-03-01 17:05 UTC, Glenn L. McGrath
no flags Details | Diff
libextractor-0.5.0 emerge log (3317-libextractor-0.5.0.log,118.00 KB, text/plain)
2005-05-30 01:44 UTC, Martin von Gagern
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Carsten Lohrke (RETIRED) gentoo-dev 2005-01-27 05:25:07 UTC 

Seems like it's time to have a "xpf issue" list.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 05:48:08 UTC
net-p2p, please bump.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-02-04 08:39:13 UTC
net-p2p: We may need to mask this (and gnunet) if it isn't patched soon.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-13 05:46:18 UTC
No reaction from net-p2p.

Please mask this package.
Comment 4 solar (RETIRED) gentoo-dev 2005-02-13 06:25:04 UTC
package.masked media-libs/libextractor by request of the security team.
Comment 5 solar (RETIRED) gentoo-dev 2005-02-13 07:27:44 UTC
Does gnunet need to be masked also?
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-13 07:35:15 UTC
FYI tried bumping to 0.4.1 with the following changes:


But it does not compile.
Comment 7 Maurice van der Pot (RETIRED) gentoo-dev 2005-02-13 08:39:05 UTC
Here is some extra info for whoever wants to solve this.

It fails because it tries to link against a static gobject-2.0, which we don't 
have on our systems.

libextractor-0.4.1/src/plugins/ole2/ specifies:

# Ok, linking this one is complicated, see Mantis #787.
libextractor_ole2_la_LDFLAGS = \
  -Wl,-Bstatic -Wl,-lgobject-2.0 -Wl,-lglib-2.0 -Wl,-Bdynamic \
  -Wl,-Bsymbolic -avoid-version -module

The issue the author refers to can be found here:

As a test I changed the makefile to build without -Bstatic and it succeeded.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-02-13 09:51:23 UTC
gnunet requires libextractor (and is the only package that does) so it's broken for the time being, I would say mask it too.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-02-16 11:38:28 UTC
Temporary solution found --> enhancement status
Comment 10 Aaron Walker (RETIRED) gentoo-dev 2005-02-24 07:34:20 UTC
libextractor 0.4.2 is out.
Comment 11 Jon Hood (RETIRED) gentoo-dev 2005-02-27 21:01:08 UTC
I'm sorry, some things came up and I was out-of-service. I appologize, I should have coordinated better.
Anyways, 0.4.2 is now in portage. Test away :)
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 00:40:47 UTC
x86, sparc: please test and mark libextractor-0.4.2 stable. I suppose you can test it using gnunet...

Comment 13 Olivier Crete (RETIRED) gentoo-dev 2005-02-28 12:44:14 UTC
for some reason, libextractor tries to build with "-Wl,-Bstatic -Wl,-lgobject-2.0 -Wl,-lglib-2.0" .. but on x86 at least we dont have a static libgobject.. so it fails. 
Comment 14 Olivier Crete (RETIRED) gentoo-dev 2005-02-28 13:29:01 UTC
alright its the same problem as comment 7... but its not fixed for x86... Can't mark stable.. should probably go back to ebuild status... 
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 13:33:17 UTC
squinky86: could you please look into that ?
Comment 16 Glenn L. McGrath 2005-03-01 17:05:52 UTC
Created attachment 52426 [details, diff]
Workaround for ole2 linking problem

Disabling glib support disbables the ole2 plugin which avoids the linking

tested on amd64
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-03 10:43:10 UTC
The Changelog also mentions:

Sun Feb 20 16:36:17 EST 2005
	Fixed similar problem in REAL extractor.  Added support
	for new Helix/Real format to REAL extractor.

Sun Feb 20 12:48:15 EST 2005
	Fixed (rare) integer overflow bug in PNG extractor.
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-03 13:44:57 UTC
Sorry for the confusion, back to ebuild status. Squinky please provide a fixed ebuild.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-03-15 07:43:02 UTC
Package remains masked until maintainer comes back to fix it.
Comment 20 Olivier Crete (RETIRED) gentoo-dev 2005-04-12 16:33:58 UTC
removed x86.. get us back if this is ever fixed.... 
Comment 21 Karol Wojtaszek (RETIRED) gentoo-dev 2005-05-29 12:54:58 UTC
Bumped libextractor to 0.5.0. I added patch which fixes above problems.
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2005-05-29 13:03:44 UTC
x86, sparc: please test and mark libextractor-0.5.0 stable before we unmask it.
Comment 23 Olivier Crete (RETIRED) gentoo-dev 2005-05-29 19:00:29 UTC
0.5.0 fails on x86 with FEATURES=test :
make[4]: Entering directory
'libextractor_ole2' plugin failed: cannot open shared
object file: No such file or directory
Loading 'libextractor_ogg' plugin failed: cannot open
shared object file: No such file or directory
Loading 'libextractor_qt' plugin failed: cannot open shared
object file: No such file or directory
Loading 'libextractor_html' plugin failed: cannot open
shared object file: No such file or directory
Loading 'libextractor_man' plugin failed: cannot open
shared object file: No such file or directory
Loading 'libextractor_oo' plugin failed: cannot open shared
object file: No such file or directory
Loading 'libextractor_asf' plugin failed: cannot open
shared object file: No such file or directory
Failed to load default plugins!
FAIL: multiload
3 of 4 tests failed

and without the tests if fails in src_install with the following error.. for
some reason it puts the name of the install script instead of a lib path..

creating build/lib.linux-i686-2.3
i686-pc-linux-gnu-gcc -pthread -shared -fno-strict-aliasing -march=pentium4 -O2
-pipe build/temp.linux-i686-2.3/libextractor_python.o -lextractor -o build/lib.linux-i686-2.3/
cannot find -lextractor
collect2: ld returned 1 exit status
error: command 'i686-pc-linux-gnu-gcc' failed with exit status 1
make[4]: *** [install-exec-local] Error 1
make[4]: Leaving directory

So it should stay un p.mask at least until this is fixed.. 
Comment 24 Martin von Gagern 2005-05-30 01:44:56 UTC
Created attachment 60172 [details]
libextractor-0.5.0 emerge log

Install phase failed.
It tried to do a lot of work for a simple install, in my opinion.
Comment 25 Karol Wojtaszek (RETIRED) gentoo-dev 2005-05-30 13:56:10 UTC
Just commited new patch which fixes linking problems.
Comment 26 Olivier Crete (RETIRED) gentoo-dev 2005-05-30 14:37:18 UTC
the tests are still broken, but it seems to install ok...
Comment 27 Martin von Gagern 2005-05-31 00:39:54 UTC
Install OK for me, too.
Comment 28 Karol Wojtaszek (RETIRED) gentoo-dev 2005-05-31 12:23:45 UTC
Do we really need to fix problems with test? i don't know why it crashes.
Comment 29 Olivier Crete (RETIRED) gentoo-dev 2005-05-31 12:59:00 UTC
just add an empty src_test() {}  and I'll x86 it tonight
Comment 30 Olivier Crete (RETIRED) gentoo-dev 2005-05-31 16:45:17 UTC
I disabled the tests and marked it stable on x86.. 
Comment 31 Thierry Carrez (RETIRED) gentoo-dev 2005-06-03 08:19:22 UTC
gustavoz said sparc doesn't need it stable, as it's not needed by any stable
package anyway.

so we just need to unmask libextractor and gnunet, and maybe remove the affected
versions of libextractor. sekretarz: can you do it ?
Comment 32 Gustavo Zacarias (RETIRED) gentoo-dev 2005-06-03 08:21:37 UTC
Yup, fine with sparc since only gnunet depends on it and there's no single
version stable for us.
Comment 33 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 01:32:35 UTC
gnunet and libextractor have been unmasked. libextractor is ready for GLSA.
Comment 34 Thierry Carrez (RETIRED) gentoo-dev 2005-06-09 10:51:10 UTC
GLSA 200506-06