
Re: Bzip2 download and CVE-2019-12900 fix?



On Wed, 2019-06-26 at 11:15 -0400, Jeffrey Walton wrote:
> There's a lot to the msg00014.html list message. I run with a patched
> version of Bzip2. Makefile and Makefile-libbz2_so need some polishing
> to get them to respect CFLAGS and LDFLAGS. Otherwise they ignore our
> flags.
> 
> Also, the recipe for libbz2.so.1.0.6 breaks on non-Linux systems
> because -Wl,-soname is a GNU ld thing.
> 
> You can get an idea of the Makefile changes by comparing with
> https://github.com/noloader/bzip2-noloader. Also see
> https://www.gnu.org/prep/standards/html_node/Command-Variables.html

Thanks. And yes, the current Makefiles are horrible. I am certainly not
arguing for not updating the build system to something more sane :)

It is just that if we are going to do a quick 1.0.7 release for the
latest CVE I think it should not mess up anything else, but just
contain those bug/security fixes (and remove all traces from the old
lost domain so people know it has been migrated to sourceware.org).
People have been using these horrible Makefiles either as is or have
known workarounds for them.

But yes, please let's also do a revamped 1.1.x release that makes some
tough decisions about what build system to adopt, possibly mess with
the SONAME, etc.

Cheers,

Mark