Bug#864082: Improved patch

Roland Clobus rclobus at rclobus.nl
Fri Jan 28 17:22:17 GMT 2022


Sorry about the noise,

The long mail was sent only to control at ... and therefore invisible.

With kind regards,
Roland Clobus


-------- Forwarded Message --------
Subject: Improved patch
Date: Fri, 28 Jan 2022 18:08:28 +0100
From: Roland Clobus <rclobus at rclobus.nl>
To: control at bugs.debian.org

reopen 864082 =
thanks

Hello maintainers,

Thanks for releasing a new version of fontconfig with the patch for the 
reproducible cache files 
(0001-Ensure-cache-checksums-are-determinstic.patch).

Unfortunately, I see side-effects of the applied patch (as shown in the 
live-build images [1])

* Potential out-of-bounds-read issue: The function uuid_generate_sha1 
is called with an incorrect second argument.

    The second argument must be guaranteed to be of length 16 (or 
longer), which is the size of a uuid.
    E.g. /root/.fonts is only 12 bytes, which means that some random 
bytes at the end of the string will be used for the sha1 sum.

    The updated patch uses the null namespace as the basis for the sha1 sum.

   ... or should I have used one of the predefined namespaces instead?

* The patch adds new compiler warnings. I've added some casts to remove 
compiler warnings

* There is a second scenario: initramfs with fonts:
    plymouth-set-default-theme tribar --rebuild-initrd
      or
    update-initramfs -k all -u

    The value for 'target' contains a random part:
    /var/tmp/mkinitramfs_ijJP8d//usr/share/fonts

    This path is created by the plymouth hook in initramfs which uses 
'fc-cache -s -y TEMPDIR'

    The fonts in the ramdisk can be listed with:
    zless /initrd.img | cpio --list --quiet | grep fontconfig | grep cache-7

    For regular invocations of fc-cache, the '-y' argument is not used 
and then 'target' and 'dir' are identical. The attached patch uses 'dir' 
instead of 'target' and then the cache of the embedded fonts in the 
ramdisk is reproducible as well.

Attached you'll find the patch that fixes all three issues mentioned above.

With kind regards,
Roland Clobus

[1] https://jenkins.debian.net/view/live/
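As an added illustration (not part of the report and not fontconfig's or libuuid's code), the following Python models the two determinism problems described above. libuuid's uuid_generate_sha1() takes a uuid_t namespace, i.e. exactly 16 bytes, so a 12-byte string such as /root/.fonts passed in its place makes the callee read four bytes beyond the string; the model uses Python's uuid.uuid5 (the same SHA-1 name-UUID construction) and represents those trailing bytes explicitly. Treating the cache name as "the name UUID of the directory path" is a deliberate simplification here, as are the constructed trailing bytes and temporary-directory names; they are not taken from fontconfig.

```python
import uuid

# The "null namespace" the report proposes as the fixed basis: 16 zero bytes.
NULL_NAMESPACE = bytes(16)


def name_uuid_sha1(namespace: bytes, name: str) -> uuid.UUID:
    """Version-5 (SHA-1 based) name UUID, with the size contract of
    libuuid's uuid_generate_sha1() made explicit: the namespace is a
    uuid_t, i.e. exactly 16 bytes, and nothing shorter is accepted."""
    if len(namespace) != 16:
        raise ValueError(f"namespace must be exactly 16 bytes, got {len(namespace)}")
    return uuid.uuid5(uuid.UUID(bytes=namespace), name)


def bytes_read_as_namespace(c_string: bytes, trailing: bytes) -> bytes:
    """Model of the defect: a NUL-terminated C string shorter than 16 bytes
    is handed over as the namespace and the callee reads 16 bytes anyway.
    'trailing' stands for whatever happens to follow the string in memory
    (constructed here; in the real process it is unpredictable)."""
    memory = c_string + b"\0" + trailing
    if len(memory) < 16:
        raise ValueError("model needs at least 16 bytes of memory from the string start")
    return memory[:16]


def buggy_cache_uuid(path: str, trailing: bytes) -> uuid.UUID:
    """Name UUID as computed when the path string itself is (mis)used as the
    namespace argument. For a path shorter than 16 bytes the result depends
    on 'trailing', which is why the cache name was not reproducible."""
    ns = bytes_read_as_namespace(path.encode(), trailing)
    return name_uuid_sha1(ns, path)


def fixed_cache_uuid(path: str) -> uuid.UUID:
    """Name UUID with the null namespace as the fixed basis: depends only on the path."""
    return name_uuid_sha1(NULL_NAMESPACE, path)


def cache_uuid_for_target(dir_path: str, sysroot: str, use_dir: bool) -> uuid.UUID:
    """Second scenario from the report: with 'fc-cache -y SYSROOT', 'target' is
    SYSROOT + dir while 'dir' stays the installed path. Hashing 'target' pulls
    the random mkinitramfs_XXXXXX component into the cache name; hashing 'dir'
    does not. (Simplified model of the naming, not fontconfig's actual code.)"""
    target = sysroot + dir_path
    return fixed_cache_uuid(dir_path if use_dir else target)


def demo() -> dict:
    path = "/root/.fonts"                   # 12 bytes, as in the report
    garbage_a = b"\x41\x42\x43"            # constructed: 3 bytes of stray memory, run 1
    garbage_b = b"\x00\x00\x00"            # constructed: 3 different bytes, run 2
    fonts_dir = "/usr/share/fonts"
    tmp_a = "/var/tmp/mkinitramfs_ijJP8d"  # temporary dir name from the report
    tmp_b = "/var/tmp/mkinitramfs_Qz7x2A"  # constructed: a second random run
    return {
        "buggy_run1": buggy_cache_uuid(path, garbage_a),
        "buggy_run2": buggy_cache_uuid(path, garbage_b),
        "fixed_run1": fixed_cache_uuid(path),
        "fixed_run2": fixed_cache_uuid(path),
        "target_run1": cache_uuid_for_target(fonts_dir, tmp_a, use_dir=False),
        "target_run2": cache_uuid_for_target(fonts_dir, tmp_b, use_dir=False),
        "dir_run1": cache_uuid_for_target(fonts_dir, tmp_a, use_dir=True),
        "dir_run2": cache_uuid_for_target(fonts_dir, tmp_b, use_dir=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12s} {value}")
```

Running it shows the two "buggy" results differing from each other while the "fixed" pair is identical, and likewise the 'target'-based names changing with the temporary directory while the 'dir'-based names stay the same; the length check in name_uuid_sha1 is the guard that the C call site lacks.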
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-the-cache-filenames-determinstic.patch
Type: text/x-patch
Size: 1970 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-freedesktop-maintainers/attachments/20220128/ae8a9dac/attachment.bin>