Bug#864082: Improved patch

Johannes Schauer Marin Rodrigues josch at debian.org
Fri Jan 28 19:22:05 GMT 2022 

Hi Roland,

Quoting Roland Clobus (2022-01-28 18:22:17)
> Sorry about the noise,

as far as I'm concerned, you made no noise but you made a very valuable
contribution instead. Thank you! :)

> Thanks for releasing a new version of fontconfig with the patch for the 
> reproducible cache files 
> (0001-Ensure-cache-checksums-are-determinstic.patch).
> 
> Unfortunately, I see side-effects of the applied patch (as shown in the 
> live-build images [1])
> 
> * Potential out-ouf-bounds-read issue: The function uuid_generate_sha1 
> is called with an incorrect second argument.
> 
>     The second argument must be guaranteed to be of length 16 (or 
> longer), which is the size of a uuid.
>     E.g. /root/.fonts is only 12 bytes, which means that some random 
> bytes at the end of the string will be used for the sha1 sum.
> 
>     The updated patch uses the null namespace as the basis for the sha1 sum.
> 
>    ... or should I have use one of the predefine namespaces instead?
> 
> * The patch adds new compiler warnings. I've added some casts to remove 
> compiler warnings
> 
> * There is a second scenario: initramfs with fonts:
>     plymouth-set-default-theme tribar --rebuild-initrd
>       or
>     update-initramfs -k all -u
> 
>     The value for 'target' is contains a random part:
>     /var/tmp/mkinitramfs_ijJP8d//usr/share/fonts
> 
>     This path is created by the plymouth hook in initramfs which uses 
> 'fc-cache -s -y TEMPDIR'
> 
>     The fonts in the ramdisk can be listed with:
>     zless /initrd.img | cpio --list --quiet | grep fontconfig | grep cache-7
> 
>     For regular invocations of fc-cache, the '-y' argument is not used 
> and then 'target' and 'dir' are identical. The attached patch uses 'dir' 
> instead of 'target' and then the cache of the embedded fonts in the 
> ramdisk is reproducible as well.
> 
> Attached you'll find the patch that fixes all three issues mentioned above.

You completely rewrote the patch. I think it makes sense to replace Chris'
authorship with yours.

Chris, do you agree?

Would you be willing to submit an updated patch containing the name and email
of your choice and a commit message that explains your change? What you wrote
above is a good explanation I think.

Thanks!

cheers, josch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-freedesktop-maintainers/attachments/20220128/d8241fec/attachment.sig>

More information about the Pkg-freedesktop-maintainers mailing list