Lector de Feeds

‎A way forward: C/C++ static binaries, generalized text

← Older revision Revision as of 23:02, 4 February 2025 Line 84: Line 84:  A script will be created to take care of the bulk of step 1 for the developer. It would scan the application source code to find out what dependencies are needed, then exclude any dependencies already supplied by packages in ''BuildRequires:'' leaving a list of outstanding ones. These would be downloaded using the language's normal package download mechanism and installed into a private temporary location. All these would then be archived into a compressed tarball along with an SBOM containing all the packaged dependency names and versions and stored in the ''SOURCES/'' directory under a standard name (maybe ''dependencies.tar.xz'').  This file would then be added to ''sha1.lst'' and uploaded to ''binrepo''. This could all be integrated into a ''mgarepo'' subcommand. ''TODO: who is responsible for ensuring that the licenses of all the dependencies are allowed, compatible and that the License: line in the .spec file matches?'' A script will be created to take care of the bulk of step 1 for the developer. It would scan the application source code to find out what dependencies are needed, then exclude any dependencies already supplied by packages in ''BuildRequires:'' leaving a list of outstanding ones. These would be downloaded using the language's normal package download mechanism and installed into a private temporary location. All these would then be archived into a compressed tarball along with an SBOM containing all the packaged dependency names and versions and stored in the ''SOURCES/'' directory under a standard name (maybe ''dependencies.tar.xz'').  This file would then be added to ''sha1.lst'' and uploaded to ''binrepo''. This could all be integrated into a ''mgarepo'' subcommand. ''TODO: who is responsible for ensuring that the licenses of all the dependencies are allowed, compatible and that the License: line in the .spec file matches?''    −The various RPM build macros would be updated to handle any dependencies stored in ''dependencies.tar.xz''. They would be extracted into a temporary location in ''BUILDROOT/'' and the compile command extended to look for missing dependencies in this location. For interpreted languages, the dependencies would instead be installed ''in the RPM'' in an appropriate location in ''/usr/share/'' (that doesn't conflict with other dependencies), and the application's launch command extended to find these dependencies (since they are private to that one application and won't be found in the normal search paths). ''TODO: how to handle locally patching these dependencies? patching before or after storing in dependencies.tar.xz''+For step 2., the various RPM build macros would be updated to handle any dependencies stored in ''dependencies.tar.xz''. They would be extracted into a temporary location in ''BUILDROOT/'' and the compile command extended to look for missing dependencies in this location.  +   +For interpreted languages (step 3), the dependencies would instead be installed ''in the RPM'' in an appropriate location in ''/usr/share/'' (that doesn't conflict with other dependencies), and the application's launch command extended to find these dependencies (since they are private to that one application and won't be found in the normal search paths). ''TODO: how to handle locally patching these dependencies? patching before or after storing in dependencies.tar.xz''  +   +=== C/C++ ===  +   +While C/C++ programs occasionally vendor in dependencies, a bigger problem is those packages that statically link to libc. The build nodes should scan for statically-linked binaries and highlight those in the SBOM alongside their dependencies to ensure the static binaries can be rebuilt to include the security fixes when those dependencies (mostly glibc) are patched. It's also possible for a binary to be partially statically linked and these cases should also be detected (likely with difficulty), either by detecting static libraries in the dependency lists, or by instrumenting the linker.     === Go === === Go === −  −The specifics listed in this section are for handling Go applications, but it can be generalized for other languages in the future. These should be able to be generalized to work for applications in other compiled languages as well. It is possible to develop infrastructure to support interpreted languages as well, but the benefits may not be as clear; any such applications that ship vendored modules ''would'' benefit, but it's unclear how many of those (if any) actually exist.      The ''go list -json'' command can be used to generate the list of dependencies needed by an application (step 1). The ''go list -json'' command can be used to generate the list of dependencies needed by an application (step 1). Danf

Publication date: 04 Feb 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-12425 , CVE-2024-12426 Description Path traversal leading to arbitrary .ttf file write. (CVE-2024-12425) URL fetching can be used to exfiltrate arbitrary INI file values and environment variables. (CVE-2024-12426) References

• https://bugs.mageia.org/show_bug.cgi?id=33941
• https://lists.debian.org/debian-security-announce/2025/msg00008.html
• https://www.libreoffice.org/about-us/security/advisories/cve-2024-12425/
• https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426/
• https://ubuntu.com/security/notices/USN-7228-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12425
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12426

SRPMS 9/core

• libreoffice-24.2.7.2-1.mga9

Publication date: 04 Feb 2025
Type: bugfix
Affected Mageia releases : 9
Description It corrects a bug which appeared in version 0.6.2 (in conversion of preferences commands). Adds support for DSF files to the library. Reinstates support for AAC files to the library (removed in 0.5.0). References

• https://bugs.mageia.org/show_bug.cgi?id=33977

SRPMS 9/core

• guayadeque-0.6.4-1.mga9

In Mageia/9/x86_64: Mesa is an OpenGL 4.6 compatible 3D graphics library.

In Mageia/9/aarch64: Mesa is an OpenGL 4.6 compatible 3D graphics library.

In Mageia/9/armv7hl: Mesa is an OpenGL 4.6 compatible 3D graphics library.

In Mageia/9/i586: Mesa is an OpenGL 4.6 compatible 3D graphics library.

In Mageia/cauldron/x86_64: Rachota is a portable application for timetracking different projects. It runs everywhere. It displays time data in diagram form, creates customized reports and invoices or analyses measured data and suggests hints to improve user's time usage. The totally portable yet personal timetracker.

In Mageia/cauldron/i586: Rachota is a portable application for timetracking different projects. It runs everywhere. It displays time data in diagram form, creates customized reports and invoices or analyses measured data and suggests hints to improve user's time usage. The totally portable yet personal timetracker.

In Mageia/cauldron/i586: A program to convert images from PPM format into the control language for the Alps Micro-Dry printers, at various times sold by Citizen, Alps and Okidata. This program drives the Alps Micro-Dry series of printers, including the Citizen Printiva series, Alps MD series, and Oki DP series (but not yet the DP-7000). In the current release, the program drives the standard mode fairly well; the dye sublimation mode very well; and the VPhoto mode reasonably well. It supports all the colours available up to the DP-5000, including the foil colours.

In Mageia/cauldron/x86_64: A program to convert images from PPM format into the control language for the Alps Micro-Dry printers, at various times sold by Citizen, Alps and Okidata. This program drives the Alps Micro-Dry series of printers, including the Citizen Printiva series, Alps MD series, and Oki DP series (but not yet the DP-7000). In the current release, the program drives the standard mode fairly well; the dye sublimation mode very well; and the VPhoto mode reasonably well. It supports all the colours available up to the DP-5000, including the foil colours.

In Mageia/cauldron/x86_64: This tool tries to recover JFIF (JPEG) pictures and MOV movies (using recovermov) from a peripheral. This may be useful if you mistakenly overwrite a partition or if a device such as a digital camera memory card is bogus.

In Mageia/cauldron/i586: This tool tries to recover JFIF (JPEG) pictures and MOV movies (using recovermov) from a peripheral. This may be useful if you mistakenly overwrite a partition or if a device such as a digital camera memory card is bogus.

In Mageia/cauldron/x86_64: Rdfind is a program that finds duplicate files. It is useful for compressing backup directories or just finding duplicate files. It compares files based on their content, NOT on their file names.

In Mageia/cauldron/i586: Rdfind is a program that finds duplicate files. It is useful for compressing backup directories or just finding duplicate files. It compares files based on their content, NOT on their file names.

In Mageia/cauldron/x86_64: Unifont is a Unicode font with a glyph for every visible Unicode Basic Multilingual Plane code point and more, with supporting utilities to modify the font. This package contains tools and glyph descriptions.

In Mageia/cauldron/i586: Unifont is a Unicode font with a glyph for every visible Unicode Basic Multilingual Plane code point and more, with supporting utilities to modify the font. This package contains tools and glyph descriptions.