Bug 173993

Summary: inkscape: update to 0.43 (fixes arbitrary code execution)
Product: [Fedora] Fedora Reporter: Ville Skyttä <scop>
Component: inkscapeAssignee: Denis Leroy <denis>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: extras-qa, hdegoede, jeff, mattdm
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-01-16 23:10:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ville Skyttä 2005-11-23 14:56:25 UTC 
0.43 is out, IIUC fixing an arbitrary code execution vulnerability. 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330894
Comment 1 Ville Skyttä 2005-12-15 19:29:14 UTC 
The FC-4 build will be out in a jiffy, but devel still needs updating.
Comment 2 Denis Leroy 2005-12-15 20:13:51 UTC 
I'm working on it. It needs patches for g++ 4.1.0.
Comment 3 Hans de Goede 2006-01-05 11:15:43 UTC 
Denis need help? (Dangerous offer I'm fluent in C, but the ++ part is not my
speciality)
Comment 4 Denis Leroy 2006-01-05 11:30:40 UTC 
Surem i could use some QA, cos i won't have access to my rawhide vmware until
i'm back to the US on the 15th. It's fixed in CVS, so it just needs to be
tested, tagged and built.
Comment 5 Matthew Miller 2006-01-05 15:56:38 UTC 
I'm not sure it's yet time to enable the Loudmouth/Inkboard stuff -- from the
release notes, "Inkboard has known bugs, and may present security issues." Could
it at least be made an easy-to-disable build flag at the top of the spec file?
(Or, moved to a subpackage, if that's possible.)
Comment 6 Denis Leroy 2006-01-05 16:39:35 UTC 
An excellent point, and after all this is Rawhide, so the point of this release
is also to determine whether that feature is ready or not. To tell you the
truth, i was unable to use it at all, all my attemps resulted in crashes, though
they seem to come from the loudmouth code rather than from the inkscape code.
The SUSE devel guys do enable it.
Comment 7 Hans de Goede 2006-01-05 19:47:04 UTC 
A local compile works fine on my fully up2date rawhide x86_64. It runs fine too,
this the first time I've used inkscape and I must say its a nice tool. I've
tested all the drawing tools, but thats about as far as I can do QA for you my
main reason the offer help was because I'm trying to get any security bugs
closed, not because I'm an inkscape user. (although I may become one in the future).

I've also done a small patch to the spec to silence a bunch of warnings, leaving
the more usefull ones, which otherwise got drowned out. Someone should take a
look at most of them, especially those about ignoring system call ret values.

Here is the patch:
diff -u -r1.24 inkscape.spec
--- inkscape.spec       18 Dec 2005 03:00:15 -0000      1.24
+++ inkscape.spec       5 Jan 2006 19:47:25 -0000
@@ -59,6 +59,8 @@
 
 
 %build
+export CFLAGS="$RPM_OPT_FLAGS -Wno-unused-parameter"
+export CXXFLAGS="$RPM_OPT_FLAGS -Wno-unused-parameter"
 %configure             \
 --enable-static=no     \
 --with-python          \
Comment 8 Denis Leroy 2006-01-16 23:10:20 UTC 
Done. i'll file a seperate bug for the whiteboard issues.