
can we get rid of rsvg security patch?
Closed, ResolvedPublic

Description

Older rsvg versions needed a security patch; we now have newer rsvg packages. Check if

# Hack for rsvg broken by security patch
$wgSVGConverters['rsvg-broken'] = '$path/rsvg-convert -w $width -h $height -o $output < $input';
if ( defined( 'HHVM_VERSION' ) ) {
    # Newer librsvg supports a sane security model by default and doesn't need our security patch
    $wgSVGConverters['rsvg-secure'] = '$path/rsvg-convert -w $width -h $height -o $output $input';
} else {
    # This converter will only work when rsvg has a suitable security patch
    $wgSVGConverters['rsvg-secure'] = '$path/rsvg-convert --no-external-files -w $width -h $height -o $output $input';
}

Hack is still needed.
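Whichever converter line above is active, the property it is meant to enforce is the same: the SVG being rasterised must not pull in files from outside itself (the patched rsvg-convert via --no-external-files, the newer librsvg via its default loading policy). An added example, not code from this task, from MediaWiki or from librsvg, is a small pre-flight scan that reports external references (href / xlink:href attributes and CSS @import rules) in an SVG before it is handed to rsvg-convert. The two SVG inputs are constructed for the example; the element and attribute names are standard SVG 1.1 / SVG 2, nothing else is assumed.

```python
"""Added example (not code from this task, MediaWiki or librsvg): a pre-flight
scan of an SVG for references to resources outside the document, i.e. the class
of input the rsvg security patch / --no-external-files flag is meant to block.

References are collected from href / xlink:href attributes on any element
(<image>, <use>, <feImage>, <a>, ...) and from CSS @import rules inside
<style>. Fragment-only references (#id) and data: URIs stay inside the
document and are allowed; everything else is reported.
"""
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Matches "@import url(x)", "@import url('x')", "@import 'x'" and "@import x".
IMPORT_RE = re.compile(r"@import\s+(?:url\()?['\"]?([^'\")\s;]+)", re.IGNORECASE)


def is_local_ref(ref):
    """True for references that cannot reach outside the document."""
    ref = ref.strip()
    return ref.startswith("#") or ref.lower().startswith("data:")


def external_refs(svg_text):
    """Return every external reference found in svg_text, in document order."""
    root = ET.fromstring(svg_text)
    found = []
    for el in root.iter():
        for attr in (XLINK_HREF, "href"):  # SVG 1.1 xlink:href and SVG 2 href
            value = el.get(attr)
            if value is not None and not is_local_ref(value):
                found.append(value.strip())
        local_name = el.tag.rsplit("}", 1)[-1]  # drop the namespace part
        if local_name == "style" and el.text:
            for match in IMPORT_RE.finditer(el.text):
                if not is_local_ref(match.group(1)):
                    found.append(match.group(1))
    return found


def is_safe_to_convert(svg_text):
    """Gate to run before handing the file to rsvg-convert."""
    return not external_refs(svg_text)


# Constructed sample inputs for this example, not files from any real wiki.
SAFE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">'
    '<defs><circle id="dot" r="4"/></defs>'
    '<use xlink:href="#dot"/>'
    '<image href="data:image/png;base64,iVBORw0KGgo=" width="1" height="1"/>'
    '</svg>'
)

UNSAFE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">'
    '<image xlink:href="file:///etc/passwd" width="10" height="10"/>'
    '<use href="other.svg#dot"/>'
    '<style>@import url("http://example.invalid/a.css");</style>'
    '</svg>'
)

if __name__ == "__main__":
    for name, svg in (("safe", SAFE_SVG), ("unsafe", UNSAFE_SVG)):
        print(name, "->", "ok" if is_safe_to_convert(svg) else external_refs(svg))
```

This is a second line of defence, not a replacement for the converter-side restriction: the scan only looks at href attributes and @import rules, so anything expressed another way (XML external entities in a DOCTYPE, for instance, which this scan does not examine at all) still has to be refused by rsvg-convert itself, which is why the choice between the 'rsvg-broken' and 'rsvg-secure' definitions above matters.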


Event Timeline

Matanya created this task.Jun 28 2015, 10:06 PM
Matanya raised the priority of this task from to Needs Triage.
Matanya updated the task description. (Show Details)
Matanya added a subscriber: Matanya.
Restricted Application added a subscriber: Aklapper.Jun 28 2015, 10:06 PM
Reedy set Security to None.Jun 29 2015, 3:17 AM
Reedy added subscribers: csteipp, tstarling.

we are running 2.36.1 on precise, 2.40.2 on trusty

dpatrick triaged this task as Normal priority.
dpatrick edited projects, added Security-Team; removed Security.

I imagine it's still needed on tin, terbium, tmh100[12], and snapshot100[1-4]

Krenair removed Krenair as the assignee of this task.Aug 12 2015, 8:58 PM
Krenair added a subscriber: Krenair.

But really I don't know enough about librsvg to determine this

Specifically, we run rsvg-convert version "2.36.1 (Wikimedia)" on precise (according to rsvg-convert --version). Are you asking whether we still need to do this? Since someone had to manually take 2.36.1 and add the patch to it, I'd assume so?

Reedy added a subscriber: Reedy.Aug 12 2015, 9:15 PM

Presumably when all mw servers are running trusty we can remove the hack above

Ricordisamoa updated the task description. (Show Details)Aug 12 2015, 9:35 PM

Newer librsvg supports a sane security model by default

Does anyone know which version number resembles "newer" or has some upstream bug ID reference? Sigh...
For those who want to investigate:

Newer librsvg supports a sane security model by default

Does anyone know which version number resembles "newer" or has some upstream bug ID reference?

My understanding from the version numbers involved is that 2.40.2 is the newer version, 2.36.1 is the older version.

Some historical info on T40010 and T80392

# Newer librsvg supports a sane security model by default and doesn't need our security patch

Still unclear which "newer" version is referred to and no references provided.
https://bugzilla.gnome.org/show_bug.cgi?id=686346 might be related.

Reedy added a comment.Nov 14 2015, 7:09 PM

# Newer librsvg supports a sane security model by default and doesn't need our security patch

Still unclear which "newer" version is referred to and no references provided.
https://bugzilla.gnome.org/show_bug.cgi?id=686346 might be related.

I think, when we've upgraded all MW running servers to 14.04 we should be good...

Joe added a subscriber: Joe.Nov 18 2015, 5:07 PM

Yes, the correct version of this patch is already included in our trusty packages.

Reedy added a comment.Nov 18 2015, 5:27 PM

So... That just means tin and silver to be upgraded and then we're done... I think

Andrew added a subscriber: Andrew.Nov 18 2015, 7:09 PM

@Joe, when you say 'the correct version of this patch' do you mean this? https://gerrit.wikimedia.org/r/#/c/28496/ Or is there a different patch someplace else?

Wait, I'm dumb, it took me a while to figure out what @Joe meant by 'simple backport.'

So... That just means tin and silver to be upgraded and then we're done... I think

I thought silver already had the patch?

Joe closed this task as Resolved.Feb 2 2016, 9:37 AM
Joe claimed this task.
sbassett moved this task from Backlog to Done on the Security-Team board.Jun 11 2019, 7:17 PM