Page MenuHomePhabricator

can we get rid of rsvg security patch?
Closed, ResolvedPublic

Description

Older rsvg versions needed a security patch, we now have newer rsvg packages, check if

# Hack for rsvg broken by security patch
$wgSVGConverters['rsvg-broken'] = '$path/rsvg-convert -w $width -h $height -o $output < $input';
if ( defined( 'HHVM_VERSION' ) ) {
    # Newer librsvg supports a sane security model by default and doesn't need our security patch
    $wgSVGConverters['rsvg-secure'] = '$path/rsvg-convert -w $width -h $height -o $output $input';
} else {
    # This converter will only work when rsvg has a suitable security patch
    $wgSVGConverters['rsvg-secure'] = '$path/rsvg-convert --no-external-files -w $width -h $height -o $output $input';
}

Hack is still needed.

Related Objects

StatusSubtypeAssignedTask
ResolvedJoe
ResolvedNone
ResolvedJoe
ResolvedJoe
ResolvedJoe
Resolvedtstarling
ResolvedJoe
Resolvedkaldari
Resolvedjcrespo
ResolvedVolans
ResolvedPRODUCTION ERRORaaron
InvalidNone
DeclinedArielGlenn
ResolvedArielGlenn
Resolvedori
DeclinedNone
ResolvedMoritzMuehlenhoff
ResolvedJoe
ResolvedJoe
ResolvedJoe
ResolvedAndrew
ResolvedJoe
Duplicatefgiunchedi
Resolved brooke
Resolved brooke
Resolvedbd808
ResolvedJoe
Resolvedfgiunchedi
ResolvedPRODUCTION ERROREBernhardson
ResolvedKrenair
ResolvedNone
Resolvedhashar
Resolvedtstarling
Resolvedtstarling
ResolvedMoritzMuehlenhoff
ResolvedKrenair
Resolved AlexMonk-WMF
Resolvedfgiunchedi
Resolved AlexMonk-WMF
ResolvedKrenair
Resolvedfgiunchedi
ResolvedKrenair
DeclinedNone
Resolved mobrovac
ResolvedKrinkle
ResolvedKartikMistry
ResolvedKartikMistry
Resolvedbd808
InvalidNone
DeclinedNone
Resolveddduvall
Resolveddduvall

Event Timeline

Matanya raised the priority of this task from to Needs Triage.
Matanya updated the task description. (Show Details)
Matanya subscribed.

we are running 2.36.1 on precise, 2.40.2 on trusty

dpatrick triaged this task as Medium priority.
dpatrick edited projects, added Security-Team; removed acl*security.

I imagine it's still needed on tin, terbium, tmh100[12], and snapshot100[1-4]

Krenair subscribed.

But really I don't know enough about librsvg to determine this

Specifically, we run rsvg-convert version "2.36.1 (Wikimedia)" on precise (according to rsvg-convert --version). Are you asking whether we still need to do this? Since someone had to manually take 2.36.1 and add the patch to it, I'd assume so?

Presumably when all mw servers are running trusty we can remove the hack above

Newer librsvg supports a sane security model by default

Does anyone know which version number resembles "newer" or has some upstream bug ID reference? Sigh...
For those who want to investigate:

Newer librsvg supports a sane security model by default

Does anyone know which version number resembles "newer" or has some upstream bug ID reference?

My understanding from the version numbers involved is that 2.40.2 is the newer version, 2.36.1 is the older version.

Some historical info on T40010 and T80392

# Newer librsvg supports a sane security model by default and doesn't need our security patch

Still unclear which "newer" version is refered to and no references provided.
https://bugzilla.gnome.org/show_bug.cgi?id=686346 might be related.

# Newer librsvg supports a sane security model by default and doesn't need our security patch

Still unclear which "newer" version is refered to and no references provided.
https://bugzilla.gnome.org/show_bug.cgi?id=686346 might be related.

I think, when we've upgraded all MW running servers to 14.04 we should be good...

Yes, the correct version of this patch is already included in our trusty packages.

So... That just means tin and silver to be upgraded and then we're done... I think

@Joe, when you say 'the corect version of this patch' do you mean this? https://gerrit.wikimedia.org/r/#/c/28496/ Or is there a different patch someplace else?

Wait, I'm dumb, it took me a while to figure out what @Joe meant by 'simple backport.'

So... That just means tin and silver to be upgraded and then we're done... I think

I thought silver already had the patch?

Joe claimed this task.