can we get rid of rsvg security patch?
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Matanya
	Jun 28 2015, 10:06 PM

Description

Older rsvg versions needed a security patch, we now have newer rsvg packages, check if

# Hack for rsvg broken by security patch
$wgSVGConverters['rsvg-broken'] = '$path/rsvg-convert -w $width -h $height -o $output < $input';
if ( defined( 'HHVM_VERSION' ) ) {
    # Newer librsvg supports a sane security model by default and doesn't need our security patch
    $wgSVGConverters['rsvg-secure'] = '$path/rsvg-convert -w $width -h $height -o $output $input';
} else {
    # This converter will only work when rsvg has a suitable security patch
    $wgSVGConverters['rsvg-secure'] = '$path/rsvg-convert --no-external-files -w $width -h $height -o $output $input';
}

Hack is still needed.

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved		Joe	T104147 can we get rid of rsvg security patch?
Resolved		None	T86081 Complete the use of HHVM over Zend PHP on the Wikimedia cluster
Resolved		Joe	T86096 Switch HAT appservers to trusty's ICU (or newer)
Resolved		Joe	T78765 Convert jobrunners to HHVM
Resolved		Joe	T84842 Convert eqiad imagescalers to HHVM, Trusty
Resolved		tstarling	T91468 HHVM with FastCGI does not support streaming output
Resolved		Joe	T93194 Create an HHVM 3.6.0 package, adding Tim's streaming patch
Resolved		kaldari	T58041 updateCollation.php script prohibitively slow for very large wikis
Resolved		jcrespo	T130692 Add new indexes from eec016ece6d2b30addcdf3d3efcc2ba59b10e858 to production databases
Resolved		Volans	T128353 Switchover to new s3 master
Resolved	PRODUCTION ERROR	aaron	T126436 Spikes of mediawiki in read only for job runners after altering the s2 slaves topology
Invalid		None	T126632 Scap should restart job runners to pick up new config
Declined		ArielGlenn	T94277 Convert snapshot hosts to use HHVM and trusty
Resolved		ArielGlenn	T111586 Snapshot hosts need to be manually added to dataset1001's exports
Resolved		ori	T113932 HHVM does not recognize compress.bzip2 streams
Declined		None	T117534 DCAT-AP: XML produces invalid output with HHVM
Resolved		MoritzMuehlenhoff	T143648 Merge facebook/hhvm@9d2be6c30b into build of next hhvm release
Resolved		Joe	T87036 Convert work machines (tin, terbium) to Trusty and hhvm usage
Resolved		Joe	T116728 Reimage mw1152 as a terbium replacement
Resolved		Joe	T124024 Be able to switch programmatically between deployment servers in codfw and eqiad
Resolved		Andrew	T98813 Move wikitech (silver) to HHVM
Resolved		Joe	T104747 Convert tmh100[12] to HHVM and trusty
Duplicate		fgiunchedi	T107313 Backport ffmpeg 2.7.3 to Trusty
Resolved		• brion	T69953 ogv transcodes have broken audio tracks with ffmpeg2theora 0.29 (Trusty upstream)
Resolved		• brion	T103335 Investigate impact of switching from ffmpeg to libav (ffmpeg is not in Jessie)
Resolved		bd808	T110707 Upgrade Beta Cluster tmh* host(s) to HHVM and Trusty
Resolved		Joe	T113284 Frequent job timeouts on HHVM video scalers
Resolved		fgiunchedi	T146285 Switch mwscript from Zend PHP5 to default php alternative (e.g. HHVM or PHP7)
Resolved	PRODUCTION ERROR	EBernhardson	T132751 "Elastica: missing curl_init_pooled method" due to mwscript job running with PHP 5 on terbium
Resolved		Krenair	T125540 New version of File:Duniya Na Mane, 1937.webm
Resolved		None	T25748 Bad label on upload max filesize at upload page in spanish version
Resolved		hashar	T146286 mwscript on jessie mediawiki fails
Resolved		tstarling	T145819 Jobs invoking SiteConfiguration::getConfig cause HHVM to fail updating the bytecode cache due to being filesize limited to 512MBytes
Resolved		tstarling	T111441 SiteConfiguration::getConfig() does not work in Wikimedia production
Resolved		MoritzMuehlenhoff	T112421 Update rsvg on the image scalers to 2.40.16 (to solve several SVG rendering issues)
Resolved		Krenair	T84950 Thumbnail generation should happen via the same setup in the beta cluster and in production (tracking)
Resolved		• AlexMonk-WMF	T64835 Setup a Swift cluster on beta-cluster to match production
Resolved		fgiunchedi	T123512 beta swift labs instances requirements
Resolved		• AlexMonk-WMF	T140220 "UnderflowException from ... FancyCaptcha.class.php: Ran out of captcha images" at Special:CreateAccount
Resolved		Krenair	T116816 beta cluster missing vips command needed to render tiffs and pngs, pnmtojpeg for DjVus
Resolved		fgiunchedi	T142289 Setup deployment-imagescaler host(s) in Beta Cluster
Resolved		Krenair	T142288 Consolidate, remove, and/or downsize Beta Cluster instances to help with [[wikitech:Purge_2016]]
Declined		None	T142255 Move mathoid to deployment-sca* hosts in Beta Cluster
Resolved		• mobrovac	T107309 Test Mathoid in Jessie
Resolved		Krinkle	T142152 Move apertium to deployment-sca* hosts in Beta Cluster
Resolved		KartikMistry	T107306 Package apertium (and dependencies) for Jessie
Resolved		KartikMistry	T106385 [Tracker] Move Apertium packaging to Debian
Resolved		bd808	T143065 deployment-sca0[12] puppet failure due to issues involving /srv/deployment directory
Invalid		None	T142150 Move citoid to deployment-sca* hosts in Beta Cluster
Declined		None	T107302 Package and test Zotero for Jessie
Resolved		• dduvall	T138778 Upgrade mariadb in deployment-prep from Precise/MariaDB 5.5 to Jessie/MariaDB 5.10
Resolved		• dduvall	T147110 Delete deployment-db1 and deployment-db2

Event Timeline

Matanya created this task.Jun 28 2015, 10:06 PM

Matanya raised the priority of this task from to Needs Triage.

Matanya updated the task description. (Show Details)

Matanya added a project: Wikimedia-Site-requests.

Matanya subscribed.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 28 2015, 10:06 PM

Matanya added a parent task: T31902: Tidy up wmf-config CommonSettings.php and InitialiseSettings.php.Jun 28 2015, 10:07 PM

• MZMcBride subscribed.Jun 29 2015, 3:08 AM

Reedy set Security to None.Jun 29 2015, 3:17 AM

Reedy added subscribers: • csteipp, tstarling.

we are running 2.36.1 on precise, 2.40.2 on trusty

Krenair edited projects, added acl*sre-team, acl*security; removed Wikimedia-Site-requests.Jul 23 2015, 10:50 PM

Krenair mentioned this in T93041: Some wikitech.wikimedia.org thumbnails broken (404).

• dpatrick assigned this task to Krenair.Aug 12 2015, 8:50 PM

• dpatrick triaged this task as Medium priority.

• dpatrick edited projects, added Security-Team; removed acl*security.

I imagine it's still needed on tin, terbium, tmh100[12], and snapshot100[1-4]

But really I don't know enough about librsvg to determine this

Specifically, we run rsvg-convert version "2.36.1 (Wikimedia)" on precise (according to rsvg-convert --version). Are you asking whether we still need to do this? Since someone had to manually take 2.36.1 and add the patch to it, I'd assume so?

Presumably when all mw servers are running trusty we can remove the hack above

Reedy added a subtask: T86081: Complete the use of HHVM over Zend PHP on the Wikimedia cluster.Aug 12 2015, 9:16 PM

Ricordisamoa subscribed.Aug 12 2015, 9:32 PM

Ricordisamoa updated the task description. (Show Details)Aug 12 2015, 9:35 PM

Newer librsvg supports a sane security model by default

Does anyone know which version number resembles "newer" or has some upstream bug ID reference? Sigh...
For those who want to investigate:

git clone git://git.gnome.org/librsvg
https://bugzilla.gnome.org/buglist.cgi?product=librsvg&query_format=advanced&limit=0

In T104147#1535187, @Aklapper wrote:

Newer librsvg supports a sane security model by default

Does anyone know which version number resembles "newer" or has some upstream bug ID reference?

My understanding from the version numbers involved is that 2.40.2 is the newer version, 2.36.1 is the older version.

Some historical info on T40010 and T80392

# Newer librsvg supports a sane security model by default and doesn't need our security patch

Still unclear which "newer" version is refered to and no references provided.
https://bugzilla.gnome.org/show_bug.cgi?id=686346 might be related.

In T104147#1805678, @Aklapper wrote:

# Newer librsvg supports a sane security model by default and doesn't need our security patch

Still unclear which "newer" version is refered to and no references provided.
https://bugzilla.gnome.org/show_bug.cgi?id=686346 might be related.

I think, when we've upgraded all MW running servers to 14.04 we should be good...

Aklapper added a subtask: T112421: Update rsvg on the image scalers to 2.40.16 (to solve several SVG rendering issues).Nov 17 2015, 10:19 PM

Yes, the correct version of this patch is already included in our trusty packages.

So... That just means tin and silver to be upgraded and then we're done... I think

@Joe, when you say 'the corect version of this patch' do you mean this? https://gerrit.wikimedia.org/r/#/c/28496/ Or is there a different patch someplace else?