From 93150004326cac44a95affef39f1fba9175edc25 Mon Sep 17 00:00:00 2001 From: c0bw3b Date: Sun, 17 Nov 2019 19:17:12 +0100 Subject: [PATCH 01/12] saga: remove jasper from inputs It is unused since v2.2.6 (2016) https://sourceforge.net/p/saga-gis/bugs/224/ --- pkgs/applications/gis/saga/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/gis/saga/default.nix b/pkgs/applications/gis/saga/default.nix index feb79f444b8..90e7af9944d 100644 --- a/pkgs/applications/gis/saga/default.nix +++ b/pkgs/applications/gis/saga/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, gdal, wxGTK30, proj, libiodbc, lzma, jasper, +{ stdenv, fetchurl, gdal, wxGTK30, proj, libiodbc, lzma, libharu, opencv, vigra, postgresql, Cocoa, unixODBC , poppler, hdf4, hdf5, netcdf, sqlite, qhull, giflib }: @@ -9,7 +9,7 @@ stdenv.mkDerivation { # See https://groups.google.com/forum/#!topic/nix-devel/h_vSzEJAPXs # for why the have additional buildInputs on darwin buildInputs = [ gdal wxGTK30 proj libharu opencv vigra postgresql libiodbc lzma - jasper qhull giflib ] + qhull giflib ] ++ stdenv.lib.optionals stdenv.isDarwin [ Cocoa unixODBC poppler hdf4.out hdf5 netcdf sqlite ]; From acd905893148adadf3e5ff080bba71cd940cf93a Mon Sep 17 00:00:00 2001 From: c0bw3b Date: Sun, 17 Nov 2019 19:28:05 +0100 Subject: [PATCH 02/12] digikam: disable JPEG2000 support by default jasper has several unfixed CVE and seems unmaintained Upstream open bug to replace it with OpenJPEG is: https://bugs.kde.org/show_bug.cgi?id=364231 --- pkgs/applications/graphics/digikam/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/graphics/digikam/default.nix b/pkgs/applications/graphics/digikam/default.nix index 1fc15af7244..1d9b06de29f 100644 --- a/pkgs/applications/graphics/digikam/default.nix +++ b/pkgs/applications/graphics/digikam/default.nix 
@@ -26,7 +26,7 @@ , exiv2 , ffmpeg , flex -, jasper +, jasper ? null, withJpeg2k ? false # disable JPEG2000 support, jasper has unfixed CVE , lcms2 , lensfun , libgphoto2 @@ -70,7 +70,6 @@ mkDerivation rec { exiv2 ffmpeg flex - jasper lcms2 lensfun libgphoto2 @@ -103,7 +102,8 @@ mkDerivation rec { marble oxygen threadweaver - ]; + ] + ++ lib.optionals withJpeg2k [ jasper ]; enableParallelBuilding = true; From ab8889d8b18aab8a80242b695256d5bcee19f8e8 Mon Sep 17 00:00:00 2001 From: c0bw3b Date: Sun, 17 Nov 2019 19:32:27 +0100 Subject: [PATCH 03/12] k2pdfopt: disable JPEG2000 support by default jasper has unfixed CVE --- pkgs/applications/misc/k2pdfopt/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/misc/k2pdfopt/default.nix b/pkgs/applications/misc/k2pdfopt/default.nix index a2eba8e08c2..aedfff40d70 100644 --- a/pkgs/applications/misc/k2pdfopt/default.nix +++ b/pkgs/applications/misc/k2pdfopt/default.nix @@ -3,7 +3,7 @@ , enableGSL ? true, gsl , enableGhostScript ? true, ghostscript , enableMuPDF ? true, mupdf -, enableJPEG2K ? true, jasper +, enableJPEG2K ? false, jasper ? null # disabled by default, jasper has unfixed CVE , enableDJVU ? true, djvulibre , enableGOCR ? false, gocr # Disabled by default due to crashes , enableTesseract ? true, leptonica, tesseract4 From 0a443f4c72595d0fc1b678ad4f511429c13c8c65 Mon Sep 17 00:00:00 2001 From: c0bw3b Date: Sun, 17 Nov 2019 19:36:29 +0100 Subject: [PATCH 04/12] kodi: drop jasper dependency Unused since: https://github.com/xbmc/xbmc/commit/424c5138b6bbdbff686ca55e43682f0ee1d84017 --- pkgs/applications/video/kodi/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/video/kodi/default.nix b/pkgs/applications/video/kodi/default.nix index 8edc99c5f02..0302dd24646 100644 --- a/pkgs/applications/video/kodi/default.nix +++ b/pkgs/applications/video/kodi/default.nix 
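Review bot: The new `withJpeg2k ? false` is paired with `jasper ? null`, but nothing checks the combination `withJpeg2k = true` with a null `jasper`; as far as I can tell a null in `buildInputs` is silently ignored, so such an override would build without JPEG2000 support instead of failing. Add `assert withJpeg2k -> jasper != null;` in front of `mkDerivation rec {` so the misconfiguration is reported at evaluation time. The flag is spelled `withJpeg2k` here while k2pdfopt and the opencv derivations in this same series use `enableJPEG2K`; one spelling across the series keeps overlays simple. The inline comment should read `# JPEG2000 support disabled by default: jasper has many unfixed CVEs and is marked insecure, enabling needs permittedInsecurePackages` (the last patch of this series adds that mark). The `mkDerivation rec {` header these three hunks belong to lies outside the shown hunks.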
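Review bot: With `jasper ? null` and no assertion, an override of `enableJPEG2K = true` that does not also supply a jasper does not error; it quietly drops the input and yields a build without JPEG2000, which is the opposite of what the user asked for. Add `assert enableJPEG2K -> jasper != null;` above the `mkDerivation` call (which is outside this hunk). The comment on the changed line is also the only place a user learns why the default flipped; suggest `# disabled by default: jasper has many unfixed CVEs and is marked insecure; enabling it requires permittedInsecurePackages`.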
@@ -9,7 +9,7 @@ , libXinerama, libXrandr , libXtst, libXfixes, systemd , alsaLib, libGLU, libGL, glew, fontconfig, freetype, ftgl -, libjpeg, jasper, libpng, libtiff +, libjpeg, libpng, libtiff , libmpeg2, libsamplerate, libmad , libogg, libvorbis, flac, libxslt , lzo, libcdio, libmodplug, libass, libbluray @@ -157,7 +157,7 @@ in stdenv.mkDerivation { libX11 xorgproto libXt libXmu libXext libXinerama libXrandr libXtst libXfixes alsaLib libGL libGLU glew fontconfig freetype ftgl - libjpeg jasper libpng libtiff + libjpeg libpng libtiff libmpeg2 libsamplerate libmad libogg libvorbis flac libxslt systemd lzo libcdio libmodplug libass libbluray From 9aa62321ea9c2f7a355d4c549cf1f803c0283ca8 Mon Sep 17 00:00:00 2001 From: c0bw3b Date: Sun, 17 Nov 2019 19:44:10 +0100 Subject: [PATCH 05/12] gdk-pixbuf: disable JPEG2000 support jasper has unfixed CVE Upstream has no plan to switch to openjpeg AFAICT --- pkgs/development/libraries/gdk-pixbuf/default.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/gdk-pixbuf/default.nix b/pkgs/development/libraries/gdk-pixbuf/default.nix index f4c554395d4..9c2da3c5b69 100644 --- a/pkgs/development/libraries/gdk-pixbuf/default.nix +++ b/pkgs/development/libraries/gdk-pixbuf/default.nix @@ -1,6 +1,6 @@ { stdenv, fetchurl, nixosTests, fixDarwinDylibNames, meson, ninja, pkgconfig, gettext, python3, libxml2, libxslt, docbook_xsl , docbook_xml_dtd_43, gtk-doc, glib, libtiff, libjpeg, libpng, libX11, gnome3 -, jasper, gobject-introspection, doCheck ? false, makeWrapper }: +, gobject-introspection, doCheck ? false, makeWrapper }: let pname = "gdk-pixbuf"; 
@@ -31,11 +31,10 @@ in stdenv.mkDerivation rec { ] ++ stdenv.lib.optional stdenv.isDarwin fixDarwinDylibNames; - propagatedBuildInputs = [ glib libtiff libjpeg libpng jasper ]; + propagatedBuildInputs = [ glib libtiff libjpeg libpng ]; mesonFlags = [ "-Ddocs=true" - "-Djasper=true" "-Dx11=true" "-Dgir=${if gobject-introspection != null then "true" else "false"}" "-Dgio_sniffing=false" From 652a178840a08527bfd41aa871820c66bd0b8c57 Mon Sep 17 00:00:00 2001 From: c0bw3b Date: Sun, 17 Nov 2019 19:48:55 +0100 Subject: [PATCH 06/12] grib-api: replace jasper with openjpeg --- .../libraries/grib-api/default.nix | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/pkgs/development/libraries/grib-api/default.nix b/pkgs/development/libraries/grib-api/default.nix index 38243ce5a6d..0c9e4bf3156 100644 --- a/pkgs/development/libraries/grib-api/default.nix +++ b/pkgs/development/libraries/grib-api/default.nix @@ -1,5 +1,5 @@ -{ fetchurl, stdenv, - cmake, netcdf, gfortran, jasper, libpng, +{ fetchurl, fetchpatch, stdenv, + cmake, netcdf, gfortran, libpng, openjpeg, enablePython ? false, pythonPackages }: stdenv.mkDerivation rec{ @@ -11,6 +11,13 @@ stdenv.mkDerivation rec{ sha256 = "0qbj12ap7yy2rl1pq629chnss2jl73wxdj1lwzv0xp87r6z5qdfl"; }; + patches = [ + (fetchpatch { + url = "https://salsa.debian.org/science-team/grib-api/raw/debian/1.28.0-2/debian/patches/openjpeg2.patch"; + sha256 = "05faxh51vlidiazxq1ssd3k4cjivk1adyn30k94mxqa1xnb2r2pc"; + }) + ]; + preConfigure = '' # Fix "no member named 'inmem_' in 'jas_image_t'" substituteInPlace "src/grib_jasper_encoding.c" --replace "image.inmem_ = 1;" "" @@ -19,8 +26,8 @@ stdenv.mkDerivation rec{ buildInputs = [ cmake netcdf gfortran - jasper libpng + openjpeg ] ++ stdenv.lib.optionals enablePython [ pythonPackages.python ]; 
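Review bot: Removing `"-Djasper=true"` leaves the JPEG2000 loader at whatever meson's default happens to be, which this hunk does not pin; since the loader is being dropped for security reasons, pass `"-Djasper=false"` explicitly so a future change of the upstream default, or a jasper that reaches the build environment through another input, cannot silently re-enable it. gdk-pixbuf loaders are reached by anything that renders untrusted images, so the decision deserves an inline comment next to the flag: `# JPEG2000 (jasper) loader disabled: many unfixed CVEs upstream`. The `mesonFlags` list appears to continue past the end of this hunk.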
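Review bot: The `preConfigure` hook shown as context in this hunk still runs `substituteInPlace "src/grib_jasper_encoding.c" --replace "image.inmem_ = 1;" ""` to work around a jasper API change, but jasper is no longer an input after this patch, so that edit is dead code and should be removed together with its `# Fix "no member named 'inmem_' in 'jas_image_t'"` comment. The Debian `openjpeg2.patch` is fetched with a pinned `sha256`, which is good; a one-line comment stating what it does (`# build the JPEG2000 packing against openjpeg instead of jasper`) would save the next reader a trip to salsa. The enclosing `stdenv.mkDerivation rec{` spans several hunks.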
@@ -32,6 +39,7 @@ stdenv.mkDerivation rec{ cmakeFlags = [ "-DENABLE_PYTHON=${if enablePython then "ON" else "OFF"}" "-DENABLE_PNG=ON" "-DENABLE_FORTRAN=ON" + "-DOPENJPEG_INCLUDE_DIR=${openjpeg.dev}/include/${openjpeg.incDir}" ]; enableParallelBuilding = true; @@ -52,13 +60,15 @@ stdenv.mkDerivation rec{ homepage = https://software.ecmwf.int/wiki/display/GRIB/Home; license = licenses.asl20; platforms = with platforms; linux ++ darwin; - description = "ECMWF Library for the GRIB file format"; + description = "ECMWF Library for the GRIB file format -- DEPRECATED"; longDescription = '' The ECMWF GRIB API is an application program interface accessible from C, FORTRAN and Python programs developed for encoding and decoding WMO FM-92 GRIB edition 1 and edition 2 messages. + + Please note: GRIB-API support is being discontinued at the end of 2018. + After which there will be no further releases. Please upgrade to ecCodes ''; maintainers = with maintainers; [ knedlsepp ]; }; } - From 329270e8520820e5aebe43f78dd9a50eed4c565c Mon Sep 17 00:00:00 2001 From: c0bw3b Date: Sun, 17 Nov 2019 22:08:59 +0100 Subject: [PATCH 07/12] libicns: replace jasper with openjpeg --- pkgs/development/libraries/libicns/default.nix | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/pkgs/development/libraries/libicns/default.nix b/pkgs/development/libraries/libicns/default.nix index 298d6124505..27ec8b17c0d 100644 --- a/pkgs/development/libraries/libicns/default.nix +++ b/pkgs/development/libraries/libicns/default.nix 
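Review bot: The new `-DOPENJPEG_INCLUDE_DIR=...` only tells cmake where the openjpeg headers are; nothing in `cmakeFlags` turns the JPEG feature on or turns jasper detection off, so whether the openjpeg path is actually compiled, and whether a jasper found elsewhere in the build environment would still be preferred, is left to autodetection. If grib-api's ecbuild options are named as in upstream's CMakeLists (`ENABLE_JPG`, `ENABLE_JPG_LIBJASPER`, `ENABLE_JPG_LIBOPENJPEG`; please confirm against the tarball), pin the choice: `"-DENABLE_JPG=ON" "-DENABLE_JPG_LIBJASPER=OFF" "-DENABLE_JPG_LIBOPENJPEG=ON"`. The `cmakeFlags` list and the enclosing derivation continue outside this hunk.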
@@ -1,14 +1,24 @@ -{ stdenv, fetchurl, libpng, jasper }: +{ stdenv, fetchurl, fetchpatch, autoreconfHook, libpng, openjpeg }: stdenv.mkDerivation rec { - name = "libicns-0.8.1"; + pname = "libicns"; + version = "0.8.1"; src = fetchurl { - url = "mirror://sourceforge/icns/${name}.tar.gz"; + url = "mirror://sourceforge/icns/${pname}-${version}.tar.gz"; sha256 = "1hjm8lwap7bjyyxsyi94fh5817xzqhk4kb5y0b7mb6675xw10prk"; }; - buildInputs = [ libpng jasper ]; + patches = [ + (fetchpatch { + url = "https://sources.debian.org/data/main/libi/libicns/0.8.1-3.1/debian/patches/support-libopenjp2.patch"; + sha256 = "0ss298lyzvydxvaxsadi6kbbjpwykd86jw3za76brcsg2dpssgas"; + }) + ]; + + nativeBuildInputs = [ autoreconfHook ]; + buildInputs = [ libpng openjpeg ]; + NIX_CFLAGS_COMPILE = [ "-I${openjpeg.dev}/include/${openjpeg.incDir}" ]; meta = with stdenv.lib; { description = "Library for manipulation of the Mac OS icns resource format"; From 9ee141e8c4cd6b5dd3d71d9ebf9c763f97fb27ec Mon Sep 17 00:00:00 2001 From: c0bw3b Date: Sun, 17 Nov 2019 22:14:08 +0100 Subject: [PATCH 08/12] libraw: disable JPEG2000 support by default jasper has many security issues and it's only used for some old Redcine cameras. See: https://github.com/LibRaw/LibRaw/issues/69 --- pkgs/development/libraries/libraw/default.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libraw/default.nix b/pkgs/development/libraries/libraw/default.nix index 62fa8c1a675..00288e359df 100644 --- a/pkgs/development/libraries/libraw/default.nix +++ b/pkgs/development/libraries/libraw/default.nix @@ -1,4 +1,7 @@ -{ stdenv, fetchurl, lcms2, jasper, pkgconfig }: +{ stdenv, fetchurl, lcms2, pkgconfig +, jasper ? null, withJpeg2k ? false +# disable JPEG2000 support by default as jasper has many CVE +}: stdenv.mkDerivation rec { pname = "libraw"; 
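Review bot: `NIX_CFLAGS_COMPILE = [ "-I${openjpeg.dev}/include/${openjpeg.incDir}" ];` hard-codes the header location into the compiler flags; if the Debian `support-libopenjp2.patch` makes `configure.ac` use `PKG_CHECK_MODULES` for `libopenjp2` (I cannot see the patch, please check), adding `pkgconfig` to `nativeBuildInputs` would make autoconf find the headers and libraries itself and the flag could go. Independently of that, prefer a string over a list for `NIX_CFLAGS_COMPILE`, `NIX_CFLAGS_COMPILE = "-I${openjpeg.dev}/include/${openjpeg.incDir}";`, since lists become arrays under structured attrs. A short comment on why the patch is there, `# build the JPEG2000 code against openjpeg instead of the unmaintained jasper`, would help later readers.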
@@ -11,7 +14,7 @@ stdenv.mkDerivation rec { outputs = [ "out" "lib" "dev" "doc" ]; - buildInputs = [ jasper ]; + buildInputs = stdenv.lib.optionals withJpeg2k [ jasper ]; propagatedBuildInputs = [ lcms2 ]; From d2a536ff9a832c4bbeb62db081c3f42500ff9800 Mon Sep 17 00:00:00 2001 From: c0bw3b Date: Sun, 17 Nov 2019 22:34:54 +0100 Subject: [PATCH 09/12] openscenegraph: disable jasper by default --- pkgs/development/libraries/openscenegraph/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/libraries/openscenegraph/default.nix b/pkgs/development/libraries/openscenegraph/default.nix index 9be5018dc29..b12ca67655b 100644 --- a/pkgs/development/libraries/openscenegraph/default.nix +++ b/pkgs/development/libraries/openscenegraph/default.nix @@ -2,7 +2,7 @@ libX11, libXinerama, libXrandr, libGLU, libGL, glib, ilmbase, libxml2, pcre, zlib, jpegSupport ? true, libjpeg, - jasperSupport ? true, jasper, + jasperSupport ? false, jasper, # disable jasper by default (many CVE) exrSupport ? false, openexr, gifSupport ? true, giflib, pngSupport ? true, libpng, From a13779a779d6fec1ec959c7b7a20d50fd5e13b49 Mon Sep 17 00:00:00 2001 From: c0bw3b Date: Sun, 17 Nov 2019 23:43:42 +0100 Subject: [PATCH 10/12] opencv: disable jasper by default jasper has many unfixed CVEs, upstream disable its use by default https://github.com/opencv/opencv/issues/14058 --- pkgs/development/libraries/opencv/3.x.nix | 2 +- pkgs/development/libraries/opencv/4.x.nix | 2 +- pkgs/development/libraries/opencv/default.nix | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/opencv/3.x.nix b/pkgs/development/libraries/opencv/3.x.nix index 874f9535759..97df84637ef 100644 --- a/pkgs/development/libraries/opencv/3.x.nix +++ b/pkgs/development/libraries/opencv/3.x.nix 
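Review bot: `buildInputs = stdenv.lib.optionals withJpeg2k [ jasper ];` has no guard for `withJpeg2k = true` combined with the new `jasper ? null` default, so such an override silently produces a LibRaw without JPEG2000 rather than an evaluation error; add `assert withJpeg2k -> jasper != null;` before `stdenv.mkDerivation rec {` (the function header is in the previous hunk). The header comment `disable JPEG2000 support by default as jasper has many CVE` should also tell the user that jasper is marked insecure in this series, so enabling the flag needs `permittedInsecurePackages`. The derivation body continues outside this hunk.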
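Review bot: `jasperSupport ? false, jasper,` keeps `jasper` a required argument, while digikam, k2pdfopt and libraw in this same series make the package optional when they flip the default; for consistency and so an overlay can remove the package entirely, use `jasperSupport ? false, jasper ? null, # jasper has many unfixed CVEs and is marked insecure` with `assert jasperSupport -> jasper != null;` in front of the derivation. The `(many CVE)` wording should be `(many unfixed CVEs)`. The argument list continues outside this hunk.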
@@ -9,7 +9,7 @@ , enableTIFF ? true, libtiff , enableWebP ? true, libwebp , enableEXR ? !stdenv.isDarwin, openexr, ilmbase -, enableJPEG2K ? true, jasper +, enableJPEG2K ? false, jasper # disable jasper by default (many CVE) , enableEigen ? true, eigen , enableOpenblas ? true, openblas , enableContrib ? true diff --git a/pkgs/development/libraries/opencv/4.x.nix b/pkgs/development/libraries/opencv/4.x.nix index a5eb1029ad9..408368b89c4 100644 --- a/pkgs/development/libraries/opencv/4.x.nix +++ b/pkgs/development/libraries/opencv/4.x.nix @@ -9,7 +9,7 @@ , enableTIFF ? true, libtiff , enableWebP ? true, libwebp , enableEXR ? !stdenv.isDarwin, openexr, ilmbase -, enableJPEG2K ? true, jasper +, enableJPEG2K ? false, jasper # disable jasper by default (many CVE) , enableEigen ? true, eigen , enableOpenblas ? true, openblas , enableContrib ? true diff --git a/pkgs/development/libraries/opencv/default.nix b/pkgs/development/libraries/opencv/default.nix index b91a1489eb6..db8a5e5a41b 100644 --- a/pkgs/development/libraries/opencv/default.nix +++ b/pkgs/development/libraries/opencv/default.nix @@ -6,7 +6,7 @@ , enablePNG ? true, libpng , enableTIFF ? true, libtiff , enableEXR ? (!stdenv.isDarwin), openexr, ilmbase -, enableJPEG2K ? true, jasper +, enableJPEG2K ? false, jasper # disable jasper by default (many CVE) , enableFfmpeg ? false, ffmpeg , enableGStreamer ? false, gst_all_1 , enableEigen ? true, eigen From 9a48332935d2b1c33cc160d8ded248091dc3052e Mon Sep 17 00:00:00 2001 From: c0bw3b Date: Sun, 17 Nov 2019 22:55:36 +0100 Subject: [PATCH 11/12] dcraw: mark as vulnerable --- pkgs/tools/graphics/dcraw/default.nix | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/graphics/dcraw/default.nix b/pkgs/tools/graphics/dcraw/default.nix index e4ceff36f92..11ff4b743dd 100644 --- a/pkgs/tools/graphics/dcraw/default.nix +++ b/pkgs/tools/graphics/dcraw/default.nix 
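Review bot: The comment `# disable jasper by default (many CVE)` does not tell the user what happens if they set `enableJPEG2K = true`: the last patch in this series marks jasper with `knownVulnerabilities`, so the evaluation will abort until the package is listed in `permittedInsecurePackages`; say so, e.g. `# disabled by default: jasper has many unfixed CVEs and is marked insecure (needs permittedInsecurePackages); upstream also defaults WITH_JASPER to OFF`. The same comment applies to the identical lines in 4.x.nix and default.nix. How `enableJPEG2K` is mapped onto the cmake `WITH_JASPER` switch is outside these hunks; please confirm that an `OFF` value is passed explicitly rather than relying on autodetection, since jasper can still be present transitively.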
@@ -4,7 +4,7 @@ stdenv.mkDerivation rec { name = "dcraw-9.28.0"; src = fetchurl { - url = "https://www.cybercom.net/~dcoffin/dcraw/archive/${name}.tar.gz"; + url = "https://www.dechifro.org/dcraw/archive/${name}.tar.gz"; sha256 = "1fdl3xa1fbm71xzc3760rsjkvf0x5jdjrvdzyg2l9ka24vdc7418"; }; @@ -23,10 +23,17 @@ stdenv.mkDerivation rec { ''; meta = { - homepage = http://www.cybercom.net/~dcoffin/dcraw/; + homepage = https://www.dechifro.org/dcraw/; description = "Decoder for many camera raw picture formats"; license = stdenv.lib.licenses.free; platforms = stdenv.lib.platforms.unix; # Once had cygwin problems maintainers = [ ]; + knownVulnerabilities = [ + "CVE-2018-19655" + "CVE-2018-19565" + "CVE-2018-19566" + "CVE-2018-19567" + "CVE-2018-19568" + ]; }; } From a0d335ff39c4280456b293fb83582d7a0cc6b939 Mon Sep 17 00:00:00 2001 From: c0bw3b Date: Sun, 17 Nov 2019 21:43:52 +0100 Subject: [PATCH 12/12] jasper: mark as vulnerable Many memory issues remain unfixed or partially fixed: CVE-2018-18873 CVE-2018-19539 CVE-2018-19540 CVE-2018-19541 CVE-2018-9252 CVE-2018-19542 CVE-2018-19543 CVE-2018-20570 CVE-2018-20584 CVE-2018-20622 CVE-2018-9252 Debian/Ubuntu, OpenSuSE and Gentoo removed it entirely. See: https://github.com/mdadams/jasper/issues/208 --- pkgs/development/libraries/jasper/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/development/libraries/jasper/default.nix b/pkgs/development/libraries/jasper/default.nix index 1bad3394b6a..093fd0c5f28 100644 --- a/pkgs/development/libraries/jasper/default.nix +++ b/pkgs/development/libraries/jasper/default.nix @@ -42,5 +42,10 @@ stdenv.mkDerivation rec { platforms = platforms.unix; license = licenses.jasper; maintainers = with maintainers; [ pSub ]; + knownVulnerabilities = [ + "Numerous CVE unsolved upstream" + "See: https://github.com/NixOS/nixpkgs/pull/57681#issuecomment-475857499" + "See: https://github.com/mdadams/jasper/issues/208" + ]; }; }
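Review bot: The new `homepage = https://www.dechifro.org/dcraw/;` uses the bare-URL literal that Nix is deprecating (RFC 45); quote it as `homepage = "https://www.dechifro.org/dcraw/";`, matching the already-quoted `url` in the first hunk. Moving the tarball to a different host while leaving `sha256` untouched is the right call, since the fixed-output hash rather than the host is what guarantees the archive is byte-identical; it is worth one sentence in the commit message so the host change is not mistaken for a content change. In `knownVulnerabilities`, `CVE-2018-19655` is listed before the `CVE-2018-19565` to `CVE-2018-19568` group; sorting ascending makes it easier to compare against advisories.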
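Review bot: The `knownVulnerabilities` entries are free text and two links, so a user who hits the "marked as insecure" evaluation error sees no CVE identifier, while the commit message lists eleven; put the identifiers into the array, one string each (`"CVE-2018-18873"`, `"CVE-2018-19539"`, ...), and keep the two `See:` links as the last entries. The commit message lists `CVE-2018-9252` twice; drop the duplicate. Several derivations in this series still accept `jasper` as an optional input, so this mark will make their evaluation fail the moment a user flips the JPEG2000 option; the message should state that `permittedInsecurePackages` is the intended opt-in.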