[depends] expat 2.2.0, ccache 3.3.1, fontconfig 2.12.1 #8423

pull fanquake wants to merge 3 commits into bitcoin:master from fanquake:expat-ccache-jul changing 3 files +7 −7
  1. fanquake commented at 3:00 AM on July 29, 2016: member

    expat 2.2.0

    CVE-2016-0718 (issue 537) - Fix crash on malformed input
    CVE-2016-4472 - Improve insufficient fix to CVE-2015-1283 / CVE-2015-2716 introduced with Expat 2.1.1
    CVE-2016-5300 (issue 499) - Use more entropy for hash initialization than the original fix to CVE-2012-0876
    CVE-2012-6702 (issue 519) - Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 when addressing CVE-2012-0876 (issue 496)
    Fix uninitialized reads of size 1 (e.g. in little2_updatePosition)
    Fix detection of UTF-8 character boundaries
    

    ccache 3.3.1 - release notes

    fontconfig 2.12.1 - release notes

  2. laanwj assigned theuni on Jul 29, 2016
  3. laanwj added the label Build system on Jul 29, 2016
  4. sipa commented at 7:44 PM on July 29, 2016: member

    Concept ACK for 0.14. I don't think there is anything urgent here for 0.13?

  5. laanwj commented at 8:54 AM on July 30, 2016: member

    @sipa Neither expat nor ccache is directly used in the Bitcoin Core executable, but part of tools (expat is used for the protobuf compiler) / building. So no, I don't see any reason why this would be urgent. We could bump them for 0.14.

  6. theuni commented at 4:33 PM on July 31, 2016: member

    ut ack.

  7. laanwj commented at 11:35 AM on August 4, 2016: member

    Hm, I was wrong above - expat is not used for protobuf, but is used for dbus, and is also a part of fontconfig. I vaguely remember we could drop dbus as a dependency as Qt loads it dynamically? Any hope of getting rid of expat @theuni?

  8. fanquake commented at 1:07 PM on August 4, 2016: member

    From memory we had to wait until we moved to Qt 5.7. Although that could all be rolled into 0.14.0?

  9. laanwj commented at 1:17 PM on August 4, 2016: member

    Ah yes, Qt 5.7; there's an issue open for that: #8237

    After that we can get rid of dbus, but can we get rid of expat? What is it used for in fontconfig?

  10. theuni commented at 5:54 PM on August 4, 2016: member

    @laanwj Yes, we can get rid of dbus. IIRC we can do that already, I'll take a look and PR it if possible.

    Unfortunately, I think we're stuck with expat in fontconfig. It's one of the libs that we use to link, then throw away.

  11. fanquake force-pushed on Aug 26, 2016
  12. fanquake commented at 10:24 AM on August 29, 2016: member

    ccache 3.3 has been released, I'll update this PR to include it. @theuni is this going to clash with your Qt5.7 work?

  13. laanwj commented at 2:18 PM on August 31, 2016: member

    > Unfortunately, I think we're stuck with expat in fontconfig. It's one of the libs that we use to link, then throw away.

    Would help to have a list of packages whose CVEs affect the final binary, and which don't, to avoid unpleasant surprises.

  14. fanquake cross-referenced this on Sep 1, 2016 from issue Docs: Minimum required dependencies and current CVEs by fanquake
  15. fanquake force-pushed on Sep 3, 2016
  16. fanquake commented at 7:30 AM on September 3, 2016: member

    Rebased, updated ccache to 3.3.0 and added a commit for fontconfig 2.12.1

  17. fanquake renamed this:
    [depends] expat 2.2.0, ccache 3.2.7
    [depends] expat 2.2.0, ccache 3.2.7, fontconfig 2.12.1
    on Sep 3, 2016
  18. fanquake force-pushed on Sep 3, 2016
  19. [depends] expat 2.2.0 6b6cbddb4c
  20. [depends] ccache 3.3.1 9616ac8a40
  21. [depends] fontconfig 2.12.1 86d410d91b
  22. fanquake force-pushed on Sep 16, 2016
  23. fanquake renamed this:
    [depends] expat 2.2.0, ccache 3.2.7, fontconfig 2.12.1
    [depends] expat 2.2.0, ccache 3.3.1, fontconfig 2.12.1
    on Sep 16, 2016
  24. laanwj commented at 5:54 AM on September 22, 2016: member

    utACK 86d410d

  25. laanwj merged this on Sep 22, 2016
  26. laanwj closed this on Sep 22, 2016

  27. laanwj referenced this in commit 3166dff48f on Sep 22, 2016
  28. fanquake deleted the branch on Oct 6, 2016
  29. codablock referenced this in commit 0545b2fabb on Sep 19, 2017
  30. codablock referenced this in commit 801c9e259d on Jan 11, 2018
  31. bitcoin locked this on Sep 8, 2021
