#2848 Update exception request: dcmtk 3.6.6 -> 3.6.7
Closed: Accepted 2 years ago by churchyard. Opened 2 years ago by ankursinha.

Hi folks,

There are a few CVEs opened against dcmtk on Bugzilla, and others reported by a user that are all fixed in the next patch release: 3.6.7. The current version in Fedora is 3.6.6. Unfortunately, dcmtk does not guarantee ABI stability and bumps the soname version in every patch release also. Only two packages depend on dcmtk, though:

  • ctk (I'm maintainer)
  • OpenImageIO (maintainer: @hobbes1069)

I did look into backporting the patches from 3.6.7 to 3.6.6 but just updating to 3.6.7 is simpler.

Would FESCo please grant an exception for me to update dcmtk in all Fedora releases to 3.6.7?

References:

and a few reported here too:

Commits referenced as fixes:


Did you actually test for an ABI change using fedabipkgdiff or similar?

With only two packages affected, and the 2nd one being mine, I don't think this is really a big deal even if technically it's discouraged by the guidelines.

```
fedabipkgdiff results_dcmtk/3.6.6/12.fc37/dcmtk-3.6.6-12.fc37.x86_64.rpm results_dcmtk/3.6.7/1.fc37/dcmtk-3.6.7-1.fc37.x86_64.rpm
Comparing the ABI of binaries between dcmtk-3.6.6-12.fc37.x86_64.rpm and dcmtk-3.6.7-1.fc37.x86_64.rpm:

Removed binaries:
  [D] /usr/lib64/libcmr.so.16.3.6.6, SONAME: libcmr.so.16
  [D] /usr/lib64/libdcmdata.so.16.3.6.6, SONAME: libdcmdata.so.16
  [D] /usr/lib64/libdcmdsig.so.16.3.6.6, SONAME: libdcmdsig.so.16
  [D] /usr/lib64/libdcmect.so.16.3.6.6, SONAME: libdcmect.so.16
  [D] /usr/lib64/libdcmfg.so.16.3.6.6, SONAME: libdcmfg.so.16
  [D] /usr/lib64/libdcmimage.so.16.3.6.6, SONAME: libdcmimage.so.16
  [D] /usr/lib64/libdcmimgle.so.16.3.6.6, SONAME: libdcmimgle.so.16
  [D] /usr/lib64/libdcmiod.so.16.3.6.6, SONAME: libdcmiod.so.16
  [D] /usr/lib64/libdcmjpeg.so.16.3.6.6, SONAME: libdcmjpeg.so.16
  [D] /usr/lib64/libdcmjpls.so.16.3.6.6, SONAME: libdcmjpls.so.16
  [D] /usr/lib64/libdcmnet.so.16.3.6.6, SONAME: libdcmnet.so.16
  [D] /usr/lib64/libdcmpmap.so.16.3.6.6, SONAME: libdcmpmap.so.16
  [D] /usr/lib64/libdcmpstat.so.16.3.6.6, SONAME: libdcmpstat.so.16
  [D] /usr/lib64/libdcmqrdb.so.16.3.6.6, SONAME: libdcmqrdb.so.16
  [D] /usr/lib64/libdcmrt.so.16.3.6.6, SONAME: libdcmrt.so.16
  [D] /usr/lib64/libdcmseg.so.16.3.6.6, SONAME: libdcmseg.so.16
  [D] /usr/lib64/libdcmsr.so.16.3.6.6, SONAME: libdcmsr.so.16
  [D] /usr/lib64/libdcmtkcharls.so.16.3.6.6, SONAME: libdcmtkcharls.so.16
  [D] /usr/lib64/libdcmtls.so.16.3.6.6, SONAME: libdcmtls.so.16
  [D] /usr/lib64/libdcmtract.so.16.3.6.6, SONAME: libdcmtract.so.16
  [D] /usr/lib64/libdcmwlm.so.16.3.6.6, SONAME: libdcmwlm.so.16
  [D] /usr/lib64/libi2d.so.16.3.6.6, SONAME: libi2d.so.16
  [D] /usr/lib64/libijg12.so.16.3.6.6, SONAME: libijg12.so.16
  [D] /usr/lib64/libijg16.so.16.3.6.6, SONAME: libijg16.so.16
  [D] /usr/lib64/libijg8.so.16.3.6.6, SONAME: libijg8.so.16
  [D] /usr/lib64/liboflog.so.16.3.6.6, SONAME: liboflog.so.16
  [D] /usr/lib64/libofstd.so.16.3.6.6, SONAME: libofstd.so.16
Added binaries:
  [A] /usr/lib64/libcmr.so.17.3.6.7, SONAME: libcmr.so.17
  [A] /usr/lib64/libdcmdata.so.17.3.6.7, SONAME: libdcmdata.so.17
  [A] /usr/lib64/libdcmdsig.so.17.3.6.7, SONAME: libdcmdsig.so.17
  [A] /usr/lib64/libdcmect.so.17.3.6.7, SONAME: libdcmect.so.17
  [A] /usr/lib64/libdcmfg.so.17.3.6.7, SONAME: libdcmfg.so.17
  [A] /usr/lib64/libdcmimage.so.17.3.6.7, SONAME: libdcmimage.so.17
  [A] /usr/lib64/libdcmimgle.so.17.3.6.7, SONAME: libdcmimgle.so.17
  [A] /usr/lib64/libdcmiod.so.17.3.6.7, SONAME: libdcmiod.so.17
  [A] /usr/lib64/libdcmjpeg.so.17.3.6.7, SONAME: libdcmjpeg.so.17
  [A] /usr/lib64/libdcmjpls.so.17.3.6.7, SONAME: libdcmjpls.so.17
  [A] /usr/lib64/libdcmnet.so.17.3.6.7, SONAME: libdcmnet.so.17
  [A] /usr/lib64/libdcmpmap.so.17.3.6.7, SONAME: libdcmpmap.so.17
  [A] /usr/lib64/libdcmpstat.so.17.3.6.7, SONAME: libdcmpstat.so.17
  [A] /usr/lib64/libdcmqrdb.so.17.3.6.7, SONAME: libdcmqrdb.so.17
  [A] /usr/lib64/libdcmrt.so.17.3.6.7, SONAME: libdcmrt.so.17
  [A] /usr/lib64/libdcmseg.so.17.3.6.7, SONAME: libdcmseg.so.17
  [A] /usr/lib64/libdcmsr.so.17.3.6.7, SONAME: libdcmsr.so.17
  [A] /usr/lib64/libdcmtkcharls.so.17.3.6.7, SONAME: libdcmtkcharls.so.17
  [A] /usr/lib64/libdcmtls.so.17.3.6.7, SONAME: libdcmtls.so.17
  [A] /usr/lib64/libdcmtract.so.17.3.6.7, SONAME: libdcmtract.so.17
  [A] /usr/lib64/libdcmwlm.so.17.3.6.7, SONAME: libdcmwlm.so.17
  [A] /usr/lib64/libi2d.so.17.3.6.7, SONAME: libi2d.so.17
  [A] /usr/lib64/libijg12.so.17.3.6.7, SONAME: libijg12.so.17
  [A] /usr/lib64/libijg16.so.17.3.6.7, SONAME: libijg16.so.17
  [A] /usr/lib64/libijg8.so.17.3.6.7, SONAME: libijg8.so.17
  [A] /usr/lib64/liboflog.so.17.3.6.7, SONAME: liboflog.so.17
  [A] /usr/lib64/libofstd.so.17.3.6.7, SONAME: libofstd.so.17
```

(have I used this right?)

Yup, so while the SONAME was bumped, there are no actual ABI differences, so a simple rebuild should be fine. As it only affects our packages, I think this falls into the "not a big deal" category.

If you're a PP then you can perform all the necessary builds; if not, just let me know what the side tags are.

Also, I recently updated OpenImageIO, so let's wait until they're stable.

I think this is fine. The impact is very limited—and you have a plan to coordinate it—and the security fix is worthwhile.

+1

> ```
> fedabipkgdiff results_dcmtk/3.6.6/12.fc37/dcmtk-3.6.6-12.fc37.x86_64.rpm results_dcmtk/3.6.7/1.fc37/dcmtk-3.6.7-1.fc37.x86_64.rpm
> ```
>
> (have I used this right?)

No, I don't think so. It didn't recognise these libraries as "the same". You need to include the -devel packages in the comparison as well (which contain the unversioned .so files), and possibly the -debuginfo package for the subpackage that contains the libraries (so the diff result is more meaningful, because it can resolve struct fields and symbol names etc.).

Anyway, the impact is still very limited and security fixes are nice, so +1 on the update policy exception.

Metadata Update from @music:
- Issue tagged with: updates policy exception

2 years ago

> > ```
> > fedabipkgdiff results_dcmtk/3.6.6/12.fc37/dcmtk-3.6.6-12.fc37.x86_64.rpm results_dcmtk/3.6.7/1.fc37/dcmtk-3.6.7-1.fc37.x86_64.rpm
> > ```
> >
> > (have I used this right?)
>
> No, I don't think so. It didn't recognise these libraries as "the same". You need to include the -devel packages in the comparison as well (which contain the unversioned .so files), and possibly the -debuginfo package for the subpackage that contains the libraries (so the diff result is more meaningful, because it can resolve struct fields and symbol names etc.).

Sorry, I can't figure this out: how does one include the devel packages too?

```
fedabipkgdiff results_dcmtk/3.6.6/12.fc37/dcmtk-devel-3.6.6-12.fc37.x86_64.rpm results_dcmtk/3.6.7/1.fc37/dcmtk-devel-3.6.7-1.fc37.x86_64.rpm
# returns nothing
```

Using wildcards to include all files also returns nothing:

```
fedabipkgdiff results_dcmtk/3.6.6/12.fc37/*rpm results_dcmtk/3.6.7/1.fc37/*rpm
```

I've never used the fedabipkgdiff wrapper, I'm not even sure if it's the right tool here, given that its "--help" output mentions comparing koji build outputs. I used abipkgdiff directly, like this:

```
abipkgdiff pkg1 pkg2 --devel1 pkg1-devel --devel2 pkg2-devel --debug-info-pkg1 pkg1-debuginfo --debug-info-pkg2 pkg2-debuginfo
```

I usually use it to compare to the current rawhide package, so my workflow would be something like:

  1. Go into the output directory
  2. Remove the debugsource and extra debuginfo packages (all of them except the one for the library under consideration because it can't handle multiple debug files)
  3. fedabipkgdiff --from fc37 <library package name>
    NOTE: not the devel package name, that's picked up automatically.

The tool is a bit quirky. If it returns fast I know it didn't do anything since it didn't download the packages.
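Two small checks that follow from this exchange, as an added example that is not part of the ticket and not code from dcmtk, libabigail or Fedora tooling. The first reads a fedabipkgdiff report of the shape posted above and lists every library that only shows up as "Removed" under one SONAME and "Added" under another: those pairs were never actually compared, so such a report says nothing about the ABI. The second builds the abipkgdiff invocation with the -devel and -debuginfo packages, as suggested in the reply above, from two result directories laid out like the ticket's results_dcmtk/<version>/<release>/ tree. The report text and the directory tree are constructed here (empty files stand in for the rpms); the rpm naming pattern and the assumption that the library debuginfo package is named <name>-debuginfo are mine.

```shell
#!/bin/sh
# Added example, not from the ticket. Two checks around abipkgdiff for a library
# that bumps its SONAME on every release (dcmtk 3.6.6 -> 3.6.7 in the ticket).

# Constructed sample report, abbreviated from the shape posted in the ticket.
# libdropped only appears on the old side and is therefore a real removal.
SAMPLE_REPORT='Comparing the ABI of binaries between dcmtk-3.6.6-12.fc37.x86_64.rpm and dcmtk-3.6.7-1.fc37.x86_64.rpm:

Removed binaries:
  [D] /usr/lib64/libdcmdata.so.16.3.6.6, SONAME: libdcmdata.so.16
  [D] /usr/lib64/libofstd.so.16.3.6.6, SONAME: libofstd.so.16
  [D] /usr/lib64/libdropped.so.16.3.6.6, SONAME: libdropped.so.16
Added binaries:
  [A] /usr/lib64/libdcmdata.so.17.3.6.7, SONAME: libdcmdata.so.17
  [A] /usr/lib64/libofstd.so.17.3.6.7, SONAME: libofstd.so.17'

# uncompared_sonames REPORT
# Prints "<base name> <old SONAME> <new SONAME>", sorted, for every library that
# is present on both sides under different SONAMEs. Those libraries were listed
# as removed+added instead of being compared, so the report is not an ABI diff.
uncompared_sonames() {
    printf '%s\n' "$1" | awk '
        /^Removed binaries:/ { side = "D"; next }
        /^Added binaries:/   { side = "A"; next }
        /SONAME: / {
            soname = $NF
            base = soname
            sub(/\.so\..*$/, "", base)          # libdcmdata.so.16 -> libdcmdata
            if (side == "D") removed[base] = soname
            else if (side == "A") added[base] = soname
        }
        END {
            for (b in removed)
                if (b in added) print b, removed[b], added[b]
        }' | sort
}

# pick_rpm DIR GLOB
# Prints the single file in DIR matching GLOB; fails if there is not exactly one.
pick_rpm() {
    dir=$1; pattern=$2
    set -- "$dir"/$pattern
    if [ $# -ne 1 ] || [ ! -f "$1" ]; then
        echo "expected exactly one $pattern in $dir" >&2
        return 1
    fi
    printf '%s' "$1"
}

# abipkgdiff_cmd OLD_DIR NEW_DIR NAME
# Prints the abipkgdiff command line for package NAME, pairing the main rpm with
# its -devel rpm (unversioned .so symlinks) and -debuginfo rpm (DWARF for types
# and symbol names) from each directory. Assumes <name>-debuginfo holds the
# debug info for the subpackage that ships the libraries.
abipkgdiff_cmd() {
    old_dir=$1; new_dir=$2; name=$3
    old=$(pick_rpm "$old_dir" "$name-[0-9]*.rpm") || return 1
    new=$(pick_rpm "$new_dir" "$name-[0-9]*.rpm") || return 1
    old_devel=$(pick_rpm "$old_dir" "$name-devel-[0-9]*.rpm") || return 1
    new_devel=$(pick_rpm "$new_dir" "$name-devel-[0-9]*.rpm") || return 1
    old_dbg=$(pick_rpm "$old_dir" "$name-debuginfo-[0-9]*.rpm") || return 1
    new_dbg=$(pick_rpm "$new_dir" "$name-debuginfo-[0-9]*.rpm") || return 1
    printf 'abipkgdiff %s %s --devel1 %s --devel2 %s --debug-info-pkg1 %s --debug-info-pkg2 %s\n' \
        "$old" "$new" "$old_devel" "$new_devel" "$old_dbg" "$new_dbg"
}

# Constructed demo tree mirroring the ticket's results_dcmtk layout. The files
# are empty placeholders; abipkgdiff itself is not executed here.
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/3.6.6/12.fc37" "$demo_tree/3.6.7/1.fc37"
for sub in dcmtk dcmtk-devel dcmtk-debuginfo dcmtk-debugsource; do
    : > "$demo_tree/3.6.6/12.fc37/$sub-3.6.6-12.fc37.x86_64.rpm"
    : > "$demo_tree/3.6.7/1.fc37/$sub-3.6.7-1.fc37.x86_64.rpm"
done

echo "Libraries the report listed but never compared:"
uncompared_sonames "$SAMPLE_REPORT"
echo
echo "Suggested comparison:"
abipkgdiff_cmd "$demo_tree/3.6.6/12.fc37" "$demo_tree/3.6.7/1.fc37" dcmtk
```

If the first function prints every library in the package, as it would for the report above, the "no ABI differences" reading is not yet supported by the tool output; the printed abipkgdiff line is the comparison that would actually resolve the question.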

After a week+, this is APPROVED with (+3, 0, -0).

Metadata Update from @churchyard:
- Issue tagged with: pending announcement

2 years ago

Metadata Update from @churchyard:
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

2 years ago

Thanks very much folks, I'll get the ball rolling on all the builds + updates ASAP.

