Comments

37 Comments

Hello people! Thank you for hanging in there while I was dealing with this.


# TL;DR;

I would like to apologize for the problems caused. It was not intentional for this to happen, and I'm really sorry for that. The new packages to solve this issue are currently being built.


# WHY THIS UPDATE?

Many people do not realize that, but (URW)++ fonts are needed by ghostscript for correctly displaying PostScript, PDF and other document types, as well as for conversion between these formats. And ghostscript is also used by many other applications, like Evince, ImageMagick, etc.

Because the current package urw-fonts in Fedora was a total mess, there were problems with versioning, and the fonts were outdated, which started to be a significant problem for ghostscript, I have decided (as a ghostscript maintainer) to create a new fonts package from scratch, which would follow the Fedora Packaging Guidelines, and would be more easily maintainable in the future.


# WHAT CAUSED THESE PROBLEMS?

The main problem with this was in fontconfig priority/ordering, as many of you have found out. But to answer this properly, I need to give you more background.

Previously, the urw-fonts package was using config files from fontconfig directly. They were part of the 30-metric-aliases.conf and 30-metric-aliases.conf, in the /etc/fonts/conf.d folder.

When I was doing the "cleanup" for the new package, we agreed with the urw-base35-fonts and fontconfig upstreams to move these config files into the new package, as it is preferred by fontconfig and the FPG.

During creation of the new package, I have decided to use 35 as the new priority/ordering value. (That effectively means lowering the priority compared to the initial value of 30.) This was a safety precaution, because I wanted to make sure the new fontconfig files would not mess up the default fontconfig configuration.

We agreed with the fontconfig upstream/maintainer to do a release together via Bodhi. And here's where I made the mistake. I didn't realize that creating a new update in Bodhi for a new package would actually replace the old urw-fonts package for all users. My expectation was that it would just live in the updates repository alongside the (old) urw-fonts, and would just be available to people who would manually install the (new) urw-base35-fonts.

I wanted the new package to be ready for the new fontconfig release, and for other steps I was preparing for the transition.

For some reason, after you have updated the package, it started changing the default font configurations you had on your system. I really have no clue why it happened just now, and not before, since the fontconfig configuration was effectively on the system before as well. My wild guess is that the old urw-fonts package was such a mess that this issue had never come to the surface before?

Unfortunately, the combination of this riddle and my screw-up is what caused all of these problems for you. :(


# WHY DID IT TAKE SO LONG TO GET IT FIXED?

I learned about this issue yesterday morning, and I had the fixes ready relatively fast. However, before making a new release, I wanted to make sure it fixes everything that was reported...

I spent the rest of the day trying (I'm not kidding) to install F26, F27, and Rawhide into a VM (KVM/QEMU). And with no success... o.O The installation took so much time every time (I don't know why), and after I had finally finished the installation, it wouldn't boot up. I have tried different ways to get around it, but after several hours I gave up.

I have tested the basics that I could in our internal Fedora instances in OpenStack, and decided to release it now so as not to block the fixes any longer.


# UPDATE:

Seems like all the builds have passed successfully.


# WHAT NOW?

As I said before, I will be pushing new updates, but after discussion with the fontconfig upstream/maintainer only for F27 and Rawhide. I never wanted to endanger the released Fedora, and don't want to change that. Luckily, the Bodhi process helped to stop the updates before they reached the stable repository.

For all of you on F25 and F26 I have also created builds that you can manually download, and which should (hopefully) fix your problems for now.

After that we can try to work around how you can install urw-fonts back.

Also, if you find any problems with the new versions of the package, please let me know so I can fix it ASAP. And if you have any other feedback, feel free to lay it on me.


# FINAL THOUGHTS

Once again, I'm really sorry this happened. It was not an intentional mistake, and I have learned an important lesson from it. I appreciate all your feedback and patience.

-- Dee'Kej --

Running this myself on F25. No problem so far.

This update seems to fix my problems with AVC denials for TLP. ++

BZ#1410066 SELinux: Many AVC denials for TLP
BZ#1403964 SELinux is preventing ethtool from 'write' accesses on the file /run/tlp/lock_tlp.

Ah, OK, I'm sorry for the inconvenience... :-/ Is there any way I could prevent this in the future? I don't think not linking the CVEs' BZs is a way to go here (I will link them from multiple bodhi updates).

Well, the exact CVEs fixed are specified in the Details of the Bodhi update. IMHO that should be intuitive, but maybe I'm wrong.

And yes, only CVE-2017-7975 is fixed. CVE-2016-10317, CVE-2017-7885 and CVE-2017-7976 are not fixed. The fix for the latter will be released once upstream provides it. There's no reason to wait on the other fixes while the biggest threats can already be secured (we don't have any ETA from upstream).

P.S.: The referenced bugs will not be automatically closed once this update gets to stable.

This update has been unpushed.


I'm not able to execute the reproducer with the new package in a fresh F24 installation -> the vulnerability seems to be fixed.

BZ#1377614 CVE-2016-0634 bash: Arbitrary code execution via malicious hostname [fedora-all]
BZ#1377613 CVE-2016-0634 bash: Arbitrary code execution via malicious hostname

@goeran Thank you for the bug submission.

Since the beta of F24 has been released today, and the previous package of tcsh is non-functional, I will push this to stable so people testing F24-beta can at least use tcsh.

I hope no more problems/regressions will occur, and I will try to fix this ASAP.

My peers think I should keep this in testing for a little bit longer. I'm on PTO on Friday & Monday, so we will see how the karma looks next Tuesday.

@anonymous OK, I will discuss this with my peers again, to find the best course of action.

I would prefer to keep this in 'testing' as long as possible, because of the significant number of changes made to tcsh.

IMHO, there shouldn't be a significant problem, but just to be sure.

If there will be no problems/negative karma, I guess I will push it to stable on May 30th, 2016.

So far so good.

karma

It has fixed BZ#1244231 for me.