fontconfig_210: remove

[flokli]

fontconfig 2.10.x hasn't had a release in years, is nowhere used inside
nixpkgs and vulnerable to CVE-2016-5384.

Motivation for this change

#88289

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[flokli]

Corresponding 20.03 PR that marks this as insecure: #92921

[vcunat]

It is still used in nixos/modules/config/fonts/fontconfig.nix. I suspect we don't really need to support systems with fontconfig < 2.11 (CentOS 6 is the only one I can think of), but in that case we should look into cleaning that reference.

[flokli]

Okay, I can remove this. We might want to resurrect the code when bumping fontconfig to 2.13 and keep backwards-compat support for 2.12, but then it can easily be resurrected from the history I guess.

[flokli]

Urgh, just took a closer look - in fontconfig-conf we use $out/etc/fonts/conf.d for the old version, and $out/etc/fonts/${latestVersion}/conf.d for the more recent version… Shouldn't it be the other way around?

[prusnak]

Suggested change

	fontconfig_210 = throw "fontconfig 2.10.x hasn't had a relase in years, is nowhere used inside nixpkgs and vulnerable to CVE-2016-5384"; # 2020-07-11
	fontconfig_210 = throw "fontconfig 2.10.x hasn't had a release in years, is nowhere used inside nixpkgs and vulnerable to CVE-2016-5384"; # 2020-07-11

[worldofpeace]

Urgh, just took a closer look - in fontconfig-conf we use $out/etc/fonts/conf.d for the old version, and $out/etc/fonts/${latestVersion}/conf.d for the more recent version… Shouldn't it be the other way around?

If there's any issue see here so we can fix them in one go #73795

[vcunat]

I expect that severity of 2.10 remaining is low (in the current way). Just getting the config files from 2.10 shouldn't be vulnerable, and it seems very unlikely that someone opted in to use 2.10 in some other way. Still, it would be nice to clean this up during that 2.13/2.14 update.

[flokli]

Okay, fine to not pursue this any further if we can address this during #73795 soon - it was already suggested in #73795 (comment) anyways.

[cole-h]

Doesn't look like this made it into #73795. Should we reopen?

[flokli]

I reopened #88289.

[flokli]

@cole-h would you be up to proposing a PR addressing #88289?

[cole-h]

I'm unclear on what direction I should go in, if I were to accept. Do we want to remove 2.10, or just patch it (https://cgit.freedesktop.org/fontconfig/commit/?id=7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940, according to the vulnerability page)?

In the case we want to remove it, how should I handle the aforementioned nixos/modules/config/fonts/fontconfig.nix? I will admit, I'm not well-versed in fontconfig (much less our fontconfig situation), so I don't expect to get it right upon submission.

Once these questions are answered, I can find some time during the week to tackle this. However, I wouldn't be offended if somebody beats me to the punch... ;^)

[vcunat]

I expect we want to bump supportVersion to 212 (and thus bring back the 2.12.6 expression), at least from #73795 (comment)

[jtojnar]

2.12 is not necessary since our patched 2.14 should be compatible with 2.11+. We should just drop support version altogether once we are sure there are no regressions.