media-gfx/xpaint is blocking cleanup of media-libs/openjpeg for bug 711260. Can anything be done about the dependency on openjpeg:0? https://github.com/gentoo/gentoo/pull/16909 https://qa-reports.gentoo.org/output/gentoo-ci/bcba0b96a2/output.html#media-gfx/xpaint
please ask upstream and link the ticket here. https://sourceforge.net/p/sf-xpaint/bugs/
(In reply to Jonas Stein from comment #1)
> please ask upstream and link the ticket here.
> https://sourceforge.net/p/sf-xpaint/bugs/

Held off on this until somebody got around to checking if the latest version upstream still depended on the vulnerable openjpeg. It looks like it doesn't:

if test x$enable_libopenjp2 = xyes; then
  CFLAGS="$CFLAGS -I/usr/include/openjpeg-2.3"
  LIBS="$LIBS -lopenjp2"
  AC_SUBST(LIBOPENJP2_LIBS)
  AC_DEFINE(HAVE_OPENJP2)
fi
This does not necessarily depend on bug 762298, no. media-libs/netpbm can be disabled according to the build system using --with-netpbm=no or --without-netpbm, and I would consider it a horrible enough dependency to do exactly that.
(In reply to Andreas Sturmlechner from comment #3)
> This does not necessarily depend on bug 762298, no. media-libs/netpbm can be
> disabled according to the build system using --with-netpbm=no or
> --without-netpbm, and I would consider it a horrible enough dependency to do
> exactly that.

Me too, but that seems to result in a build failure when you don't have netpbm.

readWritePNM.c:20:10: fatal error: netpbm/pam.h: No such file or directory
   20 | #include <netpbm/pam.h>
      |          ^~~~~~~~~~~~~~

That file differs significantly between a cvs checkout of xpaint and the distribution tarball (it is even in a different directory). Not sure what to make of that.
That include is covered by #ifdef NETPBM11, and it seems to me that should not be set when configured without netpbm. That tarball looks like a big mess though.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=790cb5cba8332dea7d0b013cef7644e71402fe36

commit 790cb5cba8332dea7d0b013cef7644e71402fe36
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-01-23 18:07:55 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-01-23 18:12:57 +0000

    media-gfx/xpaint: Drop IUSE=jpeg2k, switch to media-libs/libjpeg-turbo

    jpeg2k was blocking CVE-2018-21010 security cleanup, good riddance.

    Bug: https://bugs.gentoo.org/735592
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-gfx/xpaint/xpaint-2.10.2-r1.ebuild | 83 ++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
asturm++ (delayed). Thank you!
We're on 3.1.3 now: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4866112462debfdde734c6b9f5841108be8dbfbf.