from raster-png.cxx:18:
raster-png.cxx: In function ‘gfx::ByteRaster* gfx::read_png_image(const char*)’:
raster-png.cxx:45:22: error: invalid use of incomplete type ‘png_struct’ {aka ‘struct png_struct_def’}
   45 | if( setjmp(png_ptr->jmpbuf) )
      |                   ^~
In file included from raster-png.cxx:18:

-------------------------------------------------------------------

This is an unstable amd64 chroot image at a tinderbox (==build bot)
name: 17.1_no-multilib-libressl_science-20201116-220441

-------------------------------------------------------------------

gcc-config -l:
 [1] x86_64-pc-linux-gnu-7.3.1
 [2] x86_64-pc-linux-gnu-10.2.0 *

clang version 11.0.0
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm/11/bin
/usr/lib/llvm/11
11.0.0

Available Python interpreters, in order of preference:
 [1] python3.7
 [2] python3.9 (fallback)
 [3] python3.8 (fallback)
 [4] python2.7 (fallback)

Available Rust versions:
 [1] rust-bin-1.47.0 *
 [2] rust-1.47.0

The following VMs are available for generation-2:
*) AdoptOpenJDK 8.272_p10 [openjdk-bin-8]

Available Java Virtual Machines:
 [1] openjdk-bin-8 system-vm

The Glorious Glasgow Haskell Compilation System, version 8.8.4

timestamp(s) of HEAD at this tinderbox image:
/var/db/repos/gentoo Sun Nov 22 04:05:38 AM UTC 2020
/var/db/repos/libressl Sat Nov 7 03:06:11 PM UTC 2020

emerge -qpvO media-libs/libgfx
[ebuild N ] media-libs/libgfx-1.1.0 USE="-static-libs"
Created attachment 674314 [details] emerge-info.txt
Created attachment 674317 [details] emerge-history.txt
Created attachment 674320 [details] environment
Created attachment 674323 [details] etc.portage.tbz2
Created attachment 674326 [details] logs.tbz2
Created attachment 674329 [details] media-libs:libgfx-1.1.0:20201122-050203.log
I worked on this package for about half a day, and I got it to compile. However, to do this I had to edit the source because it is so outdated. I edited the source by adding in required libraries (cstring) to a few .cxx files and commented out a part where a libpng struct was being accessed before it was defined. These changes are needed for it to compile because libpng and C++ have both been updated since this came out in 2005. I will upload the patch.

However, the tests do not work. The tests cannot find the fltk header files correctly because the build system is out of date. In addition, USE flags are not being used when they should be. Specifically, there should be USE flags for tiff, png, and jpeg.

I propose this package be dropped. My reasons for suggesting this are: the last release was in 2005, so it's very out of date; according to `equery d libgfx`, no packages depend on this one; and the ebuild needs to be updated to include dependencies, use flags, and all this would need to be tested.
Created attachment 712380 [details, diff]
This patch will allow it to compile

Only allows it to compile. It does not update the build system, update the tests so they compile, nor update the ebuild to include needed dependencies and USE flags.
We may not have to drop the package, but the patch file is incomplete because it does not patch raster-png.cxx like it does raster.cxx, and the ebuild is missing USE flags, and the code needs two lines updated due to a libpng update involving a buffer overflow vulnerability. Ignore my first patch file.

https://www.exploit-db.com/exploits/393
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/proj/sci.git/commit/?id=1853049bec92e1def4d2c1eb40b8ec66cc766f23

commit 1853049bec92e1def4d2c1eb40b8ec66cc766f23
Author:     Lucas Mitrak <lucas@lucasmitrak.com>
AuthorDate: 2021-06-03 22:16:31 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2021-06-05 12:38:22 +0000

    media-libs/libgfx: add test, dependencies, patches

    * Add test, dependencies, and new patches to ebuild
    * Add cstring to needed files due to newer version of gcc
    * Change png jmpbuf to use the newer safer method due to GLSA 200408-03

    Currently, media-libs/libgfx will not compile due to a vulnerability in
    libpng which has since been patched [1]. Therefore, the patch libPNG-1.2.5
    updates the code to libPNG's newer and safer method. This also fixes bug
    https://bugs.gentoo.org/756061. However, even with this patch the package
    will not compile due to outdated C++, so the patch gcc-4.3 updates two
    files to include cstring, which is necessary for memcpy. These patches
    will allow the package to compile. Without these patches, the package
    will not compile.

    In addition, the ebuild was updated to include these patches, as well as
    add the dependencies listed on upstream's homepage [2]. Without these
    dependencies, the package will not compile.

    Finally, a test IUSE flag as well as the src_test() function were added.
    Due to the package using outdated FLTK code, some of the tests had to be
    disabled using a sed command.

    This commit was tested in a docker image with dev-util/ebuildtester.

    This commit was written, tested, and submitted by Lucas Mitrak.

    [1] https://security.gentoo.org/glsa/200408-03
    [2] http://mgarland.org/software/libgfx.html

    Closes: https://bugs.gentoo.org/756061
    Signed-off-by: Lucas Mitrak <lucas@lucasmitrak.com>
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 media-libs/libgfx/files/1.1.0-gcc-4.3.patch      | 24 ++++++++++++++++++++++++
 media-libs/libgfx/files/1.1.0-gcc4.3.patch       | 11 -----------
 media-libs/libgfx/files/1.1.0-libPNG-1.2.5.patch | 24 ++++++++++++++++++++++++
 media-libs/libgfx/libgfx-1.1.0.ebuild            | 20 ++++++++++++++++++--
 4 files changed, 66 insertions(+), 13 deletions(-)
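
The pattern behind the jmpbuf change in the commit above, as an added example that is not code from libgfx, libpng or the commit itself. Current libpng keeps `png_struct` opaque and exposes the jump buffer through `png_jmpbuf()`, which is why `setjmp(png_ptr->jmpbuf)` no longer compiles; the `mock_*` names below are hypothetical stand-ins for that API so the file builds without libpng, and the input bytes are constructed.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdlib.h>

/* Public-header view (hypothetical stand-in for png.h): the type is opaque. */
typedef struct mock_png mock_png;
mock_png *mock_create(void);
void mock_destroy(mock_png *p);
jmp_buf *mock_set_longjmp(mock_png *p);
void mock_read(mock_png *p, const unsigned char *data, size_t len);
#define mock_jmpbuf(p) (*mock_set_longjmp(p))  /* plays the role of png_jmpbuf() */

/* Client code: only the incomplete type is in scope here, so reaching into
   the struct (`setjmp(p->jb)`) would not compile; the accessor is the API. */
int load_image(const unsigned char *data, size_t len)
{
    mock_png *p = mock_create();
    if (p == NULL)
        return -1;
    if (setjmp(mock_jmpbuf(p))) {   /* decoder errors land here */
        mock_destroy(p);
        return -1;
    }
    mock_read(p, data, len);
    mock_destroy(p);
    return 0;
}

/* Library side: the only place that knows the struct layout. */
struct mock_png { jmp_buf jb; };

mock_png *mock_create(void) { return calloc(1, sizeof(mock_png)); }
void mock_destroy(mock_png *p) { free(p); }
jmp_buf *mock_set_longjmp(mock_png *p) { return &p->jb; }

void mock_read(mock_png *p, const unsigned char *data, size_t len)
{
    /* Constructed check: a PNG signature starts with byte 0x89. */
    if (len < 1 || data[0] != 0x89)
        longjmp(p->jb, 1);          /* report the error to the caller */
}

int main(void)
{
    const unsigned char good[] = { 0x89, 'P', 'N', 'G' };  /* constructed */
    const unsigned char bad[]  = { 'G', 'I', 'F', '8' };   /* constructed */
    return (load_image(good, sizeof good) == 0 &&
            load_image(bad, sizeof bad) == -1) ? 0 : 1;
}
```

With real libpng the client line becomes `if (setjmp(png_jmpbuf(png_ptr)))`, with the cleanup calls on the error path.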