933164 – app-misc/tracker-miners: consider dropping or masking USE=gif due to problematic media-libs/giflib dependency

Bug 933164 - app-misc/tracker-miners: consider dropping or masking USE=gif due to problematic media-libs/giflib dependency

Summary: app-misc/tracker-miners: consider dropping or masking USE=gif due to problema...

Status:	CONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Linux Gnome Desktop Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	933163
	Show dependency tree

Reported:	2024-05-30 04:15 UTC by Sam James
Modified:	2024-05-30 04:15 UTC (History)
CC List:	0 users

See Also:	CVE-2023-5557
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2024-05-30 04:15:28 UTC

giflib appears to have a terrible security profile:
* bug 785664 	
* bug 851945
* bug 918539

In the latest upstream release, they indicated that they aren't interested in any sort of bug reports on invalid input.

Please consider, if appropriate, either dropping USE=gif support, package.use.masking it, or perhaps disabling it by default via package.use (given the desktop profiles enable USE=gif by default).

If this package is expected to only interact with trusted gifs or you feel it's critical to the functionality of this package, feel free to close as WONTFIX. Thanks.

If you're not sure, consider raising this with upstream of this package to see what they suggest.

---

Perhaps in the context of bug #916378, upstream may want to drop use entirely.