Bug 933165 - media-libs/libjxl: examine media-libs/giflib dependency
Summary: media-libs/libjxl: examine media-libs/giflib dependency
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Daniel Novomeský
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 933163
Reported: 2024-05-30 04:18 UTC by Sam James
Modified: 2024-06-05 11:04 UTC

See Also:
Package list:
Runtime testing required: ---


Description: Sam James (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2024-05-30 04:18:05 UTC
giflib appears to have a terrible security profile:
* bug 785664
* bug 851945
* bug 918539

In the latest upstream release, they indicated that they aren't interested in any sort of bug reports on invalid input.

Please consider, if appropriate, either dropping USE=gif support, package.use.masking it, or perhaps disabling it by default via package.use (given the desktop profiles enable USE=gif by default).

If this package is expected to only interact with trusted gifs or you feel it's critical to the functionality of this package, feel free to close as WONTFIX. Thanks.

If you're not sure, consider raising this with upstream of this package to see what they suggest.

--

At a glance, it looks like libjxl either uses giflib just for a handful of things, or not at all anymore(?)

I think it's worth considering speaking to upstream about it in this case.
Comment 1: Michał Górny (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2024-05-30 16:10:44 UTC
FWICS it's only an optional dep to support decoding GIF files.  I suppose we can remove it entirely.

libjpeg is used for JPEG encoder/decoder.  It's probably needed for lossless recoding of JPEG files.

libpng seems to be used for APNG decoding/encoding, but it might be that "apng" codec is also used for regular PNG files.

I suppose we could add USE flags for them all, or keep some of them unconditional?
Comment 2: Daniel Novomeský 2024-05-31 16:14:56 UTC
The cjxl tool uses libgif to convert an animated GIF into an animated JXL file:

JPEG XL encoder v0.10.2 [AVX2]
Usage: cjxl INPUT OUTPUT [OPTIONS...]
 INPUT
    the input can be PNG, APNG, GIF, JPEG, EXR, PPM, PFM, PAM, PGX, or JXL
 OUTPUT
    the compressed JXL output file

It's fine to make a USE flag for GIF support; no problem disabling it by default, just don't remove it entirely.
Comment 3: Larry the Git Cow (gentoo-dev) 2024-06-05 11:04:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=567bd29baed6d7dc3430d4eaa187170fe9027a4c

commit 567bd29baed6d7dc3430d4eaa187170fe9027a4c
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2024-06-05 10:50:48 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2024-06-05 11:03:03 +0000

    media-libs/libjxl: Add flags to control GIF, JPEG and PNG codecs
    
    Bug: https://bugs.gentoo.org/933165
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 media-libs/libjxl/libjxl-0.10.2-r1.ebuild | 115 +++++++++++++++++++++++++++++
 media-libs/libjxl/libjxl-0.8.2-r2.ebuild  |  94 +++++++++++++++++++++++
 media-libs/libjxl/libjxl-0.9.2-r1.ebuild  | 119 ++++++++++++++++++++++++++++++
 media-libs/libjxl/libjxl-9999.ebuild      |  14 ++--
 media-libs/libjxl/metadata.xml            |   6 +-
 5 files changed, 342 insertions(+), 6 deletions(-)
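The resolution agreed in Comment 2 and implemented by the commit above is to keep the GIF path but gate each optional codec library behind a USE flag, so that a system built with USE=-gif never links giflib at all. The fragment below is an added illustration of that pattern and is not the ebuild from the commit; the flag defaults (gif off, jpeg and png on), the KEYWORDS, and the CMake variable names (CMAKE_DISABLE_FIND_PACKAGE_<Pkg> is a standard CMake knob for non-REQUIRED find_package() calls; JPEGXL_BUNDLE_LIBPNG is assumed to be the libjxl option that controls the bundled libpng copy) are assumptions chosen for the example.

```ebuild
# Added example, not the ebuild from commit 567bd29: an illustrative fragment
# showing one way to gate giflib, libjpeg and libpng behind USE flags.
# Flag defaults, KEYWORDS and the CMake variable names are assumptions.
EAPI=8

inherit cmake

DESCRIPTION="JPEG XL image format reference implementation"
HOMEPAGE="https://github.com/libjxl/libjxl"

LICENSE="BSD"
SLOT="0/${PV}"
KEYWORDS="~amd64"

# gif is left off by default here so giflib is only pulled in on request
# (assumption: the real default is a per-profile decision).
IUSE="gif +jpeg +png"

# Each codec library is a dependency only when its flag is set. The :=
# slot operator makes portage rebuild libjxl on a giflib/libpng ABI bump.
RDEPEND="
	app-arch/brotli:=
	dev-libs/highway
	media-libs/lcms:2=
	gif? ( media-libs/giflib:= )
	jpeg? ( media-libs/libjpeg-turbo:= )
	png? ( media-libs/libpng:= )
"
DEPEND="${RDEPEND}"

src_configure() {
	local mycmakeargs=(
		# Build cjxl/djxl; these are what consume GIF input.
		-DJPEGXL_ENABLE_TOOLS=ON
		# Never let the build fall back to a bundled libpng when the
		# system one is disabled (assumed option name, see lead-in).
		-DJPEGXL_BUNDLE_LIBPNG=OFF
		# libjxl's extras library auto-detects these with find_package().
		# Setting CMAKE_DISABLE_FIND_PACKAGE_<Pkg>=yes makes the search
		# fail even when the library is installed, so USE=-gif produces a
		# build with no giflib symbols or DT_NEEDED entry at all.
		# usex '!gif' yields "yes" when the flag is unset, "no" otherwise.
		-DCMAKE_DISABLE_FIND_PACKAGE_GIF=$(usex !gif)
		-DCMAKE_DISABLE_FIND_PACKAGE_JPEG=$(usex !jpeg)
		-DCMAKE_DISABLE_FIND_PACKAGE_PNG=$(usex !png)
	)
	cmake_src_configure
}
```

Disabling the find_package() call is preferable to merely dropping the dependency from RDEPEND: with only the latter, a giflib already present on the box would still be picked up at configure time and the package would link it without portage recording the dependency. A user who wants the per-package opt-out from the description can put `media-libs/libjxl -gif` in /etc/portage/package.use; after rebuilding, `ldd "$(command -v cjxl)"` and `ldd /usr/lib64/libjxl_extras*.so` should list no libgif entry.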