Summary: media-gfx/xpaint-3.0.5 version bump (was: depends on vulnerable media-libs/openjpeg:0)
Product: Gentoo Linux
Reporter: John Helmert III <ajak>
Component: Current packages
Assignee: Viorel <ceamac.paragon>
Severity: normal
CC: jstein, proxy-maint, sam, security
Package list: (none)
Runtime testing required: ---
Description John Helmert III 2020-08-02 20:10:05 UTC
media-gfx/xpaint is blocking cleanup of media-libs/openjpeg for bug 711260. Can anything be done about the dependency on openjpeg:0?

https://github.com/gentoo/gentoo/pull/16909
https://qa-reports.gentoo.org/output/gentoo-ci/bcba0b96a2/output.html#media-gfx/xpaint
Comment 1 Jonas Stein 2020-08-03 19:21:51 UTC
Please ask upstream and link the ticket here.

https://sourceforge.net/p/sf-xpaint/bugs/
Comment 2 John Helmert III 2020-12-11 20:10:00 UTC
(In reply to Jonas Stein from comment #1)
> please ask upstream and link the ticket here.
> https://sourceforge.net/p/sf-xpaint/bugs/

Held off on this until somebody got around to checking if the latest version upstream still depended on the vulnerable openjpeg. It looks like it doesn't:

    if test x$enable_libopenjp2 = xyes; then
        CFLAGS="$CFLAGS -I/usr/include/openjpeg-2.3"
        LIBS="$LIBS -lopenjp2"
        AC_SUBST(LIBOPENJP2_LIBS)
        AC_DEFINE(HAVE_OPENJP2)
    fi
Comment 3 Andreas Sturmlechner 2020-12-29 09:39:25 UTC
This does not necessarily depend on bug 762298, no. media-libs/netpbm can be disabled according to the build system using --with-netpbm=no or --without-netpbm, and I would consider it a horrible enough dependency to do exactly that.
Comment 4 John Helmert III 2020-12-29 20:39:31 UTC
(In reply to Andreas Sturmlechner from comment #3)
> This does not necessarily depend on bug 762298, no. media-libs/netpbm can be
> disabled according to the build system using --with-netpbm=no or
> --without-netpbm, and I would consider it a horrible enough dependency to do
> exactly that.

Me too, but that seems to result in a build failure when you don't have netpbm:

    readWritePNM.c:20:10: fatal error: netpbm/pam.h: No such file or directory
       20 | #include <netpbm/pam.h>
          |          ^~~~~~~~~~~~~~

That file differs significantly between a cvs checkout of xpaint and the distribution tarball (it is even in a different directory). Not sure what to make of that.
Comment 5 Andreas Sturmlechner 2020-12-29 21:22:45 UTC
That include is covered by #ifdef NETPBM11, and it seems to me that should not be set when configured without netpbm. That tarball looks like a big mess though.
Comment 6 Larry the Git Cow 2021-01-23 18:13:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=790cb5cba8332dea7d0b013cef7644e71402fe36

    commit 790cb5cba8332dea7d0b013cef7644e71402fe36
    Author:     Andreas Sturmlechner <email@example.com>
    AuthorDate: 2021-01-23 18:07:55 +0000
    Commit:     Andreas Sturmlechner <firstname.lastname@example.org>
    CommitDate: 2021-01-23 18:12:57 +0000

        media-gfx/xpaint: Drop IUSE=jpeg2k, switch to media-libs/libjpeg-turbo

        jpeg2k was blocking CVE-2018-21010 security cleanup, good riddance.

        Bug: https://bugs.gentoo.org/735592
        Package-Manager: Portage-3.0.14, Repoman-3.0.2
        Signed-off-by: Andreas Sturmlechner <email@example.com>

     media-gfx/xpaint/xpaint-2.10.2-r1.ebuild | 83 ++++++++++++++++++++++++++++++++
     1 file changed, 83 insertions(+)
Comment 7 Sam James 2021-01-30 10:13:10 UTC
asturm++ (delayed). Thank you!
Comment 8 Sam James 2021-03-31 21:27:40 UTC