Summary: | media-gfx/xpaint-3.0.5 version bump (was: depends on vulnerable media-libs/openjpeg:0) | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | John Helmert III <ajak> |
Component: | Current packages | Assignee: | Viorel Munteanu <ceamac> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | jstein, proxy-maint, sam, security |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://sourceforge.net/projects/sf-xpaint/files/sf-xpaint/xpaint-3.0.5/README/download | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |

Description
John Helmert III
2020-08-02 20:10:05 UTC
please ask upstream and link the ticket here. https://sourceforge.net/p/sf-xpaint/bugs/

(In reply to Jonas Stein from comment #1)
> please ask upstream and link the ticket here.
> https://sourceforge.net/p/sf-xpaint/bugs/

Held off on this until somebody got around to checking if the latest version upstream still depended on the vulnerable openjpeg. It looks like it doesn't:

```
if test x$enable_libopenjp2 = xyes; then
  CFLAGS="$CFLAGS -I/usr/include/openjpeg-2.3"
  LIBS="$LIBS -lopenjp2"
  AC_SUBST(LIBOPENJP2_LIBS)
  AC_DEFINE(HAVE_OPENJP2)
fi
```

This does not necessarily depend on bug 762298, no. media-libs/netpbm can be disabled according to the build system using --with-netpbm=no or --without-netpbm, and I would consider it a horrible enough dependency to do exactly that.

(In reply to Andreas Sturmlechner from comment #3)
> This does not necessarily depend on bug 762298, no. media-libs/netpbm can be
> disabled according to the build system using --with-netpbm=no or
> --without-netpbm, and I would consider it a horrible enough dependency to do
> exactly that.

Me too, but that seems to result in a build failure when you don't have netpbm.

```
readWritePNM.c:20:10: fatal error: netpbm/pam.h: No such file or directory
   20 | #include <netpbm/pam.h>
      |          ^~~~~~~~~~~~~~
```

That file differs significantly between a cvs checkout of xpaint and the distribution tarball (it is even in a different directory). Not sure what to make of that

That include is covered by #ifdef NETPBM11, and it seems to me that should not be set when configured without netpbm. That tarball looks like a big mess though.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=790cb5cba8332dea7d0b013cef7644e71402fe36

```
commit 790cb5cba8332dea7d0b013cef7644e71402fe36
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-01-23 18:07:55 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-01-23 18:12:57 +0000

    media-gfx/xpaint: Drop IUSE=jpeg2k, switch to media-libs/libjpeg-turbo

    jpeg2k was blocking CVE-2018-21010 security cleanup, good riddance.

    Bug: https://bugs.gentoo.org/735592
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-gfx/xpaint/xpaint-2.10.2-r1.ebuild | 83 ++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
```

asturm++ (delayed). Thank you!