GIFLIB upstream has accepted my solution for the reallocarray problem (bug #651820 comment #11, bug #651820 comment #15), but then they deleted the Autotools build system and added a custom Makefile:
https://sourceforge.net/p/giflib/code/ci/95785572710fa6cdb6755b65293dea69f4ad1f61/
https://sourceforge.net/p/giflib/code/ci/5fdd280d0049b7ee70f2ef1a8100b1473086e3eb/

This results in a lack of automatic detection of the availability of reallocarray.

The comment added later in an unrelated commit has incomplete advice:
https://sourceforge.net/p/giflib/code/ci/ee776f920f144262f938738619a69e7d0af8e1ca/
"""
# If your platform has the OpenBSD reallocarray(3) call, you may
# add -DHAVE_REALLOCARRAY to CFLAGS to use that, saving a bit
# of code space in the shared library.
"""

_GNU_SOURCE must also be defined (so "-D_GNU_SOURCE -DHAVE_REALLOCARRAY") in order for the libc header to declare reallocarray.

If only the above change is made, then libgif.so.7 would contain both the undefined symbol "reallocarray@GLIBC_2.26" and the defined symbol "openbsd_reallocarray". So it is better to disable compilation of the openbsd-reallocarray.c file.
("reallocarray@@GLIBC_2.26" is defined in libc.so.)
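An added example (not GIFLIB's or the ebuild's code) of the compile-time selection described in the comment above: built with -D_GNU_SOURCE -DHAVE_REALLOCARRAY it calls the libc function and compiles no fallback; built without HAVE_REALLOCARRAY it compiles a local overflow-checked fallback. The names fallback_reallocarray, checked_reallocarray and grow_raster are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef HAVE_REALLOCARRAY
/* libc provides the function (pass -D_GNU_SOURCE as well so that the header
 * declares it); the fallback below is not compiled, so the object carries
 * only an undefined reference that libc resolves. */
#define checked_reallocarray reallocarray
#else
/* Hypothetical fallback: refuse requests where nmemb * size would wrap. */
static void *fallback_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    if (size != 0 && nmemb > SIZE_MAX / size) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, nmemb * size);
}
#define checked_reallocarray fallback_reallocarray
#endif

/* Resize *buf to width * height bytes.
 * Returns 0 on success, -1 on failure; on failure *buf is left untouched. */
int grow_raster(unsigned char **buf, size_t width, size_t height)
{
    unsigned char *p = checked_reallocarray(*buf, width, height);
    if (p == NULL)
        return -1;
    *buf = p;
    return 0;
}

int main(void)
{
    unsigned char *raster = NULL;
    /* Constructed sample dimensions: one sane request, one that would wrap. */
    int ok = grow_raster(&raster, 640, 480);
    int wrapped = grow_raster(&raster, SIZE_MAX / 2, 4);
    printf("640x480: %d, wrapping request: %d\n", ok, wrapped);
    free(raster);
    return 0;
}
```

Both build variants reject the wrapping request the same way; the difference is only whether the check lives in libc or in the library's own object code.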
Created attachment 565250: Patch
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68b03f76599d145f0fe00ba9da0a45fb2c193fca

commit 68b03f76599d145f0fe00ba9da0a45fb2c193fca
Author:     Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
AuthorDate: 2019-02-14 04:35:45 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-02-14 12:26:10 +0000

    media-libs/giflib: Use reallocarray() if available.

    Closes: https://bugs.gentoo.org/677956
    Signed-off-by: Arfrever Frehtes Taifersar Arahesis <Arfrever@Apache.Org>
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-libs/giflib/{giflib-5.1.6.ebuild => giflib-5.1.6-r1.ebuild} | 7 +++++++
 1 file changed, 7 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=033629cddfc22d7bcead70daa7b6eaa76f0bc623

commit 033629cddfc22d7bcead70daa7b6eaa76f0bc623
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-05-30 03:50:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-30 03:53:53 +0000

    media-libs/giflib: add 5.2.2

    The release notes mention CVE-2023-48161 and CVE-2022-28506 by CVE but
    there's a bunch of other security fixes in the list of fixes.

    The documentation in this release also adds:
    """
    +<refsect1><title>Bugs</title>
    +
    +<para>Feeding this utility a GIF with an invalid colormap, or other
    +kinds of malformations, index will produce invalid output and may
    +core-dump the tool. Don't do that.</para>
    +
    +</refsect1>
    """

    Anyway, on the ebuild side:
    * Replace Makefile patch for doc building conditionally with a sed
    * Make tests more verbose (needed it when debugging bug #848807)
    * Cleanup reallocarray hack (bug #677956)
    * Add LFS support (bug #915316)

    Bug: https://bugs.gentoo.org/677956
    Bug: https://bugs.gentoo.org/785664
    Bug: https://bugs.gentoo.org/851945
    Bug: https://bugs.gentoo.org/918539
    Closes: https://bugs.gentoo.org/848807
    Closes: https://bugs.gentoo.org/915316
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/giflib/Manifest                         |  1 +
 media-libs/giflib/files/giflib-5.2.2-fortify.patch | 27 ++++++++
 .../giflib/files/giflib-5.2.2-verbose-tests.patch  | 74 +++++++++++++++++++++
 media-libs/giflib/giflib-5.2.2.ebuild              | 76 ++++++++++++++++++++++
 4 files changed, 178 insertions(+)