Bug 735592 - media-gfx/xpaint-3.0.5 version bump (was: depends on vulnerable media-libs/openjpeg:0)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Viorel
URL: https://sourceforge.net/projects/sf-x...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-02 20:10 UTC by John Helmert III
Modified: 2021-03-31 21:27 UTC
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III gentoo-dev Security 2020-08-02 20:10:05 UTC
media-gfx/xpaint is blocking cleanup of media-libs/openjpeg for bug 711260. Can anything be done about the dependency on openjpeg:0?

https://github.com/gentoo/gentoo/pull/16909
https://qa-reports.gentoo.org/output/gentoo-ci/bcba0b96a2/output.html#media-gfx/xpaint
Comment 1 Jonas Stein gentoo-dev 2020-08-03 19:21:51 UTC
please ask upstream and link the ticket here.
https://sourceforge.net/p/sf-xpaint/bugs/
Comment 2 John Helmert III gentoo-dev Security 2020-12-11 20:10:00 UTC
(In reply to Jonas Stein from comment #1)
> please ask upstream and link the ticket here.
> https://sourceforge.net/p/sf-xpaint/bugs/

Held off on this until somebody got around to checking if the latest version upstream still depended on the vulnerable openjpeg. It looks like it doesn't:

if test x$enable_libopenjp2 = xyes; then
  CFLAGS="$CFLAGS -I/usr/include/openjpeg-2.3"
  LIBS="$LIBS -lopenjp2"
  AC_SUBST(LIBOPENJP2_LIBS)
  AC_DEFINE(HAVE_OPENJP2)
fi
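The check described in comment 2 (reading the build system to see which OpenJPEG it links) can be mechanized. The script below is an added example, not code from this bug report or from xpaint upstream. It assumes, as the Gentoo packaging does, that media-libs/openjpeg:0 (the slot affected by CVE-2018-21010) is linked as -lopenjpeg / libopenjpeg.so.1 and openjpeg:2 as -lopenjp2 / libopenjp2.so.7; the function names and the sample inputs (one of them the configure.ac fragment quoted above, the other two constructed) are ours.

```shell
#!/bin/sh
# Added example (not from the bug or from xpaint upstream): classify which
# OpenJPEG ABI a package uses, from the -l flags in its configure.ac or
# from the DT_NEEDED entries of a built binary.
# Assumption (ours): openjpeg:0 == -lopenjpeg / libopenjpeg.so.1,
#                    openjpeg:2 == -lopenjp2  / libopenjp2.so.7.

# Read a newline-separated list of -l flags or sonames on stdin and print
# one of: openjp2 | openjpeg0 | both | none
classify_openjpeg() {
    v2=0; v0=0
    while IFS= read -r lib; do
        case "$lib" in
            -lopenjp2|libopenjp2.so*)   v2=1 ;;   # OpenJPEG 2.x (openjpeg:2)
            -lopenjpeg|libopenjpeg.so*) v0=1 ;;   # OpenJPEG 1.x (openjpeg:0)
        esac
    done
    if [ "$v2" = 1 ] && [ "$v0" = 1 ]; then echo both
    elif [ "$v2" = 1 ]; then echo openjp2
    elif [ "$v0" = 1 ]; then echo openjpeg0
    else echo none; fi
}

# All -l flags in an autoconf input or a generated configure script.
link_flags_of() {
    grep -oE -- '-l[A-Za-z0-9_.+-]+' "$1"
}

# DT_NEEDED sonames from `readelf -d` output read on stdin.
needed_of() {
    sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p'
}

abi_of_buildsys() { link_flags_of "$1" | classify_openjpeg; }
abi_of_binary()   { readelf -d "$1" 2>/dev/null | needed_of | classify_openjpeg; }

# --- Demo on constructed inputs ------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# The fragment from comment 2 (current upstream): links -lopenjp2.
cat > "$tmp/configure-new.ac" <<'EOF'
if test x$enable_libopenjp2 = xyes; then
  CFLAGS="$CFLAGS -I/usr/include/openjpeg-2.3"
  LIBS="$LIBS -lopenjp2"
  AC_SUBST(LIBOPENJP2_LIBS)
  AC_DEFINE(HAVE_OPENJP2)
fi
EOF

# A constructed fragment in the old style, linking the 1.x library.
cat > "$tmp/configure-old.ac" <<'EOF'
if test x$enable_jpeg2k = xyes; then
  LIBS="$LIBS -lopenjpeg -lm"
  AC_DEFINE(HAVE_OPENJPEG)
fi
EOF

# Constructed `readelf -d` output for a binary built against openjpeg:0.
readelf_sample='
 0x0000000000000001 (NEEDED)             Shared library: [libopenjpeg.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
'

echo "configure-new.ac: $(abi_of_buildsys "$tmp/configure-new.ac")"   # openjp2
echo "configure-old.ac: $(abi_of_buildsys "$tmp/configure-old.ac")"   # openjpeg0
echo "sample binary:    $(printf '%s\n' "$readelf_sample" | needed_of | classify_openjpeg)"  # openjpeg0
```

Run it against a real tree with `abi_of_buildsys path/to/configure.ac`, or against an installed file with `abi_of_binary /usr/bin/xpaint`; a result of `openjpeg0` or `both` means the package still pulls in the slot that blocks the security cleanup. The soname check is the stronger of the two, since it reports what was actually linked rather than what the build system offers.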
Comment 3 Andreas Sturmlechner gentoo-dev 2020-12-29 09:39:25 UTC
This does not necessarily depend on bug 762298, no. media-libs/netpbm can be disabled according to the build system using --with-netpbm=no or --without-netpbm, and I would consider it a horrible enough dependency to do exactly that.
Comment 4 John Helmert III gentoo-dev Security 2020-12-29 20:39:31 UTC
(In reply to Andreas Sturmlechner from comment #3)
> This does not necessarily depend on bug 762298, no. media-libs/netpbm can be
> disabled according to the build system using --with-netpbm=no or
> --without-netpbm, and I would consider it a horrible enough dependency to do
> exactly that.

Me too, but that seems to result in a build failure when you don't have netpbm.

readWritePNM.c:20:10: fatal error: netpbm/pam.h: No such file or directory
   20 | #include <netpbm/pam.h>
      |          ^~~~~~~~~~~~~~

That file differs significantly between a CVS checkout of xpaint and the distribution tarball (it is even in a different directory). Not sure what to make of that.
Comment 5 Andreas Sturmlechner gentoo-dev 2020-12-29 21:22:45 UTC
That include is covered by #ifdef NETPBM11, and it seems to me that should not be set when configured without netpbm.

That tarball looks like a big mess though.
Comment 6 Larry the Git Cow gentoo-dev 2021-01-23 18:13:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=790cb5cba8332dea7d0b013cef7644e71402fe36

commit 790cb5cba8332dea7d0b013cef7644e71402fe36
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-01-23 18:07:55 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-01-23 18:12:57 +0000

    media-gfx/xpaint: Drop IUSE=jpeg2k, switch to media-libs/libjpeg-turbo
    
    jpeg2k was blocking CVE-2018-21010 security cleanup, good riddance.
    
    Bug: https://bugs.gentoo.org/735592
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-gfx/xpaint/xpaint-2.10.2-r1.ebuild | 83 ++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
Comment 7 Sam James archtester gentoo-dev Security 2021-01-30 10:13:10 UTC
asturm++ (delayed). Thank you!