media-gfx/xpaint is blocking cleanup of media-libs/openjpeg for bug 711260. Can anything be done about the dependency on openjpeg:0?
Please ask upstream and link the ticket here.
(In reply to Jonas Stein from comment #1)
> Please ask upstream and link the ticket here.
Held off on this until somebody got around to checking if the latest version upstream still depended on the vulnerable openjpeg. It looks like it doesn't:
if test x$enable_libopenjp2 = xyes; then
This does not necessarily depend on bug 762298, no. media-libs/netpbm can be disabled according to the build system using --with-netpbm=no or --without-netpbm, and I would consider it a horrible enough dependency to do exactly that.
(In reply to Andreas Sturmlechner from comment #3)
> This does not necessarily depend on bug 762298, no. media-libs/netpbm can be
> disabled according to the build system using --with-netpbm=no or
> --without-netpbm, and I would consider it a horrible enough dependency to do
> exactly that.
Me too, but that seems to result in a build failure when you don't have netpbm.
readWritePNM.c:20:10: fatal error: netpbm/pam.h: No such file or directory
20 | #include <netpbm/pam.h>
That file differs significantly between a CVS checkout of xpaint and the distribution tarball (it is even in a different directory). Not sure what to make of that.
That include is covered by #ifdef NETPBM11, and it seems to me that should not be set when configured without netpbm.
That tarball looks like a big mess though.
The bug has been referenced in the following commit(s):
Author: Andreas Sturmlechner <firstname.lastname@example.org>
AuthorDate: 2021-01-23 18:07:55 +0000
Commit: Andreas Sturmlechner <email@example.com>
CommitDate: 2021-01-23 18:12:57 +0000
media-gfx/xpaint: Drop IUSE=jpeg2k, switch to media-libs/libjpeg-turbo
jpeg2k was blocking CVE-2018-21010 security cleanup, good riddance.
Package-Manager: Portage-3.0.14, Repoman-3.0.2
Signed-off-by: Andreas Sturmlechner <firstname.lastname@example.org>
media-gfx/xpaint/xpaint-2.10.2-r1.ebuild | 83 ++++++++++++++++++++++++++++++++
1 file changed, 83 insertions(+)
asturm++ (delayed). Thank you!
We're on 3.1.3 now: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4866112462debfdde734c6b9f5841108be8dbfbf.