giflib appears to have a terrible security profile:

* bug 785664
* bug 851945
* bug 918539

In the latest upstream release, they indicated that they aren't interested in any sort of bug reports on invalid input.

Please consider, if appropriate, either dropping USE=gif support, package.use.masking it, or perhaps disabling it by default via package.use (given the desktop profiles enable USE=gif by default).

If this package is expected to only interact with trusted GIFs or you feel it's critical to the functionality of this package, feel free to close as WONTFIX. Thanks.

If you're not sure, consider raising this with upstream of this package to see what they suggest.

--

At a glance, it looks like libjxl either uses giflib just for a handful of things, or not at all anymore(?) I think consider speaking to upstream about it in this case.
FWICS it's only an optional dep to support decoding GIF files. I suppose we can remove it entirely.

libjpeg is used for the JPEG encoder/decoder. It's probably needed for lossless recoding of JPEG files.

libpng seems to be used for APNG decoding/encoding, but it might be that the "apng" codec is also used for regular PNG files.

I suppose we could add USE flags for them all, or keep some of them unconditional?
The cjxl tool uses libgif to convert animated GIFs into animated JXL files:

JPEG XL encoder v0.10.2 [AVX2]
Usage: cjxl INPUT OUTPUT [OPTIONS...]
 INPUT    the input can be PNG, APNG, GIF, JPEG, EXR, PPM, PFM, PAM, PGX, or JXL
 OUTPUT   the compressed JXL output file

It's fine to make a USE flag for GIF support, no problem to disable it by default, just don't remove it entirely.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=567bd29baed6d7dc3430d4eaa187170fe9027a4c

commit 567bd29baed6d7dc3430d4eaa187170fe9027a4c
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2024-06-05 10:50:48 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2024-06-05 11:03:03 +0000

    media-libs/libjxl: Add flags to control GIF, JPEG and PNG codecs

    Bug: https://bugs.gentoo.org/933165
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 media-libs/libjxl/libjxl-0.10.2-r1.ebuild | 115 +++++++++++++++++++++++++++++
 media-libs/libjxl/libjxl-0.8.2-r2.ebuild  |  94 +++++++++++++++++++++++
 media-libs/libjxl/libjxl-0.9.2-r1.ebuild  | 119 ++++++++++++++++++++++++++++++
 media-libs/libjxl/libjxl-9999.ebuild      |  14 ++--
 media-libs/libjxl/metadata.xml            |   6 +-
 5 files changed, 342 insertions(+), 6 deletions(-)
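The practical follow-up to the discussion above is to turn the new gif flag off for libjxl and then confirm that the rebuilt binaries no longer pull in giflib at all, since a codec that is merely disabled at the command line would still expose the library to any caller that can reach it. The script below is an added example written for this page; it is not code from the bug report, from the Gentoo ebuild or from the libjxl project. It assumes only readelf from binutils, uses the package.use syntax and the gif flag name that the thread itself discusses, and the readelf excerpts embedded in it are constructed samples rather than output captured from a real build. The path of the package.use file and the binary to inspect are parameters so that the functions can be tried outside /etc/portage.

```shell
#!/bin/sh
# Added example for this bug thread (not Gentoo's or libjxl's own code).
# Assumes: a POSIX shell, sed/grep, and readelf from binutils.

# Write the package.use entry that disables the GIF codec for libjxl.
# "gif" is the flag name discussed in the bug; the file path is a parameter
# (on a real system it would be a file under /etc/portage/package.use/).
write_package_use() {
    printf '%s\n' 'media-libs/libjxl -gif' > "$1"
}

# Extract the SONAMEs a binary declares as NEEDED, given `readelf -d`
# output on stdin. A matching line looks like:
#   0x0000000000000001 (NEEDED)   Shared library: [libgif.so.7]
needed_from_readelf() {
    sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p'
}

# Return 0 when the readelf output on stdin lists a library whose SONAME
# starts with "$1.so" (e.g. "libgif" matches libgif.so.7), 1 otherwise.
needs_lib() {
    needed_from_readelf | grep -q "^$1\.so"
}

# Inspect an installed binary on a real system, e.g.:
#   check_binary /usr/bin/cjxl libgif && echo "still linked against giflib"
check_binary() {
    readelf -d "$1" | needs_lib "$2"
}

# Constructed readelf -d excerpt for a cjxl built with the GIF codec on.
SAMPLE_WITH_GIF='Dynamic section at offset 0x1d8 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libjxl.so.0.10]
 0x0000000000000001 (NEEDED)             Shared library: [libgif.so.7]
 0x0000000000000001 (NEEDED)             Shared library: [libpng16.so.16]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Constructed excerpt for the same tool rebuilt with USE=-gif.
SAMPLE_WITHOUT_GIF='Dynamic section at offset 0x1d8 contains 29 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libjxl.so.0.10]
 0x0000000000000001 (NEEDED)             Shared library: [libpng16.so.16]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# When run as a script: show the two sample results, then, if a real cjxl
# is installed and readelf is available, report on the actual binary.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    printf '%s\n' "$SAMPLE_WITH_GIF"    | needs_lib libgif \
        && echo "sample with USE=gif:  links libgif"
    printf '%s\n' "$SAMPLE_WITHOUT_GIF" | needs_lib libgif \
        || echo "sample with USE=-gif: does not link libgif"
    if [ -x /usr/bin/cjxl ] && command -v readelf >/dev/null 2>&1; then
        if check_binary /usr/bin/cjxl libgif; then
            echo "/usr/bin/cjxl still links libgif; rebuild with USE=-gif"
        else
            echo "/usr/bin/cjxl does not link libgif"
        fi
    fi
fi
```

After `emerge --oneshot media-libs/libjxl` with the flag off, run the check against both cjxl and the libjxl_extras library that the tools load; a NEEDED entry for libgif on either means the codec is still compiled in, whatever the USE flag claims.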