On 11/09/2024 14:55, Christoph M. Becker wrote:
> Hi all,
>
> I'm in the progress of updating all libraries required for ext/gd on
> Windows. Since libxpm hasn't been updated for quite a while (we're
> still shipping libxpm 3.5.12), I've attempted updating to libxpm 3.5.17.
> However, besides the already existing mess of needing to fetch several
> X11 header files from other repos, I've noticed that support for FOR_MSW
> builds has completely been dropped[1]. That makes it even harder to
> have a somewhat clean build.
>
> Looking a bit further, I've noticed that three vulnerabilities have been
> fixed in libxpm 3.5.15[2]; the third one doesn't affect our builds, but
> the first two likely do, causing potential DoS, if crafted XPM images
> are read by imagecreatefromxpm() (but not by imagecreatefromstring()
> since this doesn't support XPM). While it should be possible to upgrade
> to libxpm 3.5.15 (or at least to backport the respective fixes), I don't
> think it makes sense to move forward supporting XPM images with ext/gd
> on Windows. Besides that this format is typically used on Linux, it is
> grossly out-dated. Even Gif is way superior, let alone PNG.
>
> Therefore I suggest dropping XPM support from ext/gd on Windows as soon
> as possible (might be a bit late for PHP 8.4, but might still be a good
> idea). Note that XBM support is unrelated, since this is handled by the
> bundled libgd without relying on any library. Also note that
> getimagesize() is also not affected, since it doesn't support XPM anyway.
>
> Any objections, or general thoughts?
>
> [1] <https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/b30fd0918f8d99aa718ede3da30f9d29f87063e1>
> [2] <https://lists.x.org/archives/xorg-announce/2023-January/003312.html>
>
> Christoph

I agree, let's reduce that maintenance burden.

Kind regards
Niels