On 11.09.2024 at 23:27, JB wrote:

> The GD PHP extension defines "imagecreatefromxpm" functions. How do you
> manage it if XPM support is disabled?

Oh, wow, gd/config.w32 needs to be fixed (anyway). As is, if libxpm is not available, ext/gd can't be built, which makes no sense, since the code which needs libxpm is already guarded by HAVE_GD_XPM.

> GD (libxpm) must be updated for the currently supported PHP versions to
> provide a security fix.

Yeah, although I'm not really concerned about this, since I consider it highly unlikely that any PHP code running on Windows accepts XPM images from untrusted sources.

> I have applied 5 patches on the master branch of winlibs/libxpm on
> php-win-ext fork [1] and tagged "libxpm-3.5.12-1". The patch for the
> last CVE has been manually integrated.
>
> How do we integrate this fix? Patch on winlibs-builder? PR on
> winlibs/libxpm repository?

This should be fixed in winlibs/libxpm. The patch in winlib-builder doesn't make sense; I think I did this to make it easier to update libxpm, though in hindsight this was probably a bad idea.

Christoph