Re: ext/gd: drop XPM support on Windows
On 11/09/2024 14:55, Christoph M. Becker wrote:
> Hi all,
>
> I'm in the process of updating all libraries required for ext/gd on
> Windows. Since libxpm hasn't been updated for quite a while (we're
> still shipping libxpm 3.5.12), I've attempted updating to libxpm 3.5.17.
> However, besides the already existing mess of needing to fetch several
> X11 header files from other repos, I've noticed that support for FOR_MSW
> builds has completely been dropped[1]. That makes it even harder to
> have a somewhat clean build.
>
> Looking a bit further, I've noticed that three vulnerabilities have been
> fixed in libxpm 3.5.15[2]; the third one doesn't affect our builds, but
> the first two likely do, causing potential DoS, if crafted XPM images
> are read by imagecreatefromxpm() (but not by imagecreatefromstring()
> since this doesn't support XPM). While it should be possible to upgrade
> to libxpm 3.5.15 (or at least to backport the respective fixes), I don't
> think it makes sense to move forward supporting XPM images with ext/gd
> on Windows. Besides that this format is typically used on Linux, it is
> grossly out-dated. Even Gif is way superior, let alone PNG.
>
> Therefore I suggest dropping XPM support from ext/gd on Windows as soon
> as possible (might be a bit late for PHP 8.4, but might still be a good
> idea). Note that XBM support is unrelated, since this is handled by the
> bundled libgd without relying on any library. Also note that
> getimagesize() is also not affected, since it doesn't support XPM anyway.
>
> Any objections, or general thoughts?
>
> [1]
> <https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/b30fd0918f8d99aa718ede3da30f9d29f87063e1>
> [2] <https://lists.x.org/archives/xorg-announce/2023-January/003312.html>
>
> Christoph
I agree, let's reduce that maintenance burden.
Kind regards
Niels