[pkg-lxqt-devel] Bug#974616: nomacs: "charset=Ascii" appears before the comment of the image

Vincent Lefevre vincent at vinc17.net
Mon Dec 14 22:45:06 GMT 2020


Control: retitle -1 nomacs uses internal libexiv2 functions to get the user comment
Control: severity -1 serious
Control: tags -1 - patch

On 2020-12-12 21:59:38 +0100, Vincent Lefevre wrote:
> I'm attaching the patch I've written. There was already a function
> that removes substrings of the form 'charset="ASCII"' case
> insensitively. So I do the same thing with 'charset=ASCII'
> (i.e. without the double-quotes) and 'charset=Unicode', which
> appears when the string has non-ASCII characters.
> 
> Note that this function is a hack: it will remove real occurrences
> of such strings, not just those added by libexiv2. However, there
> is very little probability that such strings really appear in the
> comment. And one cannot do much better to fix the issue.

This is just a workaround that seems to work with the current
libexiv2 version, but according to the upstream libexiv2 maintainer,
nomacs uses some internal libexiv2 function, which means that an
update of libexiv2 can break it at any time, potentially introducing
security issues.

Note that a change of behavior could have already been seen with the
upgrade of libexiv2-27 to 0.27.3 with the appearance of spurious data
before the comment.

The correct way to get the comment with the public API is

  std::string comment = Exiv2::CommentValue(value().toString()).comment();

Note: The upstream nomacs version comes with a bundled libexiv2,
meaning that this may not be an issue to use internal libexiv2
features. Debian chose to use the shared library, thus it needs
to replace these internals by calls to the public API.

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
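
An added illustration, not part of the original message and not nomacs or libexiv2 code: the workaround deletes the charset token anywhere in the comment, whereas a parser that accepts the specification only at the start of the string leaves the user's own text intact. The function names, the list of accepted charset names and the sample string are assumptions constructed for this sketch.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// True if s contains lit at offset pos, ignoring ASCII case.
static bool iequals_at(const std::string& s, std::size_t pos, const std::string& lit) {
    if (pos > s.size() || s.size() - pos < lit.size()) return false;
    return std::equal(lit.begin(), lit.end(), s.begin() + pos, [](char a, char b) {
        return std::tolower((unsigned char)a) == std::tolower((unsigned char)b);
    });
}

// Sketch of the workaround: delete every occurrence, wherever it appears.
std::string strip_everywhere(std::string s) {
    static const std::string tokens[] = {"charset=\"ascii\"", "charset=ascii", "charset=unicode"};
    for (const auto& t : tokens)
        for (std::size_t i = 0; i + t.size() <= s.size();)
            if (iequals_at(s, i, t)) s.erase(i, t.size()); else ++i;
    return s;
}

struct Comment { std::string charset, text; };

// Accept a charset specification only at the very start of the string.
Comment split_leading_charset(const std::string& s) {
    static const std::string key = "charset=";
    static const std::string known[] = {"ascii", "jis", "unicode", "undefined"};
    if (!iequals_at(s, 0, key)) return {"", s};
    const std::size_t sp = s.find(' ', key.size());
    std::string name = s.substr(key.size(), sp == std::string::npos ? sp : sp - key.size());
    if (name.size() >= 2 && name.front() == '"' && name.back() == '"')
        name = name.substr(1, name.size() - 2);
    const bool ok = std::any_of(std::begin(known), std::end(known), [&](const std::string& k) {
        return k.size() == name.size() && iequals_at(name, 0, k);
    });
    if (!ok) return {"", s};  // unknown name: leave the string untouched
    return {name, sp == std::string::npos ? std::string() : s.substr(sp + 1)};
}

int main() {
    const std::string raw = "charset=Ascii see charset=Unicode note";  // constructed sample
    std::cout << '[' << strip_everywhere(raw) << "]\n";
    std::cout << '[' << split_leading_charset(raw).text << "]\n";
}
```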


