[pkg-lxqt-devel] Bug#974616: nomacs: "charset=Ascii" appears before the comment of the image

Antoine Beaupré anarcat at debian.org
Sun Apr 4 18:47:01 BST 2021


On 2020-12-14 23:45:06, Vincent Lefevre wrote:
> Control: retitle -1 nomacs uses internal libexiv2 functions to get the user comment
> Control: severity -1 serious
> Control: tags -1 - patch
>
> On 2020-12-12 21:59:38 +0100, Vincent Lefevre wrote:
>> I'm attaching the patch I've written. There was already a function
>> that removes substrings of the form 'charset="ASCII"' case
>> insensitively. So I do the same thing with 'charset=ASCII'
>> (i.e. without the double-quotes) and 'charset=Unicode', which
>> appears when the string has non-ASCII characters.
>> 
>> Note that this function is a hack: it will remove real occurrences
>> of such strings, not just those added by libexiv2. However, there
>> is very little probability that such strings really appear in the
>> comment. And one cannot do much better to fix the issue.
>
> This is just a workaround that seems to work with the current
> libexiv2 version, but according to the upstream libexiv2 maintainer,
> nomacs uses some internal libexiv2 function, which means that an
> update of libexiv2 can break it at any time, potentially introducing
> security issues.
>
> Note that a change of behavior could have already been seen with the
> upgrade of libexiv2-27 to 0.27.3 with the appearance of spurious data
> before the comment.
>
> The correct way to get the comment with the public API is
>
>   std::string comment = Exiv2::CommentValue(value().toString()).comment();
>
> Note: The upstream nomacs version comes with a bundled libexiv2,
> meaning that this may not be an issue to use internal libexiv2
> features. Debian chose to use the shared library, thus it needs
> to replace these internals by calls to the public API.

Is this fixed upstream, in the latest 3.16 release?

I mean I understand that it *still* bundles exiv2 and friends:

https://github.com/nomacs/nomacs/tree/master/3rd-party

... but maybe their usage of the library improved?

There is #974617 for upgrading to 3.16...

a.

-- 
By now the computer has moved out of the den and into the rest of your
life. It will consume all of your spare time, and even your vacation,
if you let it. It will empty your wallet and tie up your thoughts. It
will drive away your family. Your friends will start to think of you
as a bore. And what for?
                       - The True Computerist by Tom Pittman
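
Added example, not part of the original message and not code from nomacs or the attached patch: it contrasts the substring removal described in the quoted text, which also deletes real occurrences inside the comment, with a check that accepts the marker only as a leading token. The function names and the single-space separator after the charset name are assumptions made for illustration; the thread's proposed fix remains the public libexiv2 API call quoted above.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Lower-case copy for case-insensitive matching.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// The workaround described in the thread: delete every occurrence of the
// marker, wherever it appears in the comment (hypothetical helper name).
std::string strip_everywhere(std::string s, const std::string& marker) {
    const std::string m = lower(marker);
    if (m.empty()) return s;
    for (std::size_t pos; (pos = lower(s).find(m)) != std::string::npos;)
        s.erase(pos, m.size());
    return s;
}

// Narrower variant (assumption, not nomacs code): accept only one leading
// charset=NAME or charset="NAME" token, followed by a single space.
std::string strip_leading_charset(const std::string& s) {
    static const std::string key = "charset=";
    if (lower(s.substr(0, key.size())) != key) return s;
    std::size_t i = key.size();
    const bool quoted = i < s.size() && s[i] == '"';
    if (quoted) ++i;
    const std::size_t start = i;
    while (i < s.size() && std::isalnum(static_cast<unsigned char>(s[i]))) ++i;
    if (i == start) return s;                       // no charset name present
    if (quoted) {
        if (i >= s.size() || s[i] != '"') return s; // unterminated quote
        ++i;
    }
    if (i == s.size()) return "";                   // prefix only, empty comment
    if (s[i] != ' ') return s;                      // not a standalone prefix token
    return s.substr(i + 1);
}

int main() {
    // Constructed sample: a prefix plus the same kind of text inside the comment.
    const std::string raw = "charset=Ascii use charset=Unicode for titles";
    std::cout << strip_everywhere(strip_everywhere(raw, "charset=Ascii"), "charset=Unicode") << "\n";
    std::cout << strip_leading_charset(raw) << "\n";
}
```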


