[pkg-lxqt-devel] Bug#974616: nomacs uses internal libexiv2 functions to get the user comment

Vincent Lefevre vincent at vinc17.net
Fri Jan 6 03:04:00 GMT 2023


Control: found -1 3.17.2206+dfsg-1

Since charset=Ascii still appears before the "User Comment" metadata
of the image, this shows that nomacs still uses internal libexiv2
functions, which could silently yield erratic behavior (and possibly
security issues) in case such functions change.

Perhaps a workaround could be to have a versioned dependency on
libexiv2-27 to stick to the current version (a manual check would
be needed for any update of libexiv2-27, including a minor one,
without a soname change).

On 2020-12-12 21:59:38 +0100, Vincent Lefevre wrote:
> I'm attaching the patch I've written. There was already a function
> that removes substrings of the form 'charset="ASCII"' case
> insensitively. So I do the same thing with 'charset=ASCII'
> (i.e. without the double-quotes) and 'charset=Unicode', which
> appears when the string has non-ASCII characters.
> 
> Note that this function is a hack: it will remove real occurrences
> of such strings, not just those added by libexiv2. However, there
> is very little probability that such strings really appear in the
> comment. And one cannot do much better to fix the issue.

For those interested, I've attached an updated version of my patch
(but as with the current nomacs code, there is absolutely no guarantee
of the behavior in case the libexiv2 library is updated).

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nomacs-317-exiv2-charset.patch
Type: text/x-diff
Size: 1063 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxqt-devel/attachments/20230106/44873e35/attachment.patch>
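
The substring-stripping hack described in the quoted 2020 message, as an added C++ illustration that is neither the attached patch nor nomacs code: `stripCharsetMarkers` and `toLowerAscii` are hypothetical names, the sample comments are constructed, and trimming the separator space after the marker is an assumption. The last sample shows the limitation the message points out: a real occurrence of such a string inside the comment is removed too.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper: lower-case ASCII letters so markers can be matched
// case-insensitively. Bytes >= 0x80 (UTF-8 text) are left unchanged.
static std::string toLowerAscii(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
        return static_cast<char>(std::tolower(c));
    });
    return s;
}

// Remove every case-insensitive occurrence of the three markers named in the
// message: charset="ASCII", charset=ASCII and charset=Unicode.
std::string stripCharsetMarkers(const std::string& comment) {
    static const std::vector<std::string> markers = {
        "charset=\"ascii\"", "charset=unicode", "charset=ascii"};
    std::string out = comment;
    for (const std::string& m : markers) {
        std::string lower = toLowerAscii(out);
        std::size_t pos = 0;
        while ((pos = lower.find(m, pos)) != std::string::npos) {
            out.erase(pos, m.size());
            lower.erase(pos, m.size());  // keep both strings index-aligned
        }
    }
    // Assumption: a separator space follows the marker, so trim the
    // whitespace left behind at the start of the comment.
    std::size_t first = out.find_first_not_of(" \t");
    return first == std::string::npos ? std::string() : out.substr(first);
}

int main() {
    // Constructed samples; the last one contains a marker the user typed.
    const std::vector<std::string> samples = {
        "charset=Ascii Holiday 2022",
        "charset=\"ASCII\" test",
        "charset=Ascii set charset=Unicode in the header"};
    for (const std::string& s : samples)
        std::cout << '[' << stripCharsetMarkers(s) << "]\n";
    return 0;
}
```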

