Re: gdk-pixbuf removing several icon loaders
On Mon, May 13, 2024 at 1:36 PM Michael Catanzaro wrote: > gdk-pixbuf 2.42.11 has dropped support for several uncommon image > formats. This is causing several applications to crash in Fedora > rawhide [1][2]. (The change also got backported to F40 and F39, but > I've reverted it there.) Thanks Michael. The affected image formats are ANI, BMP, ICNS, ICO, PNM, QTIF, TGA, XBM, and XPM. Two classes of applications are affected: - Applications that use gdk-pixbuf for displaying UI elements in older formats, e.g. GKrellM and XSane both use XPMs and are both crashing in F41 right now. - Applications that use gdk-pixbuf for displaying user-supplied images, e.g. Eye of GNOME, Nautilus, and OpenSlide. These don't crash, but currently can't load the affected formats in F41. gdk-pixbuf upstream is discussing splitting these loaders out into a separate project. Once the plan firms up, I'll package the new project for F41. --Benjamin Gilbert -- ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: gdk-pixbuf removing several icon loaders
On Mon, May 13 2024 at 08:50:04 PM +02:00:00, Fabio Valentini wrote: Just out of curiosity, would glycin be a better mechanism than gdk-pixbuf for loading "untrusted" images / "unsafe" image formats? Its loaders are sandboxed via SECCOMP and support for most image formats is implemented in Rust (except HEIF and JPEG-XL - they use the C reference implementations). In theory, yes indeed. It should now be possible since [1]. Would be good if interested developers could investigate this. [1] https://gitlab.gnome.org/sophie-h/glycin/-/merge_requests/68 -- ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: gdk-pixbuf removing several icon loaders
On Mon, May 13, 2024 at 8:36 PM Michael Catanzaro wrote: > > Hi, > > gdk-pixbuf 2.42.11 has dropped support for several uncommon image > formats. This is causing several applications to crash in Fedora > rawhide [1][2]. (The change also got backported to F40 and F39, but > I've reverted it there.) > > Benjamin Gilbert has proposed reenabling the removed loaders [3], but > this is not likely to be accepted upstream. So he's currently planning > to package the removed loaders for Fedora in a separate package. You'll > be able to depend on these if needed to avoid crashing, but please do > so only if you really need to, since the goal of removing the extra > loaders is to reduce attack surface. (Unfortunately gdk-pixbuf is a > fairly risky dependency: many applications require it, but it's not > very safe.) Most applications should use modern image formats instead. Just out of curiosity, would glycin be a better mechanism than gdk-pixbuf for loading "untrusted" images / "unsafe" image formats? Its loaders are sandboxed via SECCOMP and support for most image formats is implemented in Rust (except HEIF and JPEG-XL - they use the C reference implementations). (It looks like the Rust "image" crate doesn't - yet - support some obscure image formats like XPM, so it wouldn't help in this particular case, though.) Fabio -- ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
gdk-pixbuf removing several icon loaders
Hi, gdk-pixbuf 2.42.11 has dropped support for several uncommon image formats. This is causing several applications to crash in Fedora rawhide [1][2]. (The change also got backported to F40 and F39, but I've reverted it there.) Benjamin Gilbert has proposed reenabling the removed loaders [3], but this is not likely to be accepted upstream. So he's currently planning to package the removed loaders for Fedora in a separate package. You'll be able to depend on these if needed to avoid crashing, but please do so only if you really need to, since the goal of removing the extra loaders is to reduce attack surface. (Unfortunately gdk-pixbuf is a fairly risky dependency: many applications require it, but it's not very safe.) Most applications should use modern image formats instead. Michael [1] https://bugzilla.redhat.com/show_bug.cgi?id=2276464 [2] https://bugzilla.redhat.com/show_bug.cgi?id=2276661 [3] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/169 [4] https://src.fedoraproject.org/rpms/gdk-pixbuf2/pull-request/4#comment-198909 -- ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue