Control: reopen -1
Control: severity -1 important

On Mon, 14 Dec 2020 23:32:16 +0100 Vincent Lefevre <vinc...@vinc17.net> wrote:
> Control: severity -1 serious
> 
> According to the upstream libexiv2 maintainer, gthumb uses some
> internal libexiv2 function, which means that an update of libexiv2
> can break it at any time, potentially introducing security issues.
> 
> Note that a change of behavior could have already been seen with
> the upgrade of libexiv2-27 to 0.27.3 with the appearance of spurious
> data before the comment.
> 
> The correct way to get the comment is
> 
>   std::string comment = Exiv2::CommentValue(value().toString()).comment();
I briefly read upstream's solution to the original problem [1]. It
seems that upstream's solution was doing hardcoding, which does not
look like the correct way. This solves the original issue for now, but
I'm not sure whether things would break in the long run. Note that I'm
not the maintainer of gthumb and my comment may be wrong.

Anyway, I have backported upstream's fix in git trunk and pushed a new
upload with new version (3.11.1-0.1) to clean things up. Meanwhile, I
choose to downgrade the severity to important for now since we are
getting close to release freeze and that libexiv2 is unlikely to break
its API/ABI around this part again. This issue should be further
investigated and get fixed in next release cycle, though.

Thanks,
Boyuan Yang

[1]
https://gitlab.gnome.org/GNOME/gthumb/-/commit/3bdb4f94ba37b410ac07c25b5c83e587b55482fd
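The "spurious data before the comment" and the CommentValue accessor quoted above both come down to the layout of Exif.Photo.UserComment: the Exif specification prefixes the comment bytes with an 8-byte character-code header, so a raw toString() of the value carries that header, while Exiv2::CommentValue::comment() strips it and decodes the body according to the declared charset. The following C++ program is an added illustration of that distinction and is neither gthumb's nor exiv2's code; it does not link against libexiv2. It assumes UCS-2 little-endian for the UNICODE charset (real files follow the TIFF byte order of the image, which exiv2 tracks for you), passes JIS bytes through undecoded, and uses constructed sample values rather than data from any real image.

```cpp
// Added example (not gthumb's or exiv2's code): why reading the raw string of
// an Exif.Photo.UserComment yields junk in front of the comment, and what a
// CommentValue-style accessor does instead. Sample data below is constructed.
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// The Exif specification prefixes UserComment with an 8-byte character code.
// These are the four values it defines.
static const std::string kAscii("ASCII\0\0\0", 8);
static const std::string kJis("JIS\0\0\0\0\0", 8);
static const std::string kUnicode("UNICODE\0", 8);
static const std::string kUndefined(8, '\0');

// Build a UserComment payload the way a camera would write it
// (constructed sample data, not taken from any real file).
std::vector<uint8_t> makeUserComment(const std::string& charset, const std::string& body) {
    std::vector<uint8_t> out(charset.begin(), charset.end());
    out.insert(out.end(), body.begin(), body.end());
    return out;
}

// Analogue of calling toString() on the raw value: the charset header comes
// back as part of the string, which is what shows up in front of the comment
// if the result is displayed directly.
std::string rawValue(const std::vector<uint8_t>& v) {
    return std::string(v.begin(), v.end());
}

// Encode one BMP code point as UTF-8 (surrogate pairs are not handled here).
static void appendUtf8(std::string& out, uint16_t cp) {
    if (cp < 0x80) {
        out += static_cast<char>(cp);
    } else if (cp < 0x800) {
        out += static_cast<char>(0xC0 | (cp >> 6));
        out += static_cast<char>(0x80 | (cp & 0x3F));
    } else {
        out += static_cast<char>(0xE0 | (cp >> 12));
        out += static_cast<char>(0x80 | ((cp >> 6) & 0x3F));
        out += static_cast<char>(0x80 | (cp & 0x3F));
    }
}

// Analogue of CommentValue::comment(): strip the 8-byte header and decode the
// body according to the declared charset. Anything this cannot interpret is
// returned unchanged rather than guessed at.
std::string commentOf(const std::vector<uint8_t>& v) {
    if (v.size() < 8) return rawValue(v);  // too short to carry a header
    const std::string header(v.begin(), v.begin() + 8);
    std::string body(v.begin() + 8, v.end());
    if (header == kAscii || header == kJis || header == kUndefined) {
        // ASCII/undefined bytes are returned as-is; JIS is passed through
        // undecoded in this example. Trailing NUL padding is dropped.
        while (!body.empty() && body.back() == '\0') body.pop_back();
        return body;
    }
    if (header == kUnicode) {
        // Assumption for this example: UCS-2, little-endian.
        std::string out;
        for (size_t i = 0; i + 1 < body.size(); i += 2) {
            uint16_t cp = static_cast<uint16_t>((body[i] & 0xFF) | ((body[i + 1] & 0xFF) << 8));
            if (cp == 0) break;  // NUL terminator or padding
            appendUtf8(out, cp);
        }
        return out;
    }
    return rawValue(v);  // unknown charset code: leave the value alone
}

int main() {
    const auto ascii = makeUserComment(kAscii, "hello");
    std::cout << "raw value is " << rawValue(ascii).size() << " bytes; comment: \""
              << commentOf(ascii) << "\"\n";
    const auto uni = makeUserComment(kUnicode, std::string("h\0i\0\xE9\0", 6));
    std::cout << "unicode comment: " << commentOf(uni) << "\n";
    return 0;
}
```

The defensive point is in the last branch: an accessor that meets an unknown charset code returns the bytes untouched instead of inventing a decoding, which is the same conservative behaviour you want from a library call in preference to poking at internal functions whose layout may change between releases.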
