Bug#974616: nomacs: "charset=Ascii" appears before the comment of the image

2021-12-26 Thread Vincent Lefevre
On 2021-12-26 21:00:13 +, Sergio Gelato wrote:
> My only interest in this bug is that it has kept nomacs out of
> bullseye; I don't need its EXIF support.

EXIF information is very useful in general, but AFAIK, only the
comment is affected. A solution would be to either fix the comment
handling or remove it. (Nowadays, ImageDescription seems to be
preferred to Comment, so that removing Comment support would not
be a big loss.)

> If this package isn't effectively orphaned, perhaps the maintainer
> can lower the bug's severity?

Note that there is a potential security issue. Perhaps not currently
(I'm not sure), but potentially in the future: it suffices that the
exiv internals change (like in the past to fix a security bug) to
make Nomacs behave erratically, possibly with memory corruption.

> (And/or forward the report upstream...)

FYI, I haven't reported the bug upstream because Debian has a very
old version. The package should be upgraded to 3.16 first.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Bug#974616: nomacs: "charset=Ascii" appears before the comment of the image

2021-12-26 Thread Sergio Gelato
Control: tags -1 + upstream

This *is* an upstream bug, as the upstream README.md has build instructions for 
Ubuntu that list libexiv2-dev (no version constraint given) as a required 
package.

As far as I can tell, it's unaddressed as of the current tip of the master 
branch. I don't see that anyone has reported it as an issue on GitHub either. 
(I don't want a GitHub account, so I won't report it myself.)

My only interest in this bug is that it has kept nomacs out of bullseye; I 
don't need its EXIF support. If this package isn't effectively orphaned, 
perhaps the maintainer can lower the bug's severity? (And/or forward the report 
upstream...)



Processed: Re: Bug#974616: nomacs: "charset=Ascii" appears before the comment of the image

2021-12-26 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + upstream
Bug #974616 [nomacs] nomacs uses internal libexiv2 functions to get the user 
comment
Added tag(s) upstream.

-- 
974616: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974616
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#974616: nomacs: "charset=Ascii" appears before the comment of the image

2021-04-04 Thread Antoine Beaupré
On 2020-12-14 23:45:06, Vincent Lefevre wrote:
> Control: retitle -1 nomacs uses internal libexiv2 functions to get the user 
> comment
> Control: severity -1 serious
> Control: tags -1 - patch
>
> On 2020-12-12 21:59:38 +0100, Vincent Lefevre wrote:
>> I'm attaching the patch I've written. There was already a function
>> that removes substrings of the form 'charset="ASCII"' case
>> insensitively. So I do the same thing with 'charset=ASCII'
>> (i.e. without the double-quotes) and 'charset=Unicode', which
>> appears when the string has non-ASCII characters.
>> 
>> Note that this function is a hack: it will remove real occurrences
>> of such strings, not just those added by libexiv2. However, there
>> is very little probability that such strings really appear in the
>> comment. And one cannot do much better to fix the issue.
>
> This is just a workaround that seems to work with the current
> libexiv2 version, but according to the upstream libexiv2 maintainer,
> nomacs uses some internal libexiv2 function, which means that an
> update of libexiv2 can break it at any time, potentially introducing
> security issues.
>
> Note that a change of behavior could have already been seen with the
> upgrade of libexiv2-27 to 0.27.3 with the appearance of spurious data
> before the comment.
>
> The correct way to get the comment with the public API is
>
>   std::string comment = Exiv2::CommentValue(value().toString()).comment();
>
> Note: The upstream nomacs version comes with a bundled libexiv2,
> meaning that this may not be an issue to use internal libexiv2
> features. Debian chose to use the shared library, thus it needs
> to replace these internals by calls to the public API.

Is this fixed upstream, in the latest 3.16 release?

I mean I understand that it *still* bundles exiv2 and friends:

https://github.com/nomacs/nomacs/tree/master/3rd-party

... but maybe their usage of the library improved?

There is #974617 for upgrading to 3.16...

a.

-- 
By now the computer has moved out of the den and into the rest of your
life. It will consume all of your spare time, and even your vacation,
if you let it. It will empty your wallet and tie up your thoughts. It
will drive away your family. Your friends will start to think of you
as a bore. And what for?
   - The True Computerist by Tom Pittman
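The quoted messages contrast two ways of getting at the comment: a hack that strips `charset=...` substrings from the string form, and the public API. The following is an added example, not nomacs or libexiv2 code: it decodes a raw Exif UserComment value as the Exif specification lays it out (an 8-byte character-code header followed by the comment bytes), refusing truncated or unknown headers instead of reading past the buffer. The function names and the sample value are constructed for this illustration.

```cpp
// Added example (not nomacs or libexiv2 code): decode a raw Exif UserComment
// value as the Exif spec defines it, so the comment can be obtained without
// touching libexiv2 internals or stripping "charset=..." text after the fact.
// The tag value is an 8-byte character-code header followed by the comment.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

struct UserComment {
    std::string charset;  // "ASCII", "JIS", "UNICODE", or "" when undefined
    std::string text;     // raw comment bytes (UTF-16/JIS left undecoded)
    bool ok;              // false when the value is malformed
};

// Parse the raw bytes of Exif.Photo.UserComment. Returns ok=false on a value
// shorter than its 8-byte header or with an unknown character code, instead of
// reading past the buffer (the failure mode a changed library internal could
// otherwise trigger).
UserComment parseUserComment(const std::vector<uint8_t>& raw) {
    UserComment uc{"", "", false};
    if (raw.size() < 8) return uc;
    static const struct { const char* code; const char* name; } kCodes[] = {
        {"ASCII\0\0\0", "ASCII"}, {"JIS\0\0\0\0\0", "JIS"},
        {"UNICODE\0", "UNICODE"}, {"\0\0\0\0\0\0\0\0", ""},
    };
    for (const auto& c : kCodes) {
        if (std::memcmp(raw.data(), c.code, 8) == 0) {
            uc.charset = c.name;
            uc.text.assign(raw.begin() + 8, raw.end());
            // ASCII comments are often NUL padded; trim trailing NULs only.
            while (!uc.text.empty() && uc.text.back() == '\0') uc.text.pop_back();
            uc.ok = true;
            return uc;
        }
    }
    return uc;  // unknown character code: treat as malformed
}

// Constructed sample value: "ASCII\0\0\0" header + comment + NUL padding.
std::vector<uint8_t> sampleAsciiComment() {
    const char bytes[] = "ASCII\0\0\0Sunset over Lyon\0\0";
    return std::vector<uint8_t>(bytes, bytes + sizeof(bytes) - 1);
}
```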