Newsgroups: php.internals,php.internals.win Path: news.php.net Xref: news.php.net php.internals:125502 php.internals.win:1299 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 04E771A00BD; Wed, 11 Sep 2024 12:55:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1726059435; bh=S9JkABqb/Uyp9odl5/xNnv2XatYFy15jx4B8HIOBcMQ=; h=Date:To:Cc:From:Subject:From; b=g/lWogR99+QomRYUqhTR45CekkUpr+3JWfZEYUZjElt5iW66nJBv8R0bQxPOxF63J DM+LD9PE8FbnG8eoLE86bpnilWaYZCzJjw6a6U/Sh/jv4WX5AmhfrSKFDq1IeH1NrR 05sydZnqzzwf+tI6LUQhpmxgclavDA1POKcSYth/2PNnd5Qqe50j/6OelRG8S3czoG Gn3b1x3fK/IRxng2QrDebtL4adElZInh/RZywbBgK2GElWVSFxHC0qAlVXtsIUeOB+ mRkP3z8Q3iP6piua+makYK2amK6Ky2sUG4xzX6Az8/NbNNha9xiAjd+pCUBVmkCHCN EfHfKDYM4rdVA== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 83DEF180072; Wed, 11 Sep 2024 12:57:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.2 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS, FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS; Wed, 11 Sep 2024 12:57:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmx.de; s=s31663417; t=1726059308; x=1726664108; i=cmbecker69@gmx.de; bh=QP1OyIVHL+y4Jy1Xr6c+3lpde78fH8SewK2CA0l2PDk=; h=X-UI-Sender-Class:Message-ID:Date:MIME-Version:To:Cc:From: Subject:Content-Type:Content-Transfer-Encoding:cc: content-transfer-encoding:content-type:date:from:message-id: mime-version:reply-to:subject:to; b=NOFuQPf3laN1XRX+iLoj5CDZ5gtouoYTUkUMeYkc6DSnqMkSfQwn0NMFukQqmd90 Cvn5t5v82MONhBcSSVpl3hxmrnuzqfnZsvf8mZPqo1/n45VAWhJkHX+c/ikCOdIzE QzfzCSQn9Pe5REnAlJKLLHCatl/eDHFOueFQdLVvc/aW7FN4ift39QlOaBKGbhO2N hUTTUoPnsJqwLxrB/Rgv2Rr9wZ3F3o2rnKJLBTsRDkMekRfc+cbRU8nyem5rMHa5E +HsCjVyqAc2zw1+Nb0KvpL6nBTR+WXzDy42ZpiEJbuMOxpTLlxAovlb3PHJXL3ehI 6c7JT+Idk+23hMpAyA== X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a Received: from [192.168.2.130] ([79.251.205.37]) by mail.gmx.net (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MoO2E-1sCrK81HEO-00aZ4C; Wed, 11 Sep 2024 14:55:08 +0200 Message-ID: Date: Wed, 11 Sep 2024 14:55:08 +0200 Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: PHP internals list Content-Language: de-DE Cc: internals-win Subject: [PHP-DEV] ext/gd: drop XPM support on Windows Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Provags-ID: V03:K1:mmUVsuhPNAVUToQzvirRqAvx7G6SYyAgrAr7gOrKj+IxqUv3582 FVwwQVl1UAaMDjYF2tuIJJSoA0c+3Ar2zzUqDz2VPs5YUwGOwcGKD3l7b39B1lWl09dDwPY C3FPFNZQj/cOquWAszlconzpSHuovHAMK+GqKaZo5PYZJUea4N0lKbKJ3XF1/LPMfJclTKV GAlYP7+p2qbiZPGjzMACQ== UI-OutboundReport: notjunk:1;M01:P0:dnVRnBZ2rfg=;J3fkuOdHFPnIfJiJ+YYjcMvcnce T0XsMRsLIMq8c3qlmbcOteYBDRHNhHzwSxBNYs2d6c2Tp60xu88MQk19MmbTL2Tfz7ZFD2HNC oz/i0YEMbvddpkfj1cieWD6/4caYPAnKuvnQmvjSF91NMZF1WvEey6nxWlgnPoHu030jXx8hU eNFLsPcHa6tZ2Etk+wLPF9OHvqrpfJMgdspvMYzPUYGl6jXbn6QumKy1HmjpavW26ftjqL1XW jSZCMPQWEnzs4Vy1rv88uDQpoX6bS8wsBZd4v8SG2z6j+TINnzPg7YLtxSr5IJWJwXc0cOcog UeSBiZZVzSIpKCJlHzl3OprF1fOkNCSZGDJyVu/FNML95rnyGylhobgMkrltCuDjX7dGiic1u kQ8m4EcomnxMG1OlqDKs/pT3La9bNr6Pi77fJtMnHd57AQBXcofhAIwmWBbJtw2JGTV50LIHV MiTgROMCjqL7lSZjFVRBd1CaKccOF0dhh76Cg68A8CV5pPHlvxxgaTXcyb6xE85ap1WDZimg9 qOJJv6VnAk3tcIS35qARldUPi+NwdpflBWJhpjhECTCYXy0IoTpsfh6Da3Mol7YO/fUq/ymE4 ecg9LsyEgnbUHdf3XPzPVNdTQzTdeJsOki2EsUkXQFga6F/oG/TFhLYiaI+eXgzGFdZRzP9Tk rqTEZpP3oiELGU4sAOnttCre6dn/eHDL3mQfN+Hljmaua3uc9oZc24jyY6SwRXYZHI3HnzIlO Z1+cfRqrMbHFk1mKiYKxC0Caccf7VPKLjBfypeRGM4MkbSXK51lAPTZRALLkfjRJOkjkWbLU0 xkjyumrSrnX8q0XqfkN/RoIAhdCZwRkRlIfNdO8iOV7PQ= From: cmbecker69@gmx.de ("Christoph M. Becker") Hi all, I'm in the progress of updating all libraries required for ext/gd on Windows. Since libxpm hasn't been updated for quite a while (we're still shipping libxpm 3.5.12), I've attempted updating to libxpm 3.5.17. However, besides the already existing mess of needing to fetch several X11 header files from other repos, I've noticed that support for FOR_MSW builds has completely been dropped[1]. That makes it even harder to have a somewhat clean build. Looking a bit further, I've noticed that three vulnerabilites have been fixed in libxpm 3.5.15[2]; the third one doesn't affect our builds, but the first two likely do, causing potential DoS, if crafted XPM images are read by imagecreatefromxpm() (but not by imagecreatefromstring() since this doesn't support XPM). While it should be possible to upgrade to libxpm 3.5.15 (or at least to backport the respective fixes), I don't think it makes sense to move forward supporting XPM images with ext/gd on Windows. Besides that this format is typically used on Linux, it is grossly out-dated. Even Gif is way superior, let alone PNG. Therefore I suggest dropping XPM support from ext/gd on Windows as soon as possible (might be a bit late for PHP 8.4, but might still be a good idea). Note that XBM support is unrelated, since this is handled by the bundled libgd without relying on any library. Also note that getimagesize() is also not affected, since it doesn't support XPM anyway. Any objections, or general thoughts? [1] [2] Christoph