Newsgroups: php.internals
Message-ID: <6367f801-17ae-46ea-8add-07966d933f9d@gmail.com>
Date: Wed, 11 Sep 2024 17:38:20 +0200
List-Id: internals.lists.php.net
Subject: Re: [PHP-DEV] ext/gd: drop XPM support on Windows
To: internals@lists.php.net
From: dossche.niels@gmail.com (Niels Dossche)

On 11/09/2024 14:55, Christoph M. Becker wrote:
> Hi all,
>
> I'm in the progress of updating all libraries required for ext/gd on
> Windows. Since libxpm hasn't been updated for quite a while (we're
> still shipping libxpm 3.5.12), I've attempted updating to libxpm 3.5.17.
> However, besides the already existing mess of needing to fetch several
> X11 header files from other repos, I've noticed that support for FOR_MSW
> builds has completely been dropped[1]. That makes it even harder to
> have a somewhat clean build.
>
> Looking a bit further, I've noticed that three vulnerabilities have been
> fixed in libxpm 3.5.15[2]; the third one doesn't affect our builds, but
> the first two likely do, causing potential DoS, if crafted XPM images
> are read by imagecreatefromxpm() (but not by imagecreatefromstring()
> since this doesn't support XPM). While it should be possible to upgrade
> to libxpm 3.5.15 (or at least to backport the respective fixes), I don't
> think it makes sense to move forward supporting XPM images with ext/gd
> on Windows. Besides that this format is typically used on Linux, it is
> grossly out-dated. Even Gif is way superior, let alone PNG.
>
> Therefore I suggest dropping XPM support from ext/gd on Windows as soon
> as possible (might be a bit late for PHP 8.4, but might still be a good
> idea). Note that XBM support is unrelated, since this is handled by the
> bundled libgd without relying on any library. Also note that
> getimagesize() is also not affected, since it doesn't support XPM anyway.
>
> Any objections, or general thoughts?
>
> [1]
>
> [2]
>
> Christoph

I agree, let's reduce that maintenance burden.

Kind regards
Niels