Hi all,
I'm in the process of updating all libraries required for ext/gd on
Windows. Since libxpm hasn't been updated for quite a while (we're
still shipping libxpm 3.5.12), I've attempted updating to libxpm 3.5.17.
However, besides the already existing mess of needing to fetch several
X11 header files from other repos, I've noticed that support for FOR_MSW
builds has completely been dropped[1]. That makes it even harder to
have a somewhat clean build.
Looking a bit further, I've noticed that three vulnerabilities have been
fixed in libxpm 3.5.15[2]; the third one doesn't affect our builds, but
the first two likely do, causing potential DoS, if crafted XPM images
are read by imagecreatefromxpm() (but not by imagecreatefromstring()
since this doesn't support XPM). While it should be possible to upgrade
to libxpm 3.5.15 (or at least to backport the respective fixes), I don't
think it makes sense to move forward supporting XPM images with ext/gd
on Windows. Besides that this format is typically used on Linux, it is
grossly outdated. Even GIF is way superior, let alone PNG.
Therefore I suggest dropping XPM support from ext/gd on Windows as soon
as possible (might be a bit late for PHP 8.4, but might still be a good
idea). Note that XBM support is unrelated, since this is handled by the
bundled libgd without relying on any library. Also note that getimagesize()
is also not affected, since it doesn't support XPM anyway.
Any objections, or general thoughts?
[1] https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/b30fd0918f8d99aa718ede3da30f9d29f87063e1
[2] https://lists.x.org/archives/xorg-announce/2023-January/003312.html
Christoph
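The practical mitigation for the libxpm issues described above, as an added example that is not part of the thread or of ext/gd itself: because getimagesize() and imagecreatefromstring() have no XPM path, routing untrusted files through them means libxpm is never reached. The helper names, the format allowlist and the size budgets are assumptions for illustration.

```php
<?php
// Added example (not from the thread): load untrusted images without ever
// calling imagecreatefromxpm(), so crafted XPM input cannot reach libxpm.
declare(strict_types=1);

/** Report whether this build can decode XPM at all (constructed helper). */
function gdHasXpm(): bool
{
    $info = function_exists('gd_info') ? gd_info() : [];
    return !empty($info['XPM Support']) && function_exists('imagecreatefromxpm');
}

/**
 * Decode an untrusted file via getimagesize() + imagecreatefromstring().
 * getimagesize() does not recognise XPM, so an XPM file (text starting with
 * "/* XPM */") is rejected before any decoder runs; the formats that pass
 * are then decoded by imagecreatefromstring(), which likewise has no XPM path.
 * Allowlist and limits are constructed values for this example.
 */
function loadImageSafely(string $path, int $maxBytes = 5 * 1024 * 1024): \GdImage
{
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_WEBP];

    $size = @filesize($path);
    if ($size === false || $size > $maxBytes) {
        throw new RuntimeException('refusing oversized or unreadable file');
    }

    // Sniff the container from the header bytes; XPM fails this step.
    $meta = @getimagesize($path);
    if ($meta === false || !in_array($meta[2], $allowed, true)) {
        throw new RuntimeException('unsupported or unrecognised image format');
    }

    // Bound the decoded pixel budget before the bitmap is allocated.
    if ($meta[0] * $meta[1] > 50_000_000) {
        throw new RuntimeException('image dimensions exceed pixel budget');
    }

    $img = @imagecreatefromstring((string) file_get_contents($path));
    if ($img === false) {
        throw new RuntimeException('decoder rejected the file');
    }
    return $img;
}
```

gdHasXpm() is useful in a deployment check: a build that reports no XPM support has no libxpm code path left to exercise, which is the state the proposal above aims for on Windows.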
I agree, let's reduce that maintenance burden.
Kind regards
Niels
hi Christoph,
Hi all,
Therefore I suggest dropping XPM support from ext/gd on Windows as soon
as possible (might be a bit late for PHP 8.4, but might still be a good
idea).
Given it is only useful on OSes relying on X/freedesktop, the impact should
be zero.
best,