Overview
Request 663793 superseded
- Updated exiv2-build-date.patch
- Added exiv2-cmake-installdir.patch (exiv2 bug #623)
- Added exiv2-rename-libxmp.patch (exiv2 bug #624)
* This should prevent possible issues with the libxmp project
- Added exiv2-install-headers.patch (exiv2 bug #627)
- Added exiv2-BanAllEntityUsage.patch
* This prevents a denial of service attack related to XML entity expansion
- Created by gladiac
- In state superseded
- Superseded by 664266
Request History
gladiac created request
Is there a bug report for this "banallentities" patch? Is this upstream? Is this going to be upstream? Is there a CVE related to this?
This is already upstream and will be in 0.27.1, which will probably be released in March or April. No, there is no CVE and no need for one.
Another problem that turned up in the Factory submission (not directly related to this SR, but I thought I had better mention it in case you didn't notice):
Apparently it's not acceptable to install a static lib as part of a devel package, and I don't think renaming libxmp.a to libexiv-xmp.a (as done by patch exiv2-rename-libxmp.patch) will change that.
But the new exiv2Config.cmake would need it, so deleting it again is not really an option either... :-/
I'll try to come up with another patch for that (tomorrow I hope), but suggestions would of course be welcome.
I mentioned it in http://dev.exiv2.org/issues/0001119 that introduced libxmp.a, but we should still find a solution I think.
Well, in case upstream reads this: STATIC is exceptionally unpopular. Either make the xmp target "SHARED", or "OBJECT" (going back to before 2784b1f7f7ddcc66211e6cf492de1588).
Renaming the library is a prudent thing to do, because there is already a libxmp in distros (the XMP module player) that you don't want to overlap with ever.
As already discussed upstream, they should use libexmpi, but that won't happen before 0.28.0.
Sorry for being late now, but I have been able to "fix" it by linking lib(exiv2-)xmp.a as PRIVATE instead of PUBLIC. That should also fix https://github.com/Exiv2/exiv2/issues/459 I think.
https://build.opensuse.org/package/view_file/home:wolfi323:branches:graphics/exiv2/0001-Don-t-export-libxmp.patch?expand=1
As there was a new submission meanwhile, and kphotoalbum builds fine with it, I'll probably just suggest that upstream though. ;-)
Btw, that would also eliminate the need for the "Requires: libexpat-devel" in the devel package, as that is actually needed by lib(exiv2-)xmp.a only.
(and it would also eliminate the need for lib(exiv2-)xmp.a in the first place IMHO...)
Aha, you put the STATIC inside target_link_libraries rather than add_library/set_target_properties. Didn't know that was a thing.
But that is awesome.
The correct fix would be to use libexmpi and not duplicate the code :-)
Suggest it upstream.
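As an added illustration of the PRIVATE-versus-PUBLIC linkage point raised in the thread (this is a sketch written for this page, not the exiv2 project's own CMakeLists.txt or the linked patch), a minimal build file showing why linking the static XMP archive PUBLIC leaks it into the exported exiv2Config.cmake, and how PRIVATE keeps it out. Target names, source file names and the export layout are assumptions.

```cmake
cmake_minimum_required(VERSION 3.10)
project(exiv2demo CXX)

# expat is only needed by the XMP code, not by consumers of libexiv2.
find_package(EXPAT REQUIRED)

# Assumed layout: the XMP SDK sources are built as their own static archive,
# as the thread describes. It must be PIC because it ends up inside a .so.
add_library(exiv2-xmp STATIC xmp/XMPMeta.cpp)
set_target_properties(exiv2-xmp PROPERTIES POSITION_INDEPENDENT_CODE ON)
target_link_libraries(exiv2-xmp PRIVATE EXPAT::EXPAT)

add_library(exiv2lib SHARED src/image.cpp)

# Weak setting (kept as a comment): PUBLIC puts exiv2-xmp into
# exiv2lib's INTERFACE_LINK_LIBRARIES. The generated exiv2Config.cmake would
# then reference the static archive, so the devel package would have to ship
# libexiv2-xmp.a, and its expat dependency would have to be resolvable on the
# consumer's machine (hence "Requires: libexpat-devel").
# target_link_libraries(exiv2lib PUBLIC exiv2-xmp)

# Corrected setting: PRIVATE links the archive into libexiv2.so but records
# nothing about it in the exported interface. Consumers link libexiv2.so only,
# and the static archive does not need to be installed at all.
target_link_libraries(exiv2lib PRIVATE exiv2-xmp)

# Only exiv2lib is exported; CMake does not complain that exiv2-xmp is
# missing from the export set because a shared library's PRIVATE
# dependencies are not part of its interface.
install(TARGETS exiv2lib EXPORT exiv2Targets LIBRARY DESTINATION lib)
install(EXPORT exiv2Targets NAMESPACE exiv2::
        DESTINATION lib/cmake/exiv2 FILE exiv2Config.cmake)
```

After `cmake --install`, inspecting the generated lib/cmake/exiv2/exiv2Config.cmake shows `INTERFACE_LINK_LIBRARIES` empty for exiv2::exiv2lib with the PRIVATE form, and naming exiv2-xmp with the PUBLIC form.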