On Thu, Sep 4, 2025 at 8:51 AM Michael Catanzaro <mcatanzaro@xxxxxxxxxx> wrote:
> I have checked our gdk-pixbuf2-modules-extra package. I think the BMP,
> ICO, PNM, and TGA loaders are now obsolete and can safely be disabled.
> The other loaders provided by this package are still needed, but they
> cover particularly obscure image formats, so I wonder whether we still
> need gdk-pixbuf2-modules-extra at all. I suspect this package exists
> mainly for the BMP, ICO, and possibly TGA loaders? So maybe the package
> is no longer needed? Remember that websites can download images to your
> downloads directory and trigger a thumbnailer without any user
> intervention (by default, yes I know Firefox can be configured to ask
> permission before starting a download), so the attack surface of all of
> these unsandboxed plugins is effectively web-exposed and an attacker
> will target whichever is most obscure and least secure.
I've built gdk-pixbuf2-modules-extra 2.43.5 for F43 and F44, dropping the thumbnailer config and loaders obsoleted by Glycin.
The remaining loaders are ANI (Windows animated cursors), ICNS (an older macOS icon format), QTIF (old QuickTime container format for still images), XBM (pre-X11 one-bit X bitmaps), and XPM (X11 bitmaps). Most of these are indeed obscure and should probably be left to specialized tools, but the fly in the ointment is XPM. In Fedora, I found at least Free42, gerbv, GKrellM, usbview, vim-X11, XSane, and xzgv that still need it. (Also, it'd be nice to not break random old local binaries that crash if they can't load their application icon.)
Since the gdk-pixbuf thumbnailer is going away, the risk of drive-by downloads seems low(er). One option is to remove all loaders from gdk-pixbuf2-modules-extra except XPM, at least in Rawhide. Meanwhile I've filed [1] to ask for XPM support in Glycin, and if we get that I think it's reasonable to retire -modules-extra.
--Benjamin Gilbert
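As an added example (not code from this thread, from Fedora packaging, or from gdk-pixbuf itself), here is a small audit script that reads a gdk-pixbuf loaders.cache and reports which of the loaders named in this discussion are still registered on a host. It assumes the cache layout written by gdk-pixbuf-query-loaders (each record opens with a lone quoted module path, and the following line opens with the quoted format name); the sample cache text and the group names are constructed for illustration.

```python
import re

# Loader names the thread says Glycin has obsoleted, and those left in gdk-pixbuf2-modules-extra.
OBSOLETED_BY_GLYCIN = {"bmp", "ico", "pnm", "tga"}
MODULES_EXTRA = {"ani", "icns", "qtif", "xbm", "xpm"}

# Constructed sample in the shape of a gdk-pixbuf loaders.cache (not copied from any host).
SAMPLE_CACHE = """\
# GdkPixbuf Image Loader Modules file
"/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-bmp.so"
"bmp" 5 "gdk-pixbuf" "The BMP image format" "LGPL"
"image/bmp" "image/x-bmp" "image/x-MS-bmp" ""
"bmp" ""
"BM" "" 100
"/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-xpm.so"
"xpm" 4 "gdk-pixbuf" "The XPM image format" "LGPL"
"image/x-xpixmap" ""
"xpm" ""
"/* XPM */" "" 100
"/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so"
"svg" 2 "gdk-pixbuf" "Scalable Vector Graphics" "LGPL"
"image/svg+xml" ""
"svg" ""
"<svg" "*    " 100
"""

# A record opens with a lone quoted module path; the next line opens with the quoted format name.
# Mime, extension and magic-pattern lines carry more than one token, so they never match MODULE_LINE.
MODULE_LINE = re.compile(r'^"([^"]+)"\s*$')
NAME_TOKEN = re.compile(r'^"([^"]*)"')

def parse_loaders_cache(text):
    """Return {format_name: module_path} for every loader registered in the cache text."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    loaders = {}
    for cur, nxt in zip(lines, lines[1:]):
        path, name = MODULE_LINE.match(cur), NAME_TOKEN.match(nxt)
        if path and name:
            loaders[name.group(1)] = path.group(1)
    return loaders

def audit(loaders):
    """Group registered loaders the way the thread classifies them (assumed grouping)."""
    names = set(loaders)
    return {
        "obsolete": sorted(names & OBSOLETED_BY_GLYCIN),
        "extra": sorted(names & MODULES_EXTRA),
        "other": sorted(names - OBSOLETED_BY_GLYCIN - MODULES_EXTRA),
    }
```

To check a real host, pass the contents of the installed cache, e.g. `audit(parse_loaders_cache(open("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders.cache").read()))`, and treat anything in the "obsolete" group as a loader that should no longer be registered.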
-- devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx