Control: retitle -1 nomacs uses internal libexiv2 functions to get the user comment Control: severity -1 serious Control: tags -1 - patch
On 2020-12-12 21:59:38 +0100, Vincent Lefevre wrote: > I'm attaching the patch I've written. There was already a function > that removes substrings of the form 'charset="ASCII"' case > insensitively. So I do the same thing with 'charset=ASCII' > (i.e. without the double-quotes) and 'charset=Unicode', which > appears when the string has non-ASCII characters. > > Note that this function is a hack: it will remove real occurrences > of such strings, not just those added by libexiv2. However, there > is very little probability that such strings really appear in the > comment. And one cannot do much better to fix the issue. This is just a workaround that seems to work with the current libexiv2 version, but according to the upstream libexiv2 maintainer, nomacs uses some internal libexiv2 function, which means that an update of libexiv2 can break it at any time, potentially introducing security issues. Note that a change of behavior could have already been seen with the upgrade of libexiv2-27 to 0.27.3 with the appearance of spurious data before the comment. The correct way to get the comment with the public API is std::string comment = Exiv2::CommentValue(value().toString()).comment()); Note: The upstream nomacs version comes with a bundled libexiv2, meaning that this may not be an issue to use internal libexiv2 features. Debian chose to use the shared library, thus it needs to replace these internals by calls to the public API. -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
