Bug 222309 - graphics/ImageMagick and graphics/ImageMagick7: remove FPX from default options
Status: Closed FIXED
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Koop Mast
Reported: 2017-09-13 19:18 UTC by Anton Yuzhaninov
Modified: 2017-10-02 07:08 UTC
bugzilla: maintainer-feedback? (kwm)


Attachments
remove FPX from default options (1.68 KB, patch)
2017-09-13 19:18 UTC, Anton Yuzhaninov

Description Anton Yuzhaninov 2017-09-13 19:18:22 UTC
Created attachment 186354
remove FPX from default options

Please remove FPX from default options for graphics/ImageMagick and graphics/ImageMagick7.

1. FlashPix images are very rare nowadays. I was not able to find them on the Internet except in ImageMagick test cases. In the rare case when fpx support is needed, it is possible to rebuild ImageMagick from ports with this option enabled.

2. libfpx contains multiple DoS vulnerabilities:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12925
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12924
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12923
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12922
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12921
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12920
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12919

and it is unlikely that they will be fixed in the near future, because libfpx is not actively developed: https://blogs.gentoo.org/ago/2017/08/09/libfpx-null-pointer-dereference-in-wchar-c/
Comment 1 commit-hook freebsd_committer 2017-09-19 14:13:00 UTC
A commit references this bug:

Author: kwm
Date: Tue Sep 19 14:12:42 UTC 2017
New revision: 450128
URL: https://svnweb.freebsd.org/changeset/ports/450128

Log:
  ImageMagick7 to 7.0.7-2.

  Disable FPX (FlashPix) support by default. This image format is really
  rare these days coupled with that there are known CVE's in libfpx and
  it doesn't seem to be maintained these days. It doesn't make sense to
  keep it enabled by default anymore. [1]

  Bump vapoursynth for shared library bumps in IM7.

  PR:		222309 [1]
  Submitted by:	Anton Yuzhaninov <citrin+pr@citrin.ru> [1]

Changes:
  head/graphics/ImageMagick7/Makefile
  head/graphics/ImageMagick7/distinfo
  head/graphics/ImageMagick7/pkg-plist
  head/multimedia/vapoursynth/Makefile
Comment 2 commit-hook freebsd_committer 2017-09-27 16:42:28 UTC
A commit references this bug:

Author: swills
Date: Wed Sep 27 16:41:53 UTC 2017
New revision: 450766
URL: https://svnweb.freebsd.org/changeset/ports/450766

Log:
  MFH: r450128 r450491

  ImageMagick7 to 7.0.7-2.

  Disable FPX (FlashPix) support by default. This image format is really
  rare these days coupled with that there are known CVE's in libfpx and
  it doesn't seem to be maintained these days. It doesn't make sense to
  keep it enabled by default anymore. [1]

  Bump vapoursynth for shared library bumps in IM7.

  PR:		222309 [1]
  Submitted by:	Anton Yuzhaninov <citrin+pr@citrin.ru> [1]

  Update ImageMagick7 to 7.0.7-4.

  PR:		222622
  Security:	16fb4f83-a2ab-11e7-9c14-009c02a2ab30

  Approved by:	ports-secteam@ (implicit)

Changes:
_U  branches/2017Q3/
  branches/2017Q3/graphics/ImageMagick7/Makefile
  branches/2017Q3/graphics/ImageMagick7/distinfo
  branches/2017Q3/graphics/ImageMagick7/pkg-plist
  branches/2017Q3/multimedia/vapoursynth/Makefile
Comment 3 commit-hook freebsd_committer 2017-09-28 15:37:14 UTC
A commit references this bug:

Author: kwm
Date: Thu Sep 28 15:36:35 UTC 2017
New revision: 450852
URL: https://svnweb.freebsd.org/changeset/ports/450852

Log:
  ImageMagick to 6.9.9-15.

  * Disable FPX (FlashPix) support by default. This image format is really
    rare these days coupled with that there are known CVE's in libfpx and
    it doesn't seem to be maintained these days. It doesn't make sense to
    keep it enabled by default anymore. [1]
  * Add new option for RAW support
  * Fix portscout macro to only show 6.9.x versions

  Bump other ports for the shared library bumps in IM 6.

  PR:		222309 [1]
  Submitted by:	Anton Yuzhaninov <citrin+pr@citrin.ru> [1]

Changes:
  head/audio/mp3plot/Makefile
  head/devel/synfig/Makefile
  head/editors/emacs/Makefile
  head/editors/emacs-devel/Makefile
  head/graphics/ImageMagick/Makefile
  head/graphics/ImageMagick/distinfo
  head/graphics/ImageMagick/pkg-plist
  head/graphics/autotrace/Makefile
  head/graphics/converseen/Makefile
  head/graphics/dcraw-m/Makefile
  head/graphics/dmtx-utils/Makefile
  head/graphics/fpc-imagemagick/Makefile
  head/graphics/gimp-gmic-plugin/Makefile
  head/graphics/gscan2pdf/Makefile
  head/graphics/hdr_tools/Makefile
  head/graphics/inkscape/Makefile
  head/graphics/kipi-plugin-videoslideshow/Makefile
  head/graphics/libboard/Makefile
  head/graphics/libdmtx/Makefile
  head/graphics/npretty/Makefile
  head/graphics/opendx/Makefile
  head/graphics/p5-Image-Magick-Iterator/Makefile
  head/graphics/pecl-imagick/Makefile
  head/graphics/php-magickwand/Makefile
  head/graphics/pstoedit/Makefile
  head/graphics/py-wand/Makefile
  head/graphics/reallyslick/Makefile
  head/graphics/rubygem-rmagick/Makefile
  head/graphics/timg/Makefile
  head/graphics/zbar/Makefile
  head/misc/img2xterm/Makefile
  head/multimedia/emby-server/Makefile
  head/security/libfprint/Makefile
  head/www/WebMagick/Makefile
  head/x11-wm/libwraster/Makefile
  head/x11-wm/windowmaker/Makefile
Comment 4 Koop Mast freebsd_committer 2017-10-02 07:08:50 UTC
Committed, thanks for the suggestion!
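
To find hosts that still carry a package built with the old default discussed in this report, the following added example (not part of the bug report or the ports tree) reads `pkg query` option listings and reports ImageMagick packages whose FPX option is on. The function names, the `ImageMagick*` name pattern and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ImageMagick packages that were built with the FPX
# option, i.e. that still pull in libfpx.
#
# Input: one "name option value" triple per line, the format printed by
#   pkg query -g '%n %Ok %Ov' 'ImageMagick*'
# The ImageMagick* pattern is an assumption meant to cover both ports.

# Print each ImageMagick package whose FPX option is "on".
fpx_enabled_pkgs() {
    awk '$1 ~ /^ImageMagick/ && $2 == "FPX" && $3 == "on" { print $1 }' | sort -u
}

# Return 1 when any package has FPX on, so the check can gate a cron or
# CI job; return 0 when FPX is off or the option is absent.
audit_fpx() {
    hits=$(fpx_enabled_pkgs)
    if [ -n "$hits" ]; then
        # $hits is unquoted on purpose: one output line per package.
        printf 'FPX enabled, rebuild without it: %s\n' $hits
        return 1
    fi
    echo 'no ImageMagick package has FPX enabled'
}

# Constructed sample: ImageMagick built with the old default (FPX on),
# ImageMagick7 built with the new default (FPX off).
sample_options() {
    cat <<'EOF'
ImageMagick FPX on
ImageMagick JPEG on
ImageMagick7 FPX off
ImageMagick7 JPEG on
libfpx DOCS on
EOF
}

# Demo on the constructed sample. On a real host, replace sample_options
# with the pkg query command shown at the top.
sample_options | audit_fpx || true
```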