Hi,

We now have LibRaw built as a shared library in Fedora:

http://koji.fedoraproject.org/koji/rpminfo?rpmID=3134262
http://koji.fedoraproject.org/koji/rpminfo?rpmID=3134260

Please add an option in libkdcraw for building it against the system shared LibRaw.

Reproducible: Always
LibRaw just got two security CVEs (CVE-2013-2126 and CVE-2013-2127), see also http://www.openwall.com/lists/oss-security/2013/05/29/7

Gilles, can you please switch libkdcraw to use an external libraw shared library and get rid of the embedded libraw copy? That will ease the maintenance of libkdcraw a lot by distributions, and also self-compiling users (who won't need to patch libkdcraw on their own).
Pino,

About the security issue, I CC Alex Tutubalin, who is the lead libraw developer.

About shared libraw support, there is already another report: https://bugs.kde.org/show_bug.cgi?id=307146

Gilles Caulier
(In reply to comment #2)
> About the security issue, I CC Alex Tutubalin, who is the lead libraw developer.

If you had read the page I linked earlier, the issue was already fixed in their Git repository by Alex.

> About shared libraw support, there is already another report:
>
> https://bugs.kde.org/show_bug.cgi?id=307146

This bug *is* #307146.
Sorry, my mistake. Look at my comment here: https://bugs.kde.org/show_bug.cgi?id=320794#c1

Gilles Caulier
(In reply to comment #4)
> Look at my comment here:
>
> https://bugs.kde.org/show_bug.cgi?id=320794#c1

Basically, the explanation is the following:

> We don't want to add external libraw dependency, until libraw 1.0.0 is out, due to broken binary compatibility with API between release. This will crash digiKam if you update system based libraw without to recompile libkdcraw.

This is a very weak explanation for the following reasons:
- so far libraw seems to be handling SONAME bumps when the ABI is broken (and if it does not, it is a libraw issue)
- if you use distro packages, distro packagers will take care of recompiling libkdcraw with the new libraw when its SONAME changes (otherwise no change is needed and new libraw versions will be used fine)
- if you compile stuff on your own, you have to manage yourself the software you recompile (and in any case, a library with bumped SONAME won't overwrite the old one)
Opened a RR: https://git.reviewboard.kde.org/r/110962/
Git commit ee76a4eef0c601215c7c7c4440fd56b2b8740a63 by Pino Toscano.
Committed on 08/07/2013 at 13:33.
Pushed by pino into branch 'external-libraw'.

Switch to an external LibRaw

Instead of using an embedded copy of LibRaw, look for an external LibRaw as mandatory dependency with a new CMake module and using its variables.

Considering some LibRaw versions seem to be underlinked and not linking to OpenMP, link it manually in libkdcraw to overcome such lack.

Switch back to the MAKE_KDCRAW_LIB define (i.e. the default set by KDE4_ADD_LIBRARY) as the one used to check whether it is being built, as otherwise LIBRAW_BUILDLIB would conflict with LibRaw.

See review #110962

M +2 -4 CMakeLists.txt
A +63 -0 cmake/modules/FindLibRaw.cmake
M +24 -4 libkdcraw/CMakeLists.txt
M +1 -1 libkdcraw/libkdcraw_export.h

http://commits.kde.org/libkdcraw/ee76a4eef0c601215c7c7c4440fd56b2b8740a63
I applied this patch to libkdcraw-4.10.90. It built against system LibRaw-0.15.2. After that system LibRaw was updated to 0.15.3 but digiKam-3.3.0-beta3 still shows in components LibRaw version 0.15.2.
In the patch, libkdcraw code is not patched to take care of shared libraw. I think mixed code (embedded and shared) is used.

There is a lot of work to do about this entry. It's not simply patching cmake rules. It's more complicated to do.

I plan to take a look soon...

Gilles Caulier
libkdcraw compiled after 'rm -rf libraw'.
And have you recompiled digiKam with this new version?

Gilles Caulier
(In reply to comment #11)
> And have you recompiled digiKam with this new version?

No, but I have now recompiled libkdcraw with LibRaw 0.15.3 and now digiKam shows this version.

So it looks like the version shown in digiKam is the LibRaw version used at libkdcraw compile time, not the actually installed version.
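
The question raised in the comments above, whether a build uses the shared LibRaw, an embedded copy, or both, can be checked on the built library itself. The following is an added example, not part of the thread or of libkdcraw: it classifies constructed `readelf -d` and `nm -D` output, the soname numbers and addresses are made up, and it assumes an embedded copy exports LibRaw's C API symbols (a copy built with hidden visibility would not show up).

```python
import re

# Matches a NEEDED entry for libraw or its thread-safe variant libraw_r.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[(libraw(?:_r)?\.so[^\]]*)\]")

def libraw_needed(readelf_dynamic):
    """LibRaw sonames listed as DT_NEEDED in `readelf -d` output."""
    return NEEDED_RE.findall(readelf_dynamic)

def libraw_defined(nm_dynamic):
    """LibRaw C API symbols that `nm -D` reports as defined in the file itself."""
    found = []
    for line in nm_dynamic.splitlines():
        parts = line.split()
        # Defined symbols have three fields (address, type, name); undefined ones have two.
        if len(parts) == 3 and parts[1] in ("T", "W"):
            name = parts[2].split("@")[0]  # drop any symbol-version suffix
            if name.startswith("libraw_"):
                found.append(name)
    return found

def classify(readelf_dynamic, nm_dynamic):
    """Return 'external', 'embedded', 'mixed' or 'none' for one shared object."""
    needed, defined = libraw_needed(readelf_dynamic), libraw_defined(nm_dynamic)
    if needed and defined:
        return "mixed"      # links the system library and also carries its own copy
    if defined:
        return "embedded"   # a LibRaw security fix needs a libkdcraw rebuild to take effect
    if needed:
        return "external"   # a LibRaw update with the same soname is picked up at load time
    return "none"

# Constructed tool output; soname numbers and addresses are made up.
EXTERNAL = (
    " 0x0000000000000001 (NEEDED)             Shared library: [libraw.so.9]\n"
    " 0x000000000000000e (SONAME)             Library soname: [libkdcraw.so.23]\n",
    "                 U libraw_version\n",
)
EMBEDDED = (
    " 0x0000000000000001 (NEEDED)             Shared library: [libstdc++.so.6]\n",
    "0000000000031c50 T libraw_init\n0000000000031d10 T libraw_version\n",
)
MIXED = (EXTERNAL[0], EXTERNAL[1] + EMBEDDED[1])

if __name__ == "__main__":
    for label, sample in (("external", EXTERNAL), ("embedded", EMBEDDED), ("mixed", MIXED)):
        print(label, "->", classify(*sample), libraw_needed(sample[0]))
```
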
Git commit ce1fed4fc2bda012a93b207a76ce0d050e048cdb by Gilles Caulier.
Committed on 11/09/2013 at 13:48.
Pushed by cgilles into branch 'external-libraw'.

Remove all Libraw implementation embedded in libkdcraw.
Adjust all settings in config widget accordingly with extra packs used by libraw, especially Raw quality setting.
Add new methods to get whole options used to compile Libraw.
Bump API/ABI id.
This version of libkdcraw breaks BC. It must be published with next KDE 4.12.0 and next digiKam 4.0.0.
Libraw compatible with this implementation is 0.16.0, which has been ported.

FIXED-IN: 4.0.0
REVIEW: 110962

M +21 -19 CMakeLists.txt
M +3 -18 README
M +2 -7 libkdcraw/CMakeLists.txt
M +61 -34 libkdcraw/dcrawsettingswidget.cpp
M +18 -0 libkdcraw/kdcraw.cpp
M +8 -0 libkdcraw/kdcraw.h
M +1 -1 libkdcraw/libkdcraw_export.h
M +12 -3 libkdcraw/rawdecodingsettings.h
M +0 -1 test/CMakeLists.txt
M +2 -0 test/libinfo.cpp

http://commits.kde.org/libkdcraw/ce1fed4fc2bda012a93b207a76ce0d050e048cdb
Code using an external instance of libraw is now merged to master, in order to be released with KDE 4.12...

http://commits.kde.org/libkdcraw/88020682619f0fd96e7624ffef00269d5c1b9e88

Gilles Caulier
Git commit 6c91e18cedfe5ef37d202f6d0cf4fde1a607a9a9 by Gilles Caulier.
Committed on 21/10/2013 at 07:01.
Pushed by cgilles into branch 'master'.

Add support of libraw release < 0.16.0

Minimum version supported is 0.14.x, but with minimum support of extra options from Libraw, as RawSpeed codec support, LCMS support, GPL2 and GPL3 packs supports, etc...
All these options are registered and shared into a new libraw_config.h with 0.16.0, which does not exist in previous releases.

M +11 -2 CMakeLists.txt
A +79 -0 cmake/modules/FindLibRaw.cmake
M +3 -0 libkdcraw/kdcraw.cpp

http://commits.kde.org/libkdcraw/6c91e18cedfe5ef37d202f6d0cf4fde1a607a9a9