On Thu, Sep 4, 2025 at 8:51 AM Michael Catanzaro <mcatanz...@redhat.com>
wrote:

> I have checked our gdk-pixbuf2-modules-extra package. I think the BMP,
> ICO, PNM, and TGA loaders are now obsolete and can safely be disabled.
> The other loaders provided by this package are still needed, but they
> cover particularly obscure image formats, so I wonder whether we still
> need gdk-pixbuf2-modules-extra at all. I suspect this package exists
> mainly for the BMP, ICO, and possibly TGA loaders? So maybe the package
> is no longer needed? Remember that websites can download images to your
> downloads directory and trigger a thumbnailer without any user
> intervention (by default, yes I know Firefox can be configured to ask
> permission before starting a download), so the attack surface of all of
> these unsandboxed plugins is effectively web-exposed and an attacker
> will target whichever is most obscure and least secure.


I've built gdk-pixbuf2-modules-extra 2.43.5 for F43 and F44, dropping the
thumbnailer config and loaders obsoleted by Glycin.

The remaining loaders are ANI (Windows animated cursors), ICNS (an older
macOS icon format), QTIF (old QuickTime container format for still images),
XBM (pre-X11 one-bit X bitmaps), and XPM (X11 bitmaps).  Most of these are
indeed obscure and should probably be left to specialized tools, but the
fly in the ointment is XPM.  In Fedora, I found at least Free42, gerbv,
GKrellM, usbview, vim-X11, XSane, and xzgv that still need it.  (Also, it'd
be nice to not break random old local binaries that crash if they can't
load their application icon.)

Since the gdk-pixbuf thumbnailer is going away, the risk of drive-by
downloads seems low(er).  One option is to remove all loaders
from gdk-pixbuf2-modules-extra except XPM, at least in Rawhide.  Meanwhile
I've filed [1] to ask for XPM support in Glycin, and if we get that I think
it's reasonable to retire -modules-extra.

--Benjamin Gilbert

[1]: https://gitlab.gnome.org/GNOME/glycin/-/issues/192
-- 
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org