GNU bug report logs - #74335
[PATCH 0/4] [security] Remove allegro-4.


Package: guix-patches;

Reported by: Nicolas Graves <ngraves <at> ngraves.fr>

Date: Wed, 13 Nov 2024 08:51:02 UTC

Severity: normal

Tags: patch

Done: Andreas Enge <andreas <at> enge.fr>

Bug is archived. No further changes may be made.


Report forwarded to guix-patches <at> gnu.org:
bug#74335; Package guix-patches. (Wed, 13 Nov 2024 08:51:02 GMT)

Acknowledgement sent to Nicolas Graves <ngraves <at> ngraves.fr>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 13 Nov 2024 08:51:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: guix-patches <at> gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH 0/4] [security] Remove allegro-4.
Date: Wed, 13 Nov 2024 09:47:41 +0100
This package has a CVE, and its development is not supported upstream
anymore.  

Nicolas Graves (4):
  gnu: libresprite: Update to 1.1.
  gnu: Remove aseprite.
  gnu: Remove dumb-allegro4.
  gnu: Remove allegro-4.

 gnu/packages/game-development.scm | 146 ++++++------------------------
 gnu/packages/music.scm            |  12 ---
 2 files changed, 27 insertions(+), 131 deletions(-)

-- 
2.46.0





Information forwarded to guix-patches <at> gnu.org:
bug#74335; Package guix-patches. (Wed, 13 Nov 2024 09:06:02 GMT)

Message #8 received at 74335 <at> debbugs.gnu.org:

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 74335 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v1 1/4] gnu: libresprite: Update to 1.1.
Date: Wed, 13 Nov 2024 10:05:00 +0100
* gnu/packages/game-development.scm (libresprite): Update to 1.1.
[arguments]: Improve style: use gexps.
[native-inputs]: Improve style: use list.
[inputs]: Improve style: use list.  Add libarchive.  Delete zlib.
Replace tinyxml by tinyxml2.
---
 gnu/packages/game-development.scm | 53 ++++++++++++++++---------------
 1 file changed, 27 insertions(+), 26 deletions(-)

diff --git a/gnu/packages/game-development.scm b/gnu/packages/game-development.scm
index 89c6c0b75e..4d3f73c44c 100644
--- a/gnu/packages/game-development.scm
+++ b/gnu/packages/game-development.scm
@@ -66,6 +66,7 @@ (define-module (gnu packages game-development)
   #:use-module (gnu packages assembly)
   #:use-module (gnu packages audio)
   #:use-module (gnu packages autotools)
+  #:use-module (gnu packages backup)
   #:use-module (gnu packages base)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages bison)
@@ -1194,7 +1195,7 @@ (define-public aseprite
 (define-public libresprite
   (package
     (name "libresprite")
-    (version "1.0")
+    (version "1.1")
     ;; TODO: Unbundle third party software.
     ;; - duktape is bundled inside the project but it's hard to unbundle:
     ;;   there are many differences from a version to the next and it is not
@@ -1208,34 +1209,34 @@ (define-public libresprite
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "0djbjjh21ahlxzh0b0jp4mpfycam8h9157i4wbxkd618fraadhbp"))))
+                "0i1g730khnb8xj56c07x0b0ni6sx4n8vp3w13yazqx9anj23y856"))))
     (build-system cmake-build-system)
     (arguments
-     '(#:configure-flags
-       (list "-DWITH_WEBP_SUPPORT=1"
-             "-DWITH_DESKTOP_INTEGRATION=1")
-       ;; Tests are unmaintained
-       #:tests? #f))
-    (native-inputs
-     `(("pkg-config" ,pkg-config)))
+     (list #:configure-flags
+           #~(list "-DWITH_WEBP_SUPPORT=1"
+                   "-DWITH_DESKTOP_INTEGRATION=1")
+           ;; Tests are unmaintained
+           #:tests? #f))
+    (native-inputs (list pkg-config))
     (inputs
-     `(("curl" ,curl)
-       ("freetype" ,freetype)
-       ("giflib" ,giflib)
-       ("googletest" ,googletest)
-       ("libjpeg" ,libjpeg-turbo)
-       ("libpng" ,libpng)
-       ("libwebp" ,libwebp)
-       ("libx11" ,libx11)
-       ("libxext" ,libxext)
-       ("libxxf86dga" ,libxxf86dga)
-       ("libxxf86vm" ,libxxf86vm)
-       ("lua" ,lua)                     ; Optional
-       ("pixman" ,pixman)
-       ("sdl2" ,sdl2)
-       ("sdl2-image" ,sdl2-image)
-       ("tinyxml" ,tinyxml)
-       ("zlib" ,zlib)))
+     (list curl
+           freetype
+           giflib
+           googletest
+           libarchive
+           libjpeg-turbo
+           libpng
+           libwebp
+           libx11
+           libxext
+           libxxf86dga
+           libxxf86vm
+           lua  ;optional
+           pixman
+           sdl2
+           sdl2-image
+           tinyxml2
+           zlib))
     (synopsis "Animated sprite editor and pixel art tool")
     (description "LibreSprite is a tool for creating 2D pixel art for video
 games.  In addition to basic pixel editing features, it can assist in the
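Review bot: the commit message says "[inputs]: ... Delete zlib", but zlib is still present in the new inputs list (the closing `zlib))` line of the hunk); either drop it from the list or correct the commit message so the two agree. Two smaller points in the same hunk: with `#:tests? #f` kept, `googletest` sits in `inputs` rather than `native-inputs` (pre-existing, but worth fixing while the list is being rewritten), and the new base32 hash should be confirmed against a fresh checkout of the v1.1 tag rather than copied, since the version bump and hash change are the only things tying this package to the new upstream release.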
-- 
2.46.0





Information forwarded to guix-patches <at> gnu.org:
bug#74335; Package guix-patches. (Wed, 13 Nov 2024 09:06:02 GMT)

Message #11 received at 74335 <at> debbugs.gnu.org:

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 74335 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v1 2/4] gnu: Remove aseprite.
Date: Wed, 13 Nov 2024 10:05:01 +0100
This package is a last GPL2 revision of a package that is now
distributed under a nonfree license.  We already have its libre fork in
Guix, and it depends on allegro-4, which has a CVE and whose
development is not supported upstream.

* gnu/packages/game-development.scm (aseprite): Delete variable.
---
 gnu/packages/game-development.scm | 59 -------------------------------
 1 file changed, 59 deletions(-)

diff --git a/gnu/packages/game-development.scm b/gnu/packages/game-development.scm
index 4d3f73c44c..0ca08d5149 100644
--- a/gnu/packages/game-development.scm
+++ b/gnu/packages/game-development.scm
@@ -1133,65 +1133,6 @@ (define-public allegro
     (home-page "https://liballeg.org")
     (license license:bsd-3)))
 
-(define-public aseprite
-  (package
-    (name "aseprite")
-    (version "1.1.7") ; After 1.1.7 the source is no longer distributed under the GPL.
-    ;; TODO: Unbundle third party software.
-    (source (origin
-              (method url-fetch/zipbomb)
-              (uri (string-append "https://github.com/aseprite/aseprite"
-                                  "/releases/download/v" version
-                                  "/Aseprite-v" version "-Source.zip"))
-              (sha256
-               (base32
-                "1plss4i1lfxcznv9p0pip1bkhj7ipw7jlhsh5avd6dzw079l4nvv"))))
-    (build-system cmake-build-system)
-    (arguments
-     '(#:configure-flags
-       ;; Use shared libraries instead of building bundled source.
-       (list "-DWITH_WEBP_SUPPORT=1"
-             "-DUSE_SHARED_CURL=1"
-             "-DUSE_SHARED_GIFLIB=1"
-             "-DUSE_SHARED_JPEGLIB=1"
-             "-DUSE_SHARED_ZLIB=1"
-             "-DUSE_SHARED_LIBPNG=1"
-             "-DUSE_SHARED_LIBLOADPNG=1"
-             "-DUSE_SHARED_LIBWEBP=1"
-             "-DUSE_SHARED_TINYXML=1"
-             "-DUSE_SHARED_PIXMAN=1"
-             "-DUSE_SHARED_FREETYPE=1"
-             "-DUSE_SHARED_ALLEGRO4=1"
-             "-DENABLE_UPDATER=0" ; no auto-updates
-             (string-append "-DFREETYPE_INCLUDE_DIR="
-                            (assoc-ref %build-inputs "freetype")
-                            "/include/freetype2"))))
-    (native-inputs
-     (list pkg-config))
-    ;; TODO: Use a patched Allegro 4 that supports window resizing.  This
-    ;; patched version is bundled with Aseprite, but the patches should be
-    ;; extracted and applied on top of a standalone Allegro 4 package.
-    (inputs
-     `(("allegro" ,allegro-4)
-       ("curl" ,curl)
-       ("freetype" ,freetype)
-       ("giflib" ,giflib)
-       ("libjpeg" ,libjpeg-turbo)
-       ("libpng" ,libpng)
-       ("libwebp" ,libwebp)
-       ("libx11" ,libx11)
-       ("libxext" ,libxext)
-       ("libxxf86vm" ,libxxf86vm)
-       ("pixman" ,pixman)
-       ("tinyxml" ,tinyxml)
-       ("zlib" ,zlib)))
-    (synopsis "Animated sprite editor and pixel art tool")
-    (description "Aseprite is a tool for creating 2D pixel art for video
-games.  In addition to basic pixel editing features, Aseprite can assist in
-the creation of animations, tiled graphics, texture atlases, and more.")
-    (home-page "https://www.aseprite.org/")
-    (license license:gpl2+)))
-
 (define-public libresprite
   (package
     (name "libresprite")
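Review bot: deleting `aseprite` outright will break any profile or manifest that still names it; since the commit message points at libresprite as the libre fork, consider replacing the definition with a deprecation alias, e.g. `(define-public aseprite (deprecated-package "aseprite" libresprite))`, and dropping that alias in a later round. The security rationale is still satisfied that way: the `("allegro" ,allegro-4)` input that motivates the removal is only in the deleted definition, and the libresprite inputs shown in patch 1/4 do not pull in allegro-4.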
-- 
2.46.0





Information forwarded to guix-patches <at> gnu.org:
bug#74335; Package guix-patches. (Wed, 13 Nov 2024 09:06:03 GMT)

Message #14 received at 74335 <at> debbugs.gnu.org:

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 74335 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v1 3/4] gnu: Remove dumb-allegro4.
Date: Wed, 13 Nov 2024 10:05:02 +0100
This package is a leaf package that depends on allegro-4, which has a CVE
and whose development is not supported upstream anymore.

* gnu/packages/music.scm (dumb-allegro4): Delete variable.
---
 gnu/packages/music.scm | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index 980bce6b30..aec13b25a4 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -130,7 +130,6 @@ (define-module (gnu packages music)
   #:use-module (gnu packages fonts)
   #:use-module (gnu packages fontutils)
   #:use-module (gnu packages freedesktop)
-  #:use-module (gnu packages game-development)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages gettext)
   #:use-module (gnu packages ghostscript)
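Review bot: dropping `#:use-module (gnu packages game-development)` from the module header is only safe if `dumb-allegro4` was the sole user of that module in music.scm; any other binding from game-development still referenced in this file would become an unbound variable at load time. Please confirm the module recompiles cleanly (a `make` in the Guix checkout, or building any package from music.scm such as `hydrogen`) before pushing.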
@@ -985,17 +984,6 @@ (define-public dumb
     ;; Therefore, the DUMB license may be considered a free software license.
     (license (license:fsf-free "file://LICENSE"))))
 
-(define-public dumb-allegro4
-  (package
-    (inherit dumb)
-    (name "dumb-allegro4")
-    (arguments
-     (substitute-keyword-arguments (package-arguments dumb)
-       ((#:configure-flags flags)
-        `(cons "-DBUILD_ALLEGRO4=ON" ,(delete "-DBUILD_ALLEGRO4=OFF" flags)))))
-    (inputs
-     (list allegro-4))))
-
 (define-public hydrogen
   (package
     (name "hydrogen")
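Review bot: the removed variant is the only place in this file that lists `allegro-4` as an input, and the `(delete "-DBUILD_ALLEGRO4=OFF" flags)` call being deleted implies the base `dumb` package already configures with Allegro 4 off, so nothing in music.scm still needs it after this hunk. One nit for the commit message: the input is spelled `allegro-4`, not `allegro4`.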
-- 
2.46.0





Information forwarded to guix-patches <at> gnu.org:
bug#74335; Package guix-patches. (Wed, 13 Nov 2024 09:06:03 GMT)

Message #17 received at 74335 <at> debbugs.gnu.org:

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 74335 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v1 4/4] gnu: Remove allegro-4.
Date: Wed, 13 Nov 2024 10:05:03 +0100
This package has a CVE and its development is not supported by
upstream anymore.

* gnu/packages/game-development.scm (allegro-4): Delete variable.
---
 gnu/packages/game-development.scm | 34 -------------------------------
 1 file changed, 34 deletions(-)

diff --git a/gnu/packages/game-development.scm b/gnu/packages/game-development.scm
index 0ca08d5149..c854e533f9 100644
--- a/gnu/packages/game-development.scm
+++ b/gnu/packages/game-development.scm
@@ -1058,40 +1058,6 @@ (define-public love-nuklear
     (home-page "https://github.com/keharriso/love-nuklear/")
     (license license:expat)))
 
-(define-public allegro-4
-  (package
-    (name "allegro")
-    (version "4.4.3.1")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "https://github.com/liballeg/allegro5/"
-                                  "releases/download/" version "/allegro-"
-                                  version ".tar.gz"))
-              (sha256
-               (base32
-                "1m6lz35nk07dli26kkwz3wa50jsrxs1kb6w1nj14a911l34xn6gc"))))
-    (build-system cmake-build-system)
-    (arguments
-     '(#:phases
-       (modify-phases %standard-phases
-         (add-after 'unpack 'patch-build-system
-           (lambda _
-             ;; Build addons as shared libraries.  Trying to set ADDON_LINKAGE
-             ;; via a command line option doesn't work because it is
-             ;; unconditionally clobbered in the build script.
-             (substitute* '("CMakeLists.txt")
-               (("ADDON_LINKAGE STATIC")
-                "ADDON_LINKAGE SHARED")))))))
-    (inputs
-     (list glu libpng libvorbis mesa zlib))
-    (synopsis "Game programming library")
-    (description "Allegro is a library mainly aimed at video game and
-multimedia programming.  It handles common, low-level tasks such as creating
-windows, accepting user input, loading data, drawing images, playing sounds,
-etc.")
-    (home-page "https://liballeg.org")
-    (license license:giftware)))
-
 (define-public allegro
   (package
     (name "allegro")
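Review bot: the commit message justifies a security removal with "a CVE" but records no identifier; please add the CVE id or an upstream advisory link to the message so the rationale can be audited later, and mention whether `guix lint -c cve` flagged the 4.4.3.1 definition being deleted here. Also worth stating in the message that, after patches 2/4 and 3/4, no other package in the tree references `allegro-4`, since the surviving `allegro` package keeps the same `(name "allegro")` and only the 5.x line will remain under that name.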
-- 
2.46.0





Message sent on to Nicolas Graves <ngraves <at> ngraves.fr>:
bug#74335. (Tue, 08 Apr 2025 13:13:03 GMT)

Message #20 received at 74335-submitter <at> debbugs.gnu.org:

From: Steve George <steve <at> futurile.net>
To: 74335-submitter <at> debbugs.gnu.org
Subject: RE: CVE and removal of allegro-4
Date: Tue, 8 Apr 2025 14:11:52 +0100
Hi Nicolas,

In #74335 you're removing allegro-4 due to a CVE. Can you specify which CVE it is and add a link to the issue please?

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=74335

According to the manual the package can be removed due to a security issue so it makes sense, but it would be good to record it correctly.

Thanks,

Futurile / Steve




Reply sent to Andreas Enge <andreas <at> enge.fr>:
You have taken responsibility. (Wed, 30 Apr 2025 13:30:02 GMT)

Notification sent to Nicolas Graves <ngraves <at> ngraves.fr>:
bug acknowledged by developer. (Wed, 30 Apr 2025 13:30:02 GMT)

Message #25 received at 74335-done <at> debbugs.gnu.org:

From: Andreas Enge <andreas <at> enge.fr>
To: Steve George <steve <at> futurile.net>
Cc: 74335-done <at> debbugs.gnu.org, 74335-submitter <at> debbugs.gnu.org
Subject: Re: CVE and removal of allegro-4
Date: Wed, 30 Apr 2025 15:28:58 +0200
Hello!

I have not found a CVE number, but the arguments given by Nicolas are
convincing enough for the package removals. I have pushed.

Thanks!

Andreas





Message sent on to Nicolas Graves <ngraves <at> ngraves.fr>:
bug#74335. (Wed, 30 Apr 2025 13:30:03 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 29 May 2025 11:24:14 GMT)
