emscripten-ports / libpng


Update libpng to newer version #4

Open HCLJason opened 3 years ago

HCLJason commented 3 years ago

The current libpng is on 1.6.18, and there are multiple vulnerabilities. Looking at the main libpng page, there are multiple that affect this port.

CVE-2019-7317, CVE-2015-7981, CVE-2015-8126, CVE-2016-10087

Can we please update this to include the changes from the newest version (currently 1.6.37)?

kripken commented 3 years ago

Sounds good. Assuming we can use the upstream repo as discussed in the other issue, then to upgrade, a PR to emscripten-core/emscripten would just need to update tools/ports/libpng.py to a new revision (and switch repos).

HCLJason commented 3 years ago

I did have trouble compiling it if we named the release anything but version_1. When I checked for a hard-coded version_1, grep turned up empty.

We need to merge the PR, create a new release, then add the sha512 into the tools/ports/libpng.py file.

kripken commented 3 years ago

Not sure I follow. Why does the name version_1 matter?

Several emscripten ports do not use version_X names, and they use non-ports repos, for example see icu.

HCLJason commented 3 years ago

I'm not sure. It threw path errors when I used v1.6.37 and version_2. I tested using a version_1 tag of the v1.6.37 branch and it worked.

kripken commented 3 years ago

Can you attach the patch you tried with? I can take a look at it locally. It seems like this should work, so maybe you've hit a bug.

HCLJason commented 3 years ago

Yes.

Patch (for freetype, since I'm updating that to use upstream and it's failing):

# Upstream tag to fetch and the SHA-512 of its snapshot tarball
TAG = 'VER-2-10-4'
HASH = '795dfc6b3f14b25cda4f2e76637e7453390ef775bd6b7dc380d5aa03d923890bdff46d3f40e52b54a49c05207efa4e9cbdc9281cb5babb51750919bbda1c80b9'

def needed(settings):
    return settings.USE_FREETYPE

def get(ports, settings, shared):
    # Fetch the snapshot tarball for TAG, checked against HASH
    ports.fetch_project('freetype', 'http://git.savannah.gnu.org/cgit/freetype/freetype2.git/snapshot/freetype2-' + TAG + '.tar.gz', 'FreeType-' + TAG, sha512hash=HASH)

Build logs with the error:

system_libs:INFO: retrieving port: freetype from http://git.savannah.gnu.org/cgit/freetype/freetype2.git/snapshot/freetype2-VER-2-10-4.tar.gz
system_libs:INFO: unpacking port: freetype
cache:INFO: generating port: sysroot/lib/wasm32-emscripten/libfreetype.a... (this will be cached in "/local/emsdk/upstream/emscripten/cache/sysroot/lib/wasm32-emscripten/libfreetype.a" for subsequent builds)
configure: cmake -B/local/emsdk/upstream/emscripten/cache/ports-builds/freetype -H/local/emsdk/upstream/emscripten/cache/ports/freetype/FreeType-VER-2-10-4 -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/local/emsdk/upstream/emscripten/cache/ports-builds/freetype -DCMAKE_CXX_FLAGS="-pthread" -DCMAKE_C_FLAGS="-pthread" -DCMAKE_TOOLCHAIN_FILE=/local/emsdk/upstream/emscripten/cmake/Modules/Platform/Emscripten.cmake -DCMAKE_CROSSCOMPILING_EMULATOR="/local/emsdk/node/14.15.5_64bit/bin/node"

CMake Error: The source directory "/local/emsdk/upstream/emscripten/cache/ports/freetype/FreeType-VER-2-10-4" does not exist.
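
Added example, not part of the thread or of emscripten's code: a check to run on a downloaded port archive before pinning it in a ports file. It verifies the SHA-512 and compares the archive's top-level directory with the subdirectory name given to `fetch_project`. The sample archive and its directory name are constructed, the helper names are hypothetical, and treating the third `fetch_project` argument as the unpack directory is an assumption.

```python
import hashlib
import io
import tarfile


def make_sample_tarball(top_dir):
    """Build a small .tar.gz in memory (constructed sample, not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"cmake_minimum_required(VERSION 3.0)\n"
        info = tarfile.TarInfo(name=top_dir + "/CMakeLists.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def top_level_dirs(archive_bytes):
    """Return the set of first path components found in the archive."""
    roots = set()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name[2:] if member.name.startswith("./") else member.name
            roots.add(name.split("/", 1)[0])
    return roots


def check_port_archive(archive_bytes, expected_sha512, expected_subdir):
    """Return a list of problems; an empty list means the pin is consistent."""
    problems = []
    actual = hashlib.sha512(archive_bytes).hexdigest()
    if actual != expected_sha512.lower():
        problems.append("sha512 mismatch: got " + actual)
    roots = top_level_dirs(archive_bytes)
    if roots != {expected_subdir}:
        problems.append("archive unpacks to %s, not %r" % (sorted(roots), expected_subdir))
    return problems


if __name__ == "__main__":
    # Constructed archive whose directory name is an assumption for the demo.
    blob = make_sample_tarball("freetype2-VER-2-10-4")
    pin = hashlib.sha512(blob).hexdigest()
    for subdir in ("FreeType-VER-2-10-4", "freetype2-VER-2-10-4"):
        print(subdir, "->", check_port_archive(blob, pin, subdir) or "ok")
```
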