openpnp / opencv

OpenCV Java bindings packaged with native libraries, seamlessly delivered as a turn-key Maven dependency.

Why is the libjpeg 6b lib present in the 4.3.0-2 opencv jar dependency when it is not used? libjpeg-turbo is used by default in OpenCV from version 3.4.2 #72

Closed maheshrajus closed 1 year ago

maheshrajus commented 3 years ago

Hi OpenPnp/OpenCv community,

Why is libjpeg (the version 6b lib) present in the 4.3.0-2 opencv jar dependency when it is not used? libjpeg-turbo is used by default in OpenCV from version 3.4.2. Reference: https://github.com/opencv/opencv/tree/master/3rdparty

WITH_JPEG CMake option must be ON to add libjpeg or libjpeg-turbo support to imgcodecs.
BUILD_JPEG=ON selects libjpeg-turbo by default (since OpenCV 3.4.2).
Enable BUILD_JPEG_TURBO_DISABLE=ON to force using of libjpeg (this option is removed in OpenCV 4.0).

If the libjpeg usage option is removed from OpenCV version 4.0, why are we maintaining it in the JAR package?

opencv-4.5.1-0.jar/nu/pattern/opencv/windows/x86_64/opencv_java451.dll
opencv-4.5.1-0.jar/nu/pattern/opencv/linux/x86_64/libopencv_java451.so

libjpeg version 6b has some vulnerabilities, CVE-2020-14152 and CVE-2020-14153. So when we use any package (4.3.0-2, 4.3.0-3 and 4.5.1-0), similar issues show up for libjpeg version 6b.

Can you please help us understand why we are maintaining libjpeg in the latest versions even though it is not used?

vonnieda commented 3 years ago

See https://github.com/openpnp/opencv/blob/develop/.github/workflows/build.yml#L259 for the build command being used, and let me know (or submit a PR) if there are changes that will help with this.
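One way to check which JPEG library strings are actually embedded in the native libraries packaged in the jar, as raised in the question above. This is an added example, not code from this thread or from the openpnp/opencv project; the marker patterns are assumptions about what such libraries embed, and the sample jar is constructed so the script runs offline.

```python
import io
import re
import zipfile

# Assumed markers (not taken from the thread): an IJG-style version banner
# such as "6b  27-Mar-1998", and any string that names libjpeg-turbo.
MARKERS = {
    "ijg_version_banner": re.compile(rb"\b\d{1,2}[a-z]?\s{1,2}\d{1,2}-[A-Z][a-z]{2}-\d{4}\b"),
    "libjpeg_turbo": re.compile(rb"libjpeg-turbo[ -~]{0,40}", re.I),
}
NATIVE_SUFFIXES = (".so", ".dll", ".dylib")
PRINTABLE = re.compile(rb"[ -~]{6,}")  # printable ASCII runs, like strings(1)

# Entry names follow the jar layout quoted in the issue.
SO_NAME = "nu/pattern/opencv/linux/x86_64/libopencv_java451.so"
DLL_NAME = "nu/pattern/opencv/windows/x86_64/opencv_java451.dll"


def scan_jar(jar_bytes):
    """Return {native entry: {marker: [matched strings]}} for a jar's bytes."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.lower().endswith(NATIVE_SUFFIXES):
                continue  # only native libraries are of interest
            hits = {}
            for run in PRINTABLE.findall(jar.read(name)):
                for label, pattern in MARKERS.items():
                    match = pattern.search(run)
                    if match:
                        hits.setdefault(label, []).append(match.group().decode("ascii"))
            report[name] = hits
    return report


def build_sample_jar():
    """Constructed stand-in jar; its bytes are invented, not the real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(SO_NAME, b"\x7fELF\x02\x01\x00" + b"6b  27-Mar-1998\x00"
                     + b"Copyright (constructed) The libjpeg-turbo Project\x00")
        jar.writestr(DLL_NAME, b"MZ\x90\x00constructed strings without markers\x00")
        jar.writestr("example/NotNative.class", b"\xca\xfe\xba\xbe not scanned")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_jar(build_sample_jar()).items():
        print(entry, hits or "no JPEG library markers found")
```

To scan a real artifact, pass the jar file's bytes to `scan_jar` and compare the markers it reports against what the dependency scanner flagged.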