giflib*: update to 6.1.2

0-wiz-0 · 0-wiz-0 · commit 4807dbce4bcc · 2026-03-10T20:40:57.000Z
Version 6.1.2 ============= Code Fixes ---------- * Fix for low-severity CVE-2026-23868 affecting gifponge, giftool, and gifbuild, but not the core library - library clients need not be alarned. Version 6.1.1 ============= This release bumps the major version, but only one entry point - EGifSpew() - has changed signature and behavior (in order to be able to pass out a detailed error code). The internal error codes in the E_GIF_ERR series have changed value so none of them collides with GIF_ERROR. This code has been systematically audited and hardened wuth ChatGPT-5.2. The only library fixes reported by users or found by robot were for some memory leaks that could only triggered by severely malformed GIFs. Other bugs are edge-case failures in the CLI tools. The gif2rbg CLI tool has been moved to the "obsolete" bin, because its only deployment case in 2026 is as a piñata at fuzzer parties. Warning: the CLI tools in the obsolete category will soon be removed from the distribution entirely. The maintainer is tired of fielding junk bugs filed against them by would-be coup-counters who found yet another edge case, and the rest of the world doesn't need noisy CVEs that aren't actually DoS or security issues for giflib clients. Code Fixes ---------- * Fix for CVE-2021-40633. * Fix SF bug NetBSD#165 EGifSpew leaks GifFileOut->SColorMap * Fix SF bug NetBSD#171 ImageMagick required to build giflib on non-Darwin Platforms * Fix SF bug NetBSD#172 Incorrect object files in shared libutil on darwin * Fix SF bug NetBSD#173 installation of manual pages and html documentation * Fix SF bug NetBSD#175 Memory leaks in gifecho.c's main() and in gifalloc.c's GifMakeMapObject * Fix SF bug NetBSD#177 wrong pointer used in giftool getbool * Fix SF bug NetBSD#179 Path Traversal vulnerability * Fix SF bug #180: -Wformat-truncation likely pointing out an actual bug * Fix SF bug #182 out‐of‐bounds writes in Icon2Gif * Fix SF bug #184 uninitialized buffer in DumpScreen2RGB * Fix SF bug #185 integer overflow in gifbg.c * Fix SF bug #186 integer overflow in Icon2Gif * Fix SF bug #187: CVE-2025-31344 * Fix SF bug NetBSD#170 Tests failing on Ubuntu Noble, giftext buffer overflow * Fix SF bug NetBSD#165 EGifSpew leaks GifFileOut->SColorMap * Fix SF bug NetBSD#162 detected memory leaks in GifMakeSavedImage giflib/gifalloc.c * Fix SF bug NetBSD#161 detected memory leaks in EGifOpenFileHandle giflib/egif_lib.c * Fix SF bug NetBSD#142 ABI break public symbol GifQuantizeBuffer Other bugs that duplicate these have breen addressesed by these fixes * SF bug NetBSD#156 EGifSpew leaks SavedImages (and more); won't fix, caller might want to write a GIF, modify the in-memory data, then write again. Tests ----- Test suite now emits TAP (Test Anything Protocol).
diff --git a/graphics/giflib-util/Makefile b/graphics/giflib-util/Makefile
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.16 2025/05/04 11:19:20 nia Exp $
+# $NetBSD: Makefile,v 1.17 2026/03/10 20:40:57 wiz Exp $
 
 .include "../../graphics/giflib/Makefile.common"
 
 PKGNAME=	${DISTNAME:S/-/-util-/}
-PKGREVISION=	1
 
 COMMENT=	GIF image format utility
 
diff --git a/graphics/giflib-util/PLIST b/graphics/giflib-util/PLIST
@@ -1,5 +1,4 @@
-@comment $NetBSD: PLIST,v 1.6 2024/09/18 23:02:59 nia Exp $
-bin/gif2rgb
+@comment $NetBSD: PLIST,v 1.7 2026/03/10 20:40:57 wiz Exp $
 bin/gifbuild
 bin/gifclrmp
 bin/giffix
diff --git a/graphics/giflib/Makefile b/graphics/giflib/Makefile
@@ -1,18 +1,18 @@
-# $NetBSD: Makefile,v 1.60 2025/05/04 11:19:19 nia Exp $
+# $NetBSD: Makefile,v 1.61 2026/03/10 20:40:57 wiz Exp $
 
 .include "Makefile.common"
 
-PKGREVISION=	1
-
 COMMENT=	GIF image format library
 
 CONFLICTS+=	libungif-[0-9]*
 
 # clang: error: no such file or directory: 'dgif_lib.o'
 # clang: error: no such file or directory: 'egif_lib.o'
-MAKE_JOBS_SAFE=		no
+#MAKE_JOBS_SAFE=		no
 
 INSTALL_TARGET=		install-include
 INSTALL_TARGET+=	install-lib
 
+TEST_TARGET=		check
+
 .include "../../mk/bsd.pkg.mk"
diff --git a/graphics/giflib/Makefile.common b/graphics/giflib/Makefile.common
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile.common,v 1.16 2025/11/17 11:00:55 wiz Exp $
+# $NetBSD: Makefile.common,v 1.17 2026/03/10 20:40:57 wiz Exp $
 # used by graphics/giflib/Makefile
 # used by graphics/giflib-util/Makefile
 
-DISTNAME=	giflib-5.2.2
+DISTNAME=	giflib-6.1.2
 CATEGORIES=	graphics
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=giflib/}
 
@@ -16,3 +16,5 @@ DISTINFO_FILE=	${.CURDIR}/../../graphics/giflib/distinfo
 USE_LANGUAGES=		c c++
 USE_LIBTOOL=		yes
 USE_TOOLS+=		gmake
+
+CFLAGS.NetBSD+=	-DHAVE_REALLOCARRAY
diff --git a/graphics/giflib/distinfo b/graphics/giflib/distinfo
@@ -1,7 +1,6 @@
-$NetBSD: distinfo,v 1.31 2025/05/04 11:19:19 nia Exp $
+$NetBSD: distinfo,v 1.32 2026/03/10 20:40:57 wiz Exp $
 
-BLAKE2s (giflib-5.2.2.tar.gz) = 2a24163a1af876f9241b5971a7e523f054d131661435e4a3ab11b7cf6acc20f1
-SHA512 (giflib-5.2.2.tar.gz) = 0865ab2b1904fa14640c655fdb14bb54244ad18a66e358565c00287875d00912343f9be8bfac7658cc0146200d626f7ec9160d7a339f20ba3be6b9941d73975f
-Size (giflib-5.2.2.tar.gz) = 447175 bytes
-SHA1 (patch-CVE-2025-31344) = ea977fd36f1e7bb03844dd8eae9a6e70ceb5d4d6
-SHA1 (patch-Makefile) = f7dcce252760dfdcafee46513936d6a2a6fcd668
+BLAKE2s (giflib-6.1.2.tar.gz) = 4a11ffb04a0e4b68025385a55e5d96141349612c91444b66152f8b9fba045004
+SHA512 (giflib-6.1.2.tar.gz) = 523cf2a9941c6ddb903bf5ec22ecbf5a283c9470c1c85229360ab4137227a9e4a64b799e3ff0ca1f9f3b9de0fafe197a43fccd3c043239e76561f7b5ede59193
+Size (giflib-6.1.2.tar.gz) = 469032 bytes
+SHA1 (patch-Makefile) = 6f702c821b4da37ce126a6c896ac1b75884f09b6
diff --git a/graphics/giflib/patches/patch-CVE-2025-31344 b/graphics/giflib/patches/patch-CVE-2025-31344
diff --git a/graphics/giflib/patches/patch-Makefile b/graphics/giflib/patches/patch-Makefile
@@ -1,58 +1,38 @@
-$NetBSD: patch-Makefile,v 1.9 2024/09/19 09:01:15 nia Exp $
+$NetBSD: patch-Makefile,v 1.10 2026/03/10 20:40:57 wiz Exp $
 
 - Libtoolize.
 - Allow override of PREFIX.
 - Allow separate installation of utilities.
 - Move quantize.c back into libgif.so to fix various library users.
 
---- Makefile.orig	2024-02-19 01:01:50.000000000 +0000
+--- Makefile.orig	2026-03-10 17:50:52.000000000 +0000
 +++ Makefile
-@@ -8,13 +8,13 @@
- #
- OFLAGS = -O0 -g
- OFLAGS  = -O2
--CFLAGS  = -std=gnu99 -fPIC -Wall -Wno-format-truncation $(OFLAGS)
-+CFLAGS += -std=gnu99 -fPIC
- 
- SHELL = /bin/sh
- TAR = tar
- INSTALL = install
- 
--PREFIX = /usr/local
-+PREFIX?= /usr/local
- BINDIR = $(PREFIX)/bin
- INCDIR = $(PREFIX)/include
- LIBDIR = $(PREFIX)/lib
-@@ -29,13 +29,13 @@ LIBPOINT=0
- LIBVER=$(LIBMAJOR).$(LIBMINOR).$(LIBPOINT)
- 
+@@ -36,11 +36,11 @@ HEADERS = gif_hash.h  gif_lib.h  gif_lib_private.h
  SOURCES = dgif_lib.c egif_lib.c gifalloc.c gif_err.c gif_font.c \
--	gif_hash.c openbsd-reallocarray.c
-+	gif_hash.c openbsd-reallocarray.c quantize.c
+ 	gif_hash.c openbsd-reallocarray.c quantize.c
  HEADERS = gif_hash.h  gif_lib.h  gif_lib_private.h
 -OBJECTS = $(SOURCES:.c=.o)
 +OBJECTS = $(SOURCES:.c=.lo)
  
--USOURCES = qprintf.c quantize.c getarg.c 
-+USOURCES = qprintf.c getarg.c 
+ USOURCES = qprintf.c getarg.c
  UHEADERS = getarg.h
 -UOBJECTS = $(USOURCES:.c=.o)
 +UOBJECTS = $(USOURCES:.c=.lo)
  
  UNAME:=$(shell uname)
  
-@@ -61,7 +61,7 @@ UTILS = $(INSTALLABLE) \
- 	gifsponge \
- 	gifwedge
+@@ -75,7 +75,7 @@ UTILS = $(INSTALLABLE) \
+ 	gifwedge \
+ 	gif2rgb
  
 -LDLIBS=libgif.a -lm
 +LDLIBS=-lm
  
- MANUAL_PAGES = \
- 	doc/gif2rgb.xml \
-@@ -72,45 +72,30 @@ MANUAL_PAGES = \
- 	doc/giftext.xml \
- 	doc/giftool.xml
+ MANUAL_PAGES_1 = \
+ 	doc/gifbuild.xml \
+@@ -91,52 +91,37 @@ MANUAL_PAGES_7_MAN = $(MANUAL_PAGES_7:%.xml=%.7)
+ MANUAL_PAGES_1_MAN = $(MANUAL_PAGES_1:%.xml=%.1)
+ MANUAL_PAGES_7_MAN = $(MANUAL_PAGES_7:%.xml=%.7)
  
 -SOEXTENSION	= so
 +SOEXTENSION	= la
@@ -70,66 +50,79 @@ $NetBSD: patch-Makefile,v 1.9 2024/09/19 09:01:15 nia Exp $
 -LIBUTILSOMAJOR	= libutil.$(LIBMAJOR).$(SOEXTENSION)
 -endif
  
--all: $(LIBGIFSO) libgif.a $(LIBUTILSO) libutil.a $(UTILS)
+ SHARED_LIBS = $(LIBGIFSO) $(LIBUTILSO)
+ STATIC_LIBS = libgif.a libutil.a
+ 
+-all: shared-lib static-lib $(UTILS)
 -ifeq ($(UNAME), Darwin)
 -else
 -	$(MAKE) -C doc
 -endif
 +all: $(LIBGIFSO) $(LIBUTILSO)
  
--$(UTILS):: libgif.a libutil.a
+-$(UTILS):: $(STATIC_LIBS)
 +.SUFFIXES: .lo
  
+ shared-lib: $(SHARED_LIBS)
+ 
+ static-lib: $(STATIC_LIBS)
+ 
 -$(LIBGIFSO): $(OBJECTS) $(HEADERS)
 -ifeq ($(UNAME), Darwin)
 -	$(CC) $(CFLAGS) -dynamiclib -current_version $(LIBVER) $(OBJECTS) -o $(LIBGIFSO)
 -else
--	$(CC) $(CFLAGS) -shared $(LDFLAGS) -Wl,-soname -Wl,$(LIBGIFSOMAJOR) -o $(LIBGIFSO) $(OBJECTS)
+-	$(CC) $(CFLAGS) $(CPPFLAGS) -shared $(LDFLAGS) -Wl,-soname -Wl,$(LIBGIFSOMAJOR) -o $(LIBGIFSO) $(OBJECTS)
 -endif
 +.c.lo:
 +	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CFLAGS) -c $<
-+
-+.libs/libgif.a: $(LIBGIFSO)
-+.libs/libutil.a: $(LIBUTILSO)
  
 -libgif.a: $(OBJECTS) $(HEADERS)
 -	$(AR) rcs libgif.a $(OBJECTS)
++.libs/libgif.a: $(LIBGIFSO)
++.libs/libutil.a: $(LIBUTILSO)
+ 
 +$(UTILS): .libs/libutil.a .libs/libgif.a
 +
 +$(LIBGIFSO): $(OBJECTS) $(HEADERS)
 +	$(LIBTOOL) --mode=link --tag=CC $(CC) $(CFLAGS) $(LDFLAGS) -version-info $(LIBMAJOR):0:0 -rpath $(PREFIX)/lib -o $(LIBGIFSO) $(OBJECTS)
- 
++
  $(LIBUTILSO): $(UOBJECTS) $(UHEADERS)
 -ifeq ($(UNAME), Darwin)
--	$(CC) $(CFLAGS) -dynamiclib -current_version $(LIBVER) $(OBJECTS) -o $(LIBUTILSO)
+-	$(CC) $(CFLAGS) -dynamiclib -current_version $(LIBVER) $(UOBJECTS) -o $(LIBUTILSO)
 -else
--	$(CC) $(CFLAGS) -shared $(LDFLAGS) -Wl,-soname -Wl,$(LIBUTILMAJOR) -o $(LIBUTILSO) $(UOBJECTS)
+-	$(CC) $(CFLAGS) $(CPPLAGS) -shared $(LDFLAGS) -Wl,-soname -Wl,$(LIBUTILSOMAJOR) -o $(LIBUTILSO) $(UOBJECTS)
 -endif
 +	$(LIBTOOL) --mode=link --tag=CC $(CC) $(CFLAGS) $(LDFLAGS) -version-info $(LIBMAJOR):0:0 -rpath $(PREFIX)/lib -o $(LIBUTILSO) $(UOBJECTS)
  
  libutil.a: $(UOBJECTS) $(UHEADERS)
  	$(AR) rcs libutil.a $(UOBJECTS)
-@@ -129,11 +114,7 @@ reflow:
+@@ -166,11 +151,7 @@ spellcheck:
  
- # Installation/uninstallation
+ # Install/uninstall
  
 -ifeq ($(UNAME), Darwin)
 -install: all install-bin install-include install-lib
 -else
- install: all install-bin install-include install-lib install-man
+ install: all install-bin install-include install-lib install-man install-doc
 -endif
  
  install-bin: $(INSTALLABLE)
  	$(INSTALL) -d "$(DESTDIR)$(BINDIR)"
-@@ -143,10 +124,7 @@ install-include:
+@@ -178,15 +159,9 @@ install-include:
+ install-include:
+ 	$(INSTALL) -d "$(DESTDIR)$(INCDIR)"
  	$(INSTALL) -m 644 gif_lib.h "$(DESTDIR)$(INCDIR)"
- install-lib:
+-install-static-lib:
++install-lib:
  	$(INSTALL) -d "$(DESTDIR)$(LIBDIR)"
 -	$(INSTALL) -m 644 libgif.a "$(DESTDIR)$(LIBDIR)/libgif.a"
+-install-shared-lib:
+-	$(INSTALL) -d "$(DESTDIR)$(LIBDIR)"
 -	$(INSTALL) -m 755 $(LIBGIFSO) "$(DESTDIR)$(LIBDIR)/$(LIBGIFSOVER)"
 -	ln -sf $(LIBGIFSOVER) "$(DESTDIR)$(LIBDIR)/$(LIBGIFSOMAJOR)"
 -	ln -sf $(LIBGIFSOMAJOR) "$(DESTDIR)$(LIBDIR)/$(LIBGIFSO)"
+-install-lib: install-static-lib install-shared-lib
 +	$(LIBTOOL) --mode=install --tag=CC $(BSD_INSTALL_LIB) $(LIBGIFSO) "$(DESTDIR)$(LIBDIR)"
  install-man:
- 	$(INSTALL) -d "$(DESTDIR)$(MANDIR)/man1"
- 	$(INSTALL) -m 644 $(MANUAL_PAGES) "$(DESTDIR)$(MANDIR)/man1"
+ 	$(INSTALL) -d "$(DESTDIR)$(MANDIR)/man1" "$(DESTDIR)$(MANDIR)/man7"
+ 	$(INSTALL) -m 644 $(MANUAL_PAGES_1_MAN) "$(DESTDIR)$(MANDIR)/man1"
