Sync from SUSE:SLFO:Main librsvg revision 92ff0e3fce38a14dd93d3f470c3f6600

2024-11-12 12:16:00 +01:00 · 2024-11-12 12:16:00 +01:00 · 7cf37d0711
commit 7cf37d0711
parent d740109963
8 changed files with 310 additions and 50 deletions
--- a/7
+++ b/7
@ -3,7 +3,7 @@
  <service name="obs_scm" mode="manual">
    <param name="url">https://gitlab.gnome.org/GNOME/librsvg.git</param>
    <param name="scm">git</param>
-    <param name="revision">refs/tags/2.56.3</param>
+    <param name="revision">2.59.2</param>
    <param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param>
    <param name="versionrewrite-pattern">(.*)\+0</param>
    <param name="versionrewrite-replacement">\1</param>
@ -13,13 +13,10 @@
  <service name="tar" mode="buildtime"/>
  <service name="recompress" mode="buildtime">
    <param name="file">*.tar</param>
-    <param name="compression">xz</param>
+    <param name="compression">zst</param>
  </service>
  <service name="cargo_vendor" mode="manual">
  <param name="srcdir">librsvg</param>
  <param name="update">true</param>
  </service>
-  <service name="cargo_audit" mode="manual">
-  <param name="srcdir">librsvg</param>
-  </service>
 </services>
--- a/5
+++ b/5
@ -1,5 +0,0 @@
-[source.crates-io]
-replace-with = "vendored-sources"
-
-[source.vendored-sources]
-directory = "vendor"
--- a/librsvg-2.56.3.obscpio
+++ b/librsvg-2.56.3.obscpio
--- a/librsvg-2.59.2.obscpio
+++ b/librsvg-2.59.2.obscpio
--- a/librsvg.changes
+++ b/librsvg.changes
@ -1,3 +1,273 @@
+-------------------------------------------------------------------
+Thu Oct 31 20:40:57 UTC 2024 - Michael Gorse <mgorse@suse.com>
+
+- Change license to LGPL-2.1-or-later AND MIT.
+
+-------------------------------------------------------------------
+Wed Oct 30 06:58:33 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Update to version 2.59.2:
+  + Fix stack overflow due to unbounded recursion.  Now there is
+    a hard limit on the number of nested layers that an SVG
+    document may have.  This is not a hard limit on the amount of
+    stack space consumed, but it is a general mitigation.
+  + Fix regression when rendering paths with very flat elliptical
+    arcs.  This bug was introduced in 2.59.1 as part of the
+    mitigation for paths with coordinates that Cairo is unable to
+    handle.
+  + Fix centering and text-anchor in general for scaled text.
+  + Fix building with Rust 1.82 on Windows (Christoph Reiter).
+  + Make cancellation work for all the resource loading
+    functions.
+  + Add documentation for rsvg-bench to the development guide.
+  + Slight improvement in memory consumption for language tags.
+  + Many updates to the developer's documentation, for Outreachy
+    interns.
+
+-------------------------------------------------------------------
+Sat Sep 28 20:03:57 UTC 2024 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.59.1:
+  + Two mitigations for crashes found throuh fuzz testing:
+    - Cairo is easy to crash by giving it path coordinates that are
+      outside of the range that it can represent internally with
+      its fixed-point arithmetic. Fuzzers usually produce SVGs with
+      very large numbers for coordinates, which overflow Cairo's
+      arithmetic.
+      This is just a *mitigation*, not a complete fix: librsvg will
+      now check if path coordinates are outside of Cairo's
+      supported range, and it will not render shapes with
+      problematic coordinates. However, fuzzers may still produce
+      coordinates that are in range but that still make Cairo
+      crash. I am starting to learn Cairo's code to see if this can
+      be fixed gradually.
+
+-------------------------------------------------------------------
+Mon Sep 16 06:07:46 UTC 2024 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.59.0:
+  + The biggest change in this release is that librsvg now uses the
+    Meson build system instead of autotools.
+  + With Meson, librsvg now builds a lot more reliably on Windows
+    and MacOS.
+  + Librsvg now uses Meson instead of Autotools
+  + There is a -Davif meson option to include support for AVIF in
+    the image-rs crate, which librsvg uses to load raster images.
+  + Librsvg now explicitly builds only its supported raster formats
+    for image-rs: JPEG, PNG, GIF, WEBP, and optional compile-time
+    support for AVIF). Other raster image formats are not
+    supported, to minimize the attack surface.
+  + Librsvg now supports cancellable rendering; you can start
+    rendering an RsvgHandle in one thread, and stop it from another
+    thread with a GCancellable. In the C API, you can use the
+    rsvg_handle_set_cancellable_for_rendering() function; in the
+    Rust API, CairoRenderer now has a with_cancellable() method.
+  + For Rust users, there is now a 'librsvg-rebind' crate that
+    binds the C API for use from Rust. Internally this links to the
+    system's librsvg shared library, in contrast with the 'librsvg'
+    crate, which is statically linked and which has a native Rust
+    API. The 'librsvg-rebind' crate is for cases where the
+    additional code size from static linking is not desired. This
+    librsvg-rebind crate is available from crates.io.
+  + A bunch of fixes to bugs found through fuzz testing.
+- Use ldconfig_scriptlets macro for some of the post(un) handling.
+
+-------------------------------------------------------------------
+Sun Sep 15 08:19:13 UTC 2024 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.58.94:
+  + The minimum supported Rust version (MSRV) is 1.77.2.
+  + Fix assertion failures with large Hue value in hsl() or hwb()
+    colors.
+  + Limit the baseFrequency for feTurbulence to avoid integer
+    overflow.
+  + Only make exported symbols visible in the library's binary.
+  + Fix the -Davif=enabled feature; it was not being handled
+    correctly at compilation time.
+  + Ensure compatibility with Binutils < 2.39.
+  + Build fixes for Windows.
+
+-------------------------------------------------------------------
+Sat Sep 14 08:09:02 UTC 2024 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.58.92:
+  + Librsvg is now part of Google's oss-fuzz and is fuzz-tested
+    automatically - see
+    https://gnome.pages.gitlab.gnome.org/librsvg/devel-docs/oss_fuzz.html
+    for details.
+  + This release has two bug fixes from fuzz testing, and a new API
+    call:
+    - Don't leak XML entities when the XML document fails to parse.
+    - Fix stack overflow in <use> reference cycle.
+    - Librsvg now supports cancellable rendering; you can start
+      rendering an RsvgHandle in one thread, and stop it from
+      another thread with a GCancellable. In the C API, you can use
+      the rsvg_handle_set_cancellable_for_rendering() function; in
+      the Rust API, CairoRenderer now has a with_cancellable()
+      method.
+  + Many build fixes for Windows, MacOS, iOS, and cross-compilation
+  + Continued refactoring for a render tree.
+  + Many fixes to the documentation.
+
+-------------------------------------------------------------------
+Fri Sep 13 08:09:01 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Update to version 2.58.91:
+  + Librsvg now requires cairo version 1.18.0 or later.
+  + Librsvg now explicitly builds only its supported raster
+    formats for image-rs: JPEG, PNG, GIF, WEBP, and optional
+    compile-time support for AVIF. Other raster image formats are
+    not supported, to minimize the attack surface.
+  + Don't generate gdk-pixbuf loaders cache if DESTDIR is set.
+  + Documentation updates for meson.
+  + Document the fact that the default DPI in the C API for
+    RsvgHandle is 90 DPI, unlike rsvg-convert and the Rust API,
+    which use 96 DPI.
+  + Document the security considerations for the image-rs crate
+    and the raster image formats that librsvg supports.
+  + Fix and fine-tune compilation on Windows (MSVC and msys2),
+    MacOS, and Android.
+  + Fix installation when only compiling the static library.
+  + Update Pango for CI and fix a test file. The test suite now
+    includes the DejaVu Sans font, which supports extra
+    glyphs/languages for the test suite.
+- Changesfrom version 2.58.90:
+  + librsvg has been ported to the Meson build system.  Librsvg no
+    longer uses autotools!
+  + Changes in this release:
+    - Librsvg now uses Meson instead of Autotools.
+    - There is a -Davif meson option to include support for AVIF in
+      the image-rs crate, which librsvg uses to load raster images.
+    - Start revamping the fuzzing infrastructure.
+- Add cargo-c and pkgconfig(dav1d) BuildRequires: new dependencies.
+
+-------------------------------------------------------------------
+Thu Sep 12 17:05:38 UTC 2024 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.58.4:
+  + Fix regression when using an SVG inside a feImage element.
+
+-------------------------------------------------------------------
+Fri Aug 16 23:28:29 UTC 2024 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.58.3:
+  + A couple of fixes from fuzz testing:
+    - Fix assertion failures with large Hue value in hsl() or hwb()
+      colors.
+    - Limit the baseFrequency for feTurbulence to avoid integer
+      overflow.
+    - Remove an obsolete test.
+
+-------------------------------------------------------------------
+Fri Jul 12 21:21:35 UTC 2024 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.58.2:
+  + Don't leak XML entities when the XML document fails to parse.
+  + Fix stack overflow in <use> reference cycle.
+
+-------------------------------------------------------------------
+Mon May 27 06:37:49 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Update to version 2.58.1:
+  + Fix failing test with Pango 1.52.1.
+
+-------------------------------------------------------------------
+Mon Mar 18 08:03:01 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Update to version 2.58.0:
+  + The most significant change in this release is that librsvg no
+    longer uses gdk-pixbuf for loading raster images. All image
+    loading uses Rust codecs now.
+  + Librsvg's gdk-pixbuf loader for SVG documents is unchanged; you
+    can still load SVG files from gdk-pixbuf with it as usual.
+  + Add basic support for "ch" length units in CSS.
+  + Support "var(--foo, #aabbcc)" just for colors. This is the
+    minimum required to render color SVG emoji fonts that provide
+    color fallbacks, but it is not yet full support for CSS var().
+  + Limit numOctaves in feTurbulence to avoid unbounded CPU
+    consumption.
+  + Don't panic when a :lang selector has an argument that is not a
+    language-range.
+
+-------------------------------------------------------------------
+Sat Mar  9 18:36:25 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Update to version 2.57.92:
+  + Don't panic when rendering feOffset with a too-large offset.
+  + Don't panic when a decoded image has dimensions of zero.
+
+-------------------------------------------------------------------
+Wed Mar  6 08:52:18 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Update to version 2.57.91:
+  + Rsvg-convert now prints a helpful message if you run it
+    without arguments, to indicate that it is reading from standard
+    input.
+  + Take text orientation into account for 'ch' units
+  + For Rust programs, the rsvg crate no longer depends on
+    gdk-pixbuf. Hopefully this means that your Rust programs will
+    have to link to one fewer library.
+  + The C enumeration RsvgUnit now has a RSVG_UNIT_CH variant for
+    "ch" units. However, this is only used for reporting the size
+    of SVG documents, which should very seldom come in "ch" units.
+  + Fix unsoundness in the use of the selectors crate.
+  + Update gtk-rs crates.
+
+-------------------------------------------------------------------
+Thu Jan  4 17:19:37 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Update to version 2.57.1:
+  + Fix small-caps and bump the version of Pango required to 1.50.0.
+  + Fix panic when using negative scaling transforms on the
+    toplevel.
+  + Support "var(--foo, #aabbcc)" just for colors.  This is the
+    minimum required to render color SVG emoji fonts that provide
+    color fallbacks, but it is not yet full support for CSS var().
+  + Fix the VS2017 build.
+  + Update cairo-rs.
+  + Update the project metadata files.
+
+-------------------------------------------------------------------
+Thu Nov 30 12:36:14 UTC 2023 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Run service with new obs-service-cargo, drop cargo_config as
+  source and clean up spec and service, and switch to zst as
+  buildtime compression.
+
+-------------------------------------------------------------------
+Thu Sep 14 08:45:45 UTC 2023 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.57.0:
+  + rsvg-convert can now output PDF versions 1.4, 1.5, 1.6, in
+    addition to the default 1.7, especially for LaTeX users. See
+    the rsvg-convert(1) man page for options like --format=pdf1.4
+  + Support the image-rendering property.
+  + For consistency with other command-line tools, rsvg-convert now
+    supports an argument "-" to specify the standard input. This is
+    in addition to the already-supported syntax of not specifying
+    an input file at all.
+  + Partial support for the edgeMode attribute in feGaussianBlur,
+    only for small blurs right now.
+  + The minimum supported Rust version (MSRV) is 1.70.0.
+
+-------------------------------------------------------------------
+Tue Sep 12 11:38:48 UTC 2023 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Skip bugs_bug668_small_caps_svg test, started failing with
+  harfbuzz-8.2.0
+
+-------------------------------------------------------------------
+Tue Aug 15 11:45:26 UTC 2023 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 2.56.92:
+  + Fix the build for aarch64.
+  + More extensive logging for filter primitives.
+  + Update gtk-rs-core to 0.18.
+  + Update dependencies.
+  + Include license text in packaged crates.
+  + The minimum supported Rust version (MSRV) is 1.70.0, due to the
+    gtk-rs-core update.
+
 -------------------------------------------------------------------
 Fri Jul 21 10:17:36 UTC 2023 - Bjørn Lie <bjorn.lie@gmail.com>

@ -189,7 +459,7 @@ Fri Aug 26 22:08:17 UTC 2022 - Bjørn Lie <bjorn.lie@gmail.com>
 Fri Jul  8 02:52:20 UTC 2022 - William Brown <william.brown@suse.com>

 - Replace dependency on unmaintained rust-packaging with
-  cargo-packaging.
+  cargo-packaging (boo#1198129).

 -------------------------------------------------------------------
 Mon Jun 20 03:27:28 UTC 2022 - William Brown <william.brown@suse.com>
@ -297,6 +567,15 @@ Fri Mar 18 01:42:21 UTC 2022 - Bjørn Lie <bjorn.lie@gmail.com>
 - Add python3-docutils and pkgconfig(gi-docgen) BuildRequires
  following upstream changes.

+-------------------------------------------------------------------
+Fri Mar 18 01:42:20 UTC 2022 - Federico Mena Quintero <federico@suse.com>
+
+- Update to version 2.52.10:
+
+  + Fix arbitrary file read when href has special characters.
+
+- bsc#1213502 - CVE-2023-38633 - directory traversal in URI decoder.
+
 -------------------------------------------------------------------
 Fri Mar 18 01:42:20 UTC 2022 - Luciano Santos <luc14n0@opensuse.org>

--- a/librsvg.obsinfo
+++ b/librsvg.obsinfo
@ -1,4 +1,4 @@
 name: librsvg
-version: 2.56.3
-mtime: 1689887914
-commit: 312c4b8c28c99b9051ee6de6fa966cf977b0f7b4
+version: 2.59.2
+mtime: 1730236856
+commit: fe6c6b7e5d5dddb751c2ad28188137dc8a50b9f4
--- a/librsvg.spec
+++ b/librsvg.spec
@ -1,7 +1,7 @@
 #
 # spec file for package librsvg
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -20,25 +20,26 @@
 %define librsvg_sover 2

 Name:           librsvg
-Version:        2.56.3
+Version:        2.59.2
 Release:        0
 Summary:        A Library for Rendering SVG Data
-License:        GPL-2.0-or-later AND LGPL-2.0-or-later AND MIT
+License:        LGPL-2.1-or-later AND MIT
 Group:          Development/Libraries/C and C++
 URL:            https://wiki.gnome.org/Projects/LibRsvg
-Source:         %{name}-%{version}.tar.xz
-Source2:        vendor.tar.zst
-Source3:        cargo_config
+Source0:        %{name}-%{version}.tar.zst
+Source1:        vendor.tar.zst
 Source99:       baselibs.conf

+BuildRequires:  cargo-c
 BuildRequires:  cargo-packaging >= 1.2.0+3
 BuildRequires:  gobject-introspection-devel
-BuildRequires:  libtool
+BuildRequires:  meson
 BuildRequires:  pkgconfig
 BuildRequires:  python3-docutils
 BuildRequires:  vala
-BuildRequires:  pkgconfig(cairo) >= 1.16.0
+BuildRequires:  pkgconfig(cairo) >= 1.18.0
 BuildRequires:  pkgconfig(cairo-png) >= 1.2.0
+BuildRequires:  pkgconfig(dav1d)
 BuildRequires:  pkgconfig(fontconfig)
 BuildRequires:  pkgconfig(freetype2) >= 20.0.14
 BuildRequires:  pkgconfig(gdk-pixbuf-2.0) >= 2.20
@ -135,42 +136,30 @@ This package contains a thumbnailer to render SVG (scalable vector
 graphics) data.

 %prep
-%autosetup -p1 -a2
-mkdir .cargo
-cp %{SOURCE3} .cargo/config
+%autosetup -p1 -a1

 %build
-export RUSTFLAGS="%{build_rustflags}"
-NOCONFIGURE=1 ./autogen.sh
-%configure \
-	--disable-static\
-	--enable-introspection\
-	--enable-vala \
-	%{nil}
-%make_build
+%meson
+%meson_build

 %install
-export RUSTFLAGS="%{build_rustflags}"
-%make_install
-find %{buildroot} -type f -name "*.la" -delete -print
-# %%doc is used to package such contents
-rm -rf %{buildroot}%{_datadir}/doc/%{name}/CO*.md
+%meson_install

 %check
-export RUSTFLAGS="%{build_rustflags}"
+export LANG=C
 %ifarch x86_64 %{?x86_64}
 # 2023-01-15: the pdf-related tests are failing (bsc#1207167)
 # 2023-03-17 cairo-1.17.8 filter_morphology svg test is failing
-%{cargo_test} -- --skip pdf_has_text --skip pdf_has_link --skip filter_morphology_from_reference_page_svg
+%{cargo_test} -- \
+--skip pdf_has_text --skip pdf_has_link \
+--skip filter_morphology_from_reference_page_svg --skip bugs_bug668_small_caps_svg
 %endif

-%post -n librsvg-2-%{librsvg_sover} -p /sbin/ldconfig
+%ldconfig_scriptlets -n librsvg-2-%{librsvg_sover}

 %post -n gdk-pixbuf-loader-rsvg
 %{gdk_pixbuf_loader_post}

-%postun -n librsvg-2-%{librsvg_sover} -p /sbin/ldconfig
-
 %postun -n gdk-pixbuf-loader-rsvg
 %{gdk_pixbuf_loader_postun}

@ -183,7 +172,7 @@ export RUSTFLAGS="%{build_rustflags}"
 %{_libdir}/girepository-1.0/Rsvg-2.0.typelib

 %files -n gdk-pixbuf-loader-rsvg
-%{_libdir}/gdk-pixbuf-2.0/*/loaders/libpixbufloader-svg.so
+%{_libdir}/gdk-pixbuf-2.0/*/loaders/libpixbufloader_svg.so

 %files -n rsvg-convert
 %{_bindir}/rsvg-convert
@ -195,7 +184,6 @@ export RUSTFLAGS="%{build_rustflags}"

 %files devel
 %doc AUTHORS
-%doc %{_datadir}/doc/%{name}/
 %doc %{_datadir}/doc/Rsvg-2.0/
 %{_includedir}/librsvg-2.0/
 %{_libdir}/librsvg-2.so
@ -203,5 +191,6 @@ export RUSTFLAGS="%{build_rustflags}"
 %{_datadir}/gir-1.0/Rsvg-2.0.gir
 %dir %{_datadir}/vala/vapi
 %{_datadir}/vala/vapi/librsvg-2.0.vapi
+%{_datadir}/vala/vapi/librsvg-2.0.deps

 %changelog
--- a/vendor.tar.zst
+++ b/vendor.tar.zst