diff --git a/_service b/_service index 00d96c9..3842945 100644 --- a/_service +++ b/_service @@ -3,7 +3,7 @@ https://gitlab.gnome.org/GNOME/librsvg.git git - refs/tags/2.56.3 + 2.59.2 @PARENT_TAG@+@TAG_OFFSET@ (.*)\+0 \1 @@ -13,13 +13,10 @@ *.tar - xz + zst librsvg true - - librsvg - diff --git a/cargo_config b/cargo_config deleted file mode 100644 index 6fb4ff4..0000000 --- a/cargo_config +++ /dev/null @@ -1,5 +0,0 @@ -[source.crates-io] -replace-with = "vendored-sources" - -[source.vendored-sources] -directory = "vendor" \ No newline at end of file diff --git a/librsvg-2.56.3.obscpio b/librsvg-2.56.3.obscpio deleted file mode 100644 index f429563..0000000 --- a/librsvg-2.56.3.obscpio +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9d5687e9204347c696a4bed63e5ecdc6db5d28c0860408f1cd7823d6fce963a8 -size 14294541 diff --git a/librsvg-2.59.2.obscpio b/librsvg-2.59.2.obscpio new file mode 100644 index 0000000..5d1fd34 --- /dev/null +++ b/librsvg-2.59.2.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b5e966328f1bfda38f749efb35ff87d316696fdc3959b69bb61dc22bb978a7ed +size 16623117 diff --git a/librsvg.changes b/librsvg.changes index 2a2bd33..905237e 100644 --- a/librsvg.changes +++ b/librsvg.changes 
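Review bot: The source revision in `_service` changes from the fully qualified `refs/tags/2.56.3` to the bare name `2.59.2`. The XML markup is not visible on this page, so I am assuming this value is the `revision` parameter. A bare name can resolve to a branch as well as a tag, so I would keep the qualified form `refs/tags/2.59.2` to make sure the service only ever follows the release tag. When reviewing the update, compare the `commit:` value written to `librsvg.obsinfo` in this same commit against the upstream tag.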
@@ -1,3 +1,273 @@ +------------------------------------------------------------------- +Thu Oct 31 20:40:57 UTC 2024 - Michael Gorse + +- Change license to LGPL-2.1-or-later AND MIT. + +------------------------------------------------------------------- +Wed Oct 30 06:58:33 UTC 2024 - Dominique Leuenberger + +- Update to version 2.59.2: + + Fix stack overflow due to unbounded recursion. Now there is + a hard limit on the number of nested layers that an SVG + document may have. This is not a hard limit on the amount of + stack space consumed, but it is a general mitigation. + + Fix regression when rendering paths with very flat elliptical + arcs. This bug was introduced in 2.59.1 as part of the + mitigation for paths with coordinates that Cairo is unable to + handle. + + Fix centering and text-anchor in general for scaled text. + + Fix building with Rust 1.82 on Windows (Christoph Reiter). + + Make cancellation work for all the resource loading + functions. + + Add documentation for rsvg-bench to the development guide. + + Slight improvement in memory consumption for language tags. + + Many updates to the developer's documentation, for Outreachy + interns. + +------------------------------------------------------------------- +Sat Sep 28 20:03:57 UTC 2024 - Bjørn Lie + +- Update to version 2.59.1: + + Two mitigations for crashes found throuh fuzz testing: + - Cairo is easy to crash by giving it path coordinates that are + outside of the range that it can represent internally with + its fixed-point arithmetic. Fuzzers usually produce SVGs with + very large numbers for coordinates, which overflow Cairo's + arithmetic. + This is just a *mitigation*, not a complete fix: librsvg will + now check if path coordinates are outside of Cairo's + supported range, and it will not render shapes with + problematic coordinates. However, fuzzers may still produce + coordinates that are in range but that still make Cairo + crash. 
I am starting to learn Cairo's code to see if this can + be fixed gradually. + +------------------------------------------------------------------- +Mon Sep 16 06:07:46 UTC 2024 - Bjørn Lie + +- Update to version 2.59.0: + + The biggest change in this release is that librsvg now uses the + Meson build system instead of autotools. + + With Meson, librsvg now builds a lot more reliably on Windows + and MacOS. + + Librsvg now uses Meson instead of Autotools + + There is a -Davif meson option to include support for AVIF in + the image-rs crate, which librsvg uses to load raster images. + + Librsvg now explicitly builds only its supported raster formats + for image-rs: JPEG, PNG, GIF, WEBP, and optional compile-time + support for AVIF). Other raster image formats are not + supported, to minimize the attack surface. + + Librsvg now supports cancellable rendering; you can start + rendering an RsvgHandle in one thread, and stop it from another + thread with a GCancellable. In the C API, you can use the + rsvg_handle_set_cancellable_for_rendering() function; in the + Rust API, CairoRenderer now has a with_cancellable() method. + + For Rust users, there is now a 'librsvg-rebind' crate that + binds the C API for use from Rust. Internally this links to the + system's librsvg shared library, in contrast with the 'librsvg' + crate, which is statically linked and which has a native Rust + API. The 'librsvg-rebind' crate is for cases where the + additional code size from static linking is not desired. This + librsvg-rebind crate is available from crates.io. + + A bunch of fixes to bugs found through fuzz testing. +- Use ldconfig_scriptlets macro for some of the post(un) handling. + +------------------------------------------------------------------- +Sun Sep 15 08:19:13 UTC 2024 - Bjørn Lie + +- Update to version 2.58.94: + + The minimum supported Rust version (MSRV) is 1.77.2. + + Fix assertion failures with large Hue value in hsl() or hwb() + colors. 
+ + Limit the baseFrequency for feTurbulence to avoid integer + overflow. + + Only make exported symbols visible in the library's binary. + + Fix the -Davif=enabled feature; it was not being handled + correctly at compilation time. + + Ensure compatibility with Binutils < 2.39. + + Build fixes for Windows. + +------------------------------------------------------------------- +Sat Sep 14 08:09:02 UTC 2024 - Bjørn Lie + +- Update to version 2.58.92: + + Librsvg is now part of Google's oss-fuzz and is fuzz-tested + automatically - see + https://gnome.pages.gitlab.gnome.org/librsvg/devel-docs/oss_fuzz.html + for details. + + This release has two bug fixes from fuzz testing, and a new API + call: + - Don't leak XML entities when the XML document fails to parse. + - Fix stack overflow in reference cycle. + - Librsvg now supports cancellable rendering; you can start + rendering an RsvgHandle in one thread, and stop it from + another thread with a GCancellable. In the C API, you can use + the rsvg_handle_set_cancellable_for_rendering() function; in + the Rust API, CairoRenderer now has a with_cancellable() + method. + + Many build fixes for Windows, MacOS, iOS, and cross-compilation + + Continued refactoring for a render tree. + + Many fixes to the documentation. + +------------------------------------------------------------------- +Fri Sep 13 08:09:01 UTC 2024 - Dominique Leuenberger + +- Update to version 2.58.91: + + Librsvg now requires cairo version 1.18.0 or later. + + Librsvg now explicitly builds only its supported raster + formats for image-rs: JPEG, PNG, GIF, WEBP, and optional + compile-time support for AVIF. Other raster image formats are + not supported, to minimize the attack surface. + + Don't generate gdk-pixbuf loaders cache if DESTDIR is set. + + Documentation updates for meson. + + Document the fact that the default DPI in the C API for + RsvgHandle is 90 DPI, unlike rsvg-convert and the Rust API, + which use 96 DPI. 
+ + Document the security considerations for the image-rs crate + and the raster image formats that librsvg supports. + + Fix and fine-tune compilation on Windows (MSVC and msys2), + MacOS, and Android. + + Fix installation when only compiling the static library. + + Update Pango for CI and fix a test file. The test suite now + includes the DejaVu Sans font, which supports extra + glyphs/languages for the test suite. +- Changesfrom version 2.58.90: + + librsvg has been ported to the Meson build system. Librsvg no + longer uses autotools! + + Changes in this release: + - Librsvg now uses Meson instead of Autotools. + - There is a -Davif meson option to include support for AVIF in + the image-rs crate, which librsvg uses to load raster images. + - Start revamping the fuzzing infrastructure. +- Add cargo-c and pkgconfig(dav1d) BuildRequires: new dependencies. + +------------------------------------------------------------------- +Thu Sep 12 17:05:38 UTC 2024 - Bjørn Lie + +- Update to version 2.58.4: + + Fix regression when using an SVG inside a feImage element. + +------------------------------------------------------------------- +Fri Aug 16 23:28:29 UTC 2024 - Bjørn Lie + +- Update to version 2.58.3: + + A couple of fixes from fuzz testing: + - Fix assertion failures with large Hue value in hsl() or hwb() + colors. + - Limit the baseFrequency for feTurbulence to avoid integer + overflow. + - Remove an obsolete test. + +------------------------------------------------------------------- +Fri Jul 12 21:21:35 UTC 2024 - Bjørn Lie + +- Update to version 2.58.2: + + Don't leak XML entities when the XML document fails to parse. + + Fix stack overflow in reference cycle. + +------------------------------------------------------------------- +Mon May 27 06:37:49 UTC 2024 - Dominique Leuenberger + +- Update to version 2.58.1: + + Fix failing test with Pango 1.52.1. 
+ +------------------------------------------------------------------- +Mon Mar 18 08:03:01 UTC 2024 - Dominique Leuenberger + +- Update to version 2.58.0: + + The most significant change in this release is that librsvg no + longer uses gdk-pixbuf for loading raster images. All image + loading uses Rust codecs now. + + Librsvg's gdk-pixbuf loader for SVG documents is unchanged; you + can still load SVG files from gdk-pixbuf with it as usual. + + Add basic support for "ch" length units in CSS. + + Support "var(--foo, #aabbcc)" just for colors. This is the + minimum required to render color SVG emoji fonts that provide + color fallbacks, but it is not yet full support for CSS var(). + + Limit numOctaves in feTurbulence to avoid unbounded CPU + consumption. + + Don't panic when a :lang selector has an argument that is not a + language-range. + +------------------------------------------------------------------- +Sat Mar 9 18:36:25 UTC 2024 - Dominique Leuenberger + +- Update to version 2.57.92: + + Don't panic when rendering feOffset with a too-large offset. + + Don't panic when a decoded image has dimensions of zero. + +------------------------------------------------------------------- +Wed Mar 6 08:52:18 UTC 2024 - Dominique Leuenberger + +- Update to version 2.57.91: + + Rsvg-convert now prints a helpful message if you run it + without arguments, to indicate that it is reading from standard + input. + + Take text orientation into account for 'ch' units + + For Rust programs, the rsvg crate no longer depends on + gdk-pixbuf. Hopefully this means that your Rust programs will + have to link to one fewer library. + + The C enumeration RsvgUnit now has a RSVG_UNIT_CH variant for + "ch" units. However, this is only used for reporting the size + of SVG documents, which should very seldom come in "ch" units. + + Fix unsoundness in the use of the selectors crate. + + Update gtk-rs crates. 
+ +------------------------------------------------------------------- +Thu Jan 4 17:19:37 UTC 2024 - Dominique Leuenberger + +- Update to version 2.57.1: + + Fix small-caps and bump the version of Pango required to 1.50.0. + + Fix panic when using negative scaling transforms on the + toplevel. + + Support "var(--foo, #aabbcc)" just for colors. This is the + minimum required to render color SVG emoji fonts that provide + color fallbacks, but it is not yet full support for CSS var(). + + Fix the VS2017 build. + + Update cairo-rs. + + Update the project metadata files. + +------------------------------------------------------------------- +Thu Nov 30 12:36:14 UTC 2023 - Bjørn Lie + +- Run service with new obs-service-cargo, drop cargo_config as + source and clean up spec and service, and switch to zst as + buildtime compression. + +------------------------------------------------------------------- +Thu Sep 14 08:45:45 UTC 2023 - Bjørn Lie + +- Update to version 2.57.0: + + rsvg-convert can now output PDF versions 1.4, 1.5, 1.6, in + addition to the default 1.7, especially for LaTeX users. See + the rsvg-convert(1) man page for options like --format=pdf1.4 + + Support the image-rendering property. + + For consistency with other command-line tools, rsvg-convert now + supports an argument "-" to specify the standard input. This is + in addition to the already-supported syntax of not specifying + an input file at all. + + Partial support for the edgeMode attribute in feGaussianBlur, + only for small blurs right now. + + The minimum supported Rust version (MSRV) is 1.70.0. + +------------------------------------------------------------------- +Tue Sep 12 11:38:48 UTC 2023 - Bjørn Lie + +- Skip bugs_bug668_small_caps_svg test, started failing with + harfbuzz-8.2.0 + +------------------------------------------------------------------- +Tue Aug 15 11:45:26 UTC 2023 - Bjørn Lie + +- Update to version 2.56.92: + + Fix the build for aarch64. 
+ + More extensive logging for filter primitives. + + Update gtk-rs-core to 0.18. + + Update dependencies. + + Include license text in packaged crates. + + The minimum supported Rust version (MSRV) is 1.70.0, due to the + gtk-rs-core update. + ------------------------------------------------------------------- Fri Jul 21 10:17:36 UTC 2023 - Bjørn Lie @@ -189,7 +459,7 @@ Fri Aug 26 22:08:17 UTC 2022 - Bjørn Lie Fri Jul 8 02:52:20 UTC 2022 - William Brown - Replace dependency on unmaintained rust-packaging with - cargo-packaging. + cargo-packaging (boo#1198129). ------------------------------------------------------------------- Mon Jun 20 03:27:28 UTC 2022 - William Brown @@ -297,6 +567,15 @@ Fri Mar 18 01:42:21 UTC 2022 - Bjørn Lie - Add python3-docutils and pkgconfig(gi-docgen) BuildRequires following upstream changes. +------------------------------------------------------------------- +Fri Mar 18 01:42:20 UTC 2022 - Federico Mena Quintero + +- Update to version 2.52.10: + + + Fix arbitrary file read when href has special characters. + +- bsc#1213502 - CVE-2023-38633 - directory traversal in URI decoder. + ------------------------------------------------------------------- Fri Mar 18 01:42:20 UTC 2022 - Luciano Santos diff --git a/librsvg.obsinfo b/librsvg.obsinfo index 10bdcfd..8f1e4fa 100644 --- a/librsvg.obsinfo +++ b/librsvg.obsinfo @@ -1,4 +1,4 @@ name: librsvg -version: 2.56.3 -mtime: 1689887914 -commit: 312c4b8c28c99b9051ee6de6fa966cf977b0f7b4 +version: 2.59.2 +mtime: 1730236856 +commit: fe6c6b7e5d5dddb751c2ad28188137dc8a50b9f4 diff --git a/librsvg.spec b/librsvg.spec index e4132f0..93881c3 100644 --- a/librsvg.spec +++ b/librsvg.spec @@ -1,7 +1,7 @@ # # spec file for package librsvg # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -20,25 +20,26 @@ %define librsvg_sover 2 Name: librsvg -Version: 2.56.3 +Version: 2.59.2 Release: 0 Summary: A Library for Rendering SVG Data -License: GPL-2.0-or-later AND LGPL-2.0-or-later AND MIT +License: LGPL-2.1-or-later AND MIT Group: Development/Libraries/C and C++ URL: https://wiki.gnome.org/Projects/LibRsvg -Source: %{name}-%{version}.tar.xz -Source2: vendor.tar.zst -Source3: cargo_config +Source0: %{name}-%{version}.tar.zst +Source1: vendor.tar.zst Source99: baselibs.conf +BuildRequires: cargo-c BuildRequires: cargo-packaging >= 1.2.0+3 BuildRequires: gobject-introspection-devel -BuildRequires: libtool +BuildRequires: meson BuildRequires: pkgconfig BuildRequires: python3-docutils BuildRequires: vala -BuildRequires: pkgconfig(cairo) >= 1.16.0 +BuildRequires: pkgconfig(cairo) >= 1.18.0 BuildRequires: pkgconfig(cairo-png) >= 1.2.0 +BuildRequires: pkgconfig(dav1d) BuildRequires: pkgconfig(fontconfig) BuildRequires: pkgconfig(freetype2) >= 20.0.14 BuildRequires: pkgconfig(gdk-pixbuf-2.0) >= 2.20 
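Review bot: The new `BuildRequires: pkgconfig(dav1d)` makes AVIF decoding available to the build, but nothing in this hunk says whether the package is meant to ship it. The `%meson` call in the later `%build` hunk passes no options, so the feature is presumably left to Meson's auto-detection. The changelog in this commit says upstream restricts raster formats "to minimize the attack surface" and names `-Davif` as the switch. For a library that decodes untrusted images I would state the choice explicitly, e.g. `%meson -Davif=enabled`, and add a comment above the requirement such as `# dav1d: optional AVIF support in image-rs (-Davif)`. The preamble continues outside this hunk.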
@@ -135,42 +136,30 @@ This package contains a thumbnailer to render SVG (scalable vector graphics) data. %prep -%autosetup -p1 -a2 -mkdir .cargo -cp %{SOURCE3} .cargo/config +%autosetup -p1 -a1 %build -export RUSTFLAGS="%{build_rustflags}" -NOCONFIGURE=1 ./autogen.sh -%configure \ - --disable-static\ - --enable-introspection\ - --enable-vala \ - %{nil} -%make_build +%meson +%meson_build %install -export RUSTFLAGS="%{build_rustflags}" -%make_install -find %{buildroot} -type f -name "*.la" -delete -print -# %%doc is used to package such contents -rm -rf %{buildroot}%{_datadir}/doc/%{name}/CO*.md +%meson_install %check -export RUSTFLAGS="%{build_rustflags}" +export LANG=C %ifarch x86_64 %{?x86_64} # 2023-01-15: the pdf-related tests are failing (bsc#1207167) # 2023-03-17 cairo-1.17.8 filter_morphology svg test is failing -%{cargo_test} -- --skip pdf_has_text --skip pdf_has_link --skip filter_morphology_from_reference_page_svg +%{cargo_test} -- \ +--skip pdf_has_text --skip pdf_has_link \ +--skip filter_morphology_from_reference_page_svg --skip bugs_bug668_small_caps_svg %endif -%post -n librsvg-2-%{librsvg_sover} -p /sbin/ldconfig +%ldconfig_scriptlets -n librsvg-2-%{librsvg_sover} %post -n gdk-pixbuf-loader-rsvg %{gdk_pixbuf_loader_post} -%postun -n librsvg-2-%{librsvg_sover} -p /sbin/ldconfig - %postun -n gdk-pixbuf-loader-rsvg %{gdk_pixbuf_loader_postun} @@ -183,7 +172,7 @@ export RUSTFLAGS="%{build_rustflags}" %{_libdir}/girepository-1.0/Rsvg-2.0.typelib %files -n gdk-pixbuf-loader-rsvg -%{_libdir}/gdk-pixbuf-2.0/*/loaders/libpixbufloader-svg.so +%{_libdir}/gdk-pixbuf-2.0/*/loaders/libpixbufloader_svg.so %files -n rsvg-convert %{_bindir}/rsvg-convert @@ -195,7 +184,6 @@ export RUSTFLAGS="%{build_rustflags}" %files devel %doc AUTHORS -%doc %{_datadir}/doc/%{name}/ %doc %{_datadir}/doc/Rsvg-2.0/ %{_includedir}/librsvg-2.0/ %{_libdir}/librsvg-2.so 
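Review bot: All three `export RUSTFLAGS="%{build_rustflags}"` lines are removed from `%build`, `%install` and `%check`, and nothing on the new side shows the distribution's Rust flags reaching the compiler. `%meson` and `%{cargo_test}` may set them internally, but that is not visible from this hunk. Please confirm that the built `librsvg-2.so` still gets the expected hardening and debuginfo flags, or keep `export RUSTFLAGS="%{build_rustflags}"` ahead of `%meson`. The `.cargo/config` copy is also gone from `%prep`, so offline crate resolution now appears to depend on `vendor.tar.zst` carrying its own cargo config. A one-line comment next to `%autosetup -p1 -a1`, such as `# vendor.tar.zst ships .cargo/config pointing at vendored sources`, would record that assumption.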
@@ -203,5 +191,6 @@ export RUSTFLAGS="%{build_rustflags}" %{_datadir}/gir-1.0/Rsvg-2.0.gir %dir %{_datadir}/vala/vapi %{_datadir}/vala/vapi/librsvg-2.0.vapi +%{_datadir}/vala/vapi/librsvg-2.0.deps %changelog diff --git a/vendor.tar.zst b/vendor.tar.zst index ae0a6fa..500c4f6 100644 --- a/vendor.tar.zst +++ b/vendor.tar.zst @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:81cf11bed91c7802a4f3ab51384a19f9d13a5a7c58c20cae6378925e6ea91d2e -size 36712350 +oid sha256:50bf9a0eed43289a76be68a36025b03432217787fa15ae4514b9278503fa20bd +size 23332205