Opened 12 months ago
Closed 12 months ago
#19283 closed enhancement (fixed)
graphviz-10.0.1
Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | normal | Milestone: | 12.1 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New major version.
Change History (8)
comment:1 by , 12 months ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
follow-up: 3 comment:2 by , 12 months ago
follow-up: 4 comment:3 by , 12 months ago
Replying to Joe Locash:
I'm seeing vala-0.56.14 FTBFS with this update. I passed --disable-valadoc to configure to get around it until I can dig further into it.
I've tracked it down to graphviz-10 removing this section in /usr/include/graphviz/types.h:
```c
#ifndef FALSE
#define FALSE 0
#endif
#ifndef TRUE
#define TRUE (!FALSE)
#endif
```
This sed fixes the build of vala when graphviz-10 is installed:
```sh
sed -i '/gvc.h/a#define TRUE 1' libvaladoc/gvc-compat.c
```
follow-up: 5 comment:4 by , 12 months ago
Replying to Joe Locash:
Replying to Joe Locash:
I'm seeing vala-0.56.14 FTBFS with this update. I passed --disable-valadoc to configure to get around it until I can dig further into it.
I've tracked it down to graphviz-10 removing this section in /usr/include/graphviz/types.h:
```c
#ifndef FALSE
#define FALSE 0
#endif
#ifndef TRUE
#define TRUE (!FALSE)
#endif
```
This sed fixes the build of vala when graphviz-10 is installed:
```sh
sed -i '/gvc.h/a#define TRUE 1' libvaladoc/gvc-compat.c
```
Thank you for this, we should probably report it to Vala upstream. The macros have been officially removed upstream and it's a documented change:
10.0.1 – 2024-02-11

Added
- Releases now include packages for Rocky Linux 8 and 9.
- A new output format, -Tsvg_inline, has been added to generate a header-less SVG suitable for inlining into HTML. #2285
- The functionality of the acyclic, tred and unflatten command line tools are now exposed via the graphviz_acyclic, graphviz_tred and graphviz_unflatten API functions in libcgraph. #2194
- graphviz_node_induce is available as a new API function in cgraph.h.
- tred gained a -o command line option to redirect its output to a file.

Changed
- The Criterion unit tests have been removed and migrated to Pytest. This is primarily relevant to downstream packagers of Graphviz. #2443
- Breaking: Dtdisc_t.memoryf and its associated macros has been removed.
- Breaking: The Dt_t.type field has been removed.
- Breaking: The dtfound, DT_FOUND, dtleast, and dtmost macros have been removed.
- The nrtmain.c test program has been removed from the portable tarball.
- The TCL Graphviz packages for inter-release versions/snapshots report themselves as <next release>b<internal number> instead of <next release>~dev.<internal number>. This fixes a problem wherein TCL would see ~dev as being invalid characters to appear in a version. #2370
- Support for discovering Lua via lua-config* has been removed from the Autotools build system.
- Lua discovery in the Autotools build system should now respect the location of your Lua installation and not unconditionally attempt installation into /usr. #2152
- The GTK plugin is no longer built or distributed. This plugin relies on GTK 2 and X11. If you use this plugin, please contact the maintainers to let them know it is worthwhile re-enabling this and forward porting it to GTK 3/4 and Wayland. #1848
- In the Autotools build system, LIBPOSTFIX= can now be used to suppress 64 being appended to the library installation path.
- The -m command line option, whose functionality was disabled in Graphviz 3.0.0, has been removed.
- Man page typography has been slightly improved.
- macOS release artifacts no longer include vimdot. This may be restored in future. #2423
- macOS release artifacts no longer include smyrna. This may be restored in future. #2422
- The PDF output format, -Tpdf, respects the environment variable $SOURCE_DATE_EPOCH for overriding CreationDate when built against Cairo ≥ 1.16.0. #2473
- The legacy C# viewer app is no longer distributed in the portable source tarball.
- Graphviz headers no longer define the FALSE and TRUE constants.
- The Autotools build system no longer supports Darwin 9 (Mac OSX Leopard).
- Breaking: Agraph_t.link has been split into Agraph_t.id_link and Agraph_t.seq_link. Agraph_t.g_dict has been split into Agraph_t.g_id and Agraph_t.g_seq.
- Breaking: gvpropts.n_outgraphs is now a size_t.
- The OCaml bindings have been removed. If you use these bindings, please contact the maintainers to notify them of the existence of users.
- Breaking: polygon_t.sides and polygon_t.peripheries are now size_ts.
- Breaking: liblab_gamut is no longer included in a Graphviz installation. This library had no accompanying header, so using it was not easy. If you are using this library, please contact the maintainers to notify them of the existence of users. #2489
- Breaking: bezier.size and splines.size are now size_ts.
- Breaking: the gv.i and gv.cpp SWIG inputs are no longer included in a Graphviz installation. #2491
- Breaking: the gvrender_engine_t.beziercurve, gvrender_engine_t.library_shape, gvrender_engine_t.polygon, and gvrender_engine_t.polyline callbacks now take the number of points, n, as a size_t.
- Breaking: the AVG macro has been removed.
- Breaking: the inside_t.s union member gained members lastn, radius, last_poly, last, outp, scalex, scaley, box_URx, and box_URy. Zero initialize these when you construct instances of this type. #2498

Fixed
- The paper size for Doxygen docs generation in the Autotools build system has been corrected to a4.
- References to eventf and hashf data structures in the libcdt man page have been removed. These data structures were removed in Graphviz 9.0.0.
- References to DTOFFSET in the libcdt man page have been removed. This macro was removed in Graphviz 2.40.0.
- A number of further updates to the libcdt man page have been made to reflect other changes that happened in Graphviz 9.0.0.
- Use of the non-portable PATH_MAX constant has been removed. This was a regression in Graphviz 7.0.1. In addition to fixing the regression, code has been adjusted to remove assumptions on the maximum path length and treat it as unbounded. #2452
- Compilation on NetBSD has been repaired. This was a regression in Graphviz 9.0.0.
- Compilation on SunOS has been repaired. This appears to have been broken since the xlib plugin was added some time prior to Graphviz 2.38.0.
- gvpr programs that attempt to close out of range file descriptors no longer cause out of bounds memory accesses.
- When large edge weights are used that cause an integer overflow when summing them up, Graphviz now gracefully exits with an error message instead of crashing. #2450
- Support for the %n specifier in scanf in gvpr has been restored. This was a regression in Graphviz 9.0.0. #2454
- In the Autotools build system, make dist now processes cmd/gvedit correctly when Qt is not installed. Generating Qt “mocables” is postponed from configure time to build time. #2463
- The Autotools build system correctly detects Ruby headers, even when pkg-config support is unavailable. #2464
- Escaped characters in xdot fields no longer lead to the containing text being truncated. #2460
- When building against a libgd that is configured with !gif && (jpeg || png), the GD plugin is once again compilable. This was a regression in Graphviz 2.46.0.
- edgepaint spline intersection code would previously incorrectly use the second spline in one instance where it should have used the first. #1464
- In the Autotools build, libexpat discovery on macOS has been improved. #2477
- A bug that caused compound edges to sometimes be drawn in the wrong direction has been corrected. This was a regression in Graphviz 8.0.3. #2478
- When operating on multiple graphs, unflatten no longer retains chain node and size internal state across graphs.
- Repeated runs of a graph with subgraphs now produce a stable subgraph ordering. #2242
- The dot and gml2gv tools are now built with case-insensitive parsing by the CMake and MSBuild systems, as they always were by autotools, and in accordance with the graphviz specification. #2481
- Putting nodes in a subgraph no longer causes their layout order to be reversed. #1585
- Edges are no longer lost when using subgraphs and record shapes in combination. #1624
- A malformed config6 file that leads to plugin search failing no longer causes out-of-bounds memory reads. This now causes an error message and graceful failure. #2441
- Discovery of php in the Autotools build system has been improved.
- Text in the PIC output format is no longer forced to font size 1. This was a regression in Graphviz 8.0.2. Even with this fix, the PIC output format is limited in its utility. #2487
- When encountering a syntactically invalid HTML-like label, Graphviz.app no longer aborts. The abort was an intentional change in Graphviz 8.0.1 to avoid invalid memory reads in dot, but had the undesirable side effect of the graphical Graphviz.app exiting with no obvious cause. #2488
- Use of an uninitialized variable in poly_inside has been corrected. #2498
- Input containing UTF-8 data that is destined to appear as-is in the output (e.g. UTF-8 characters in a label when using the -Tdot output format) is once again processed correctly. On platforms with a signed char this could previously crash. This was a regression in Graphviz 2.49.0. #2502
follow-up: 6 comment:5 by , 12 months ago
Replying to Douglas R. Reno:
Thank you for this, we should probably report it to Vala upstream.
I've reported it. Upstream ticket is https://gitlab.gnome.org/GNOME/vala/-/issues/1524
comment:6 by , 12 months ago
Replying to Joe Locash:
Replying to Douglas R. Reno:
Thank you for this, we should probably report it to Vala upstream.
I've reported it. Upstream ticket is https://gitlab.gnome.org/GNOME/vala/-/issues/1524
Thank you for reporting it up to them!
comment:7 by , 12 months ago
I'm aware of CVE-2023-46045 now, from https://gitlab.com/graphviz/graphviz/-/issues/2441. However, since it requires root access already and that you overwrite /usr/lib/graphviz/config6 first, I'm inclined to not file an SA for this. See https://seclists.org/fulldisclosure/2024/Jan/73 for upstream's position as well.
It's been marked as High by NVD, but I don't see why since it requires overwriting a file installed in /usr/lib (and owned by root) first.
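The assessment in comment 7 depends on config6 being writable only by root. The following is an added example, not part of the ticket or of Graphviz: a shell check of that precondition for the file and its directory. It assumes a `stat` that supports `-L` and `-c` (GNU coreutils), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm that a Graphviz plugin config file can only be
# modified by its expected owner (root by default).
# Assumption: stat supports -L and -c (GNU coreutils).

# writable_by_others PATH: succeeds if PATH is group- or world-writable.
writable_by_others() {
    mode=$(stat -L -c '%a' "$1") || return 2
    # %a prints octal permission bits; 022 masks group-write and other-write.
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# check_config_trust FILE [OWNER_UID]
# Returns 0 when FILE and its containing directory are owned by OWNER_UID
# (default 0) and neither is group- or world-writable. Otherwise prints
# the reason to stderr and returns 1.
check_config_trust() {
    file=$1
    want_uid=${2:-0}
    dir=$(dirname "$file")

    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    # A writable directory lets the file be replaced even if the file
    # itself is read-only, so both are checked.
    for p in "$dir" "$file"; do
        uid=$(stat -L -c '%u' "$p") || return 1
        if [ "$uid" != "$want_uid" ]; then
            echo "owner uid $uid (expected $want_uid): $p" >&2
            return 1
        fi
        if writable_by_others "$p"; then
            echo "group/world-writable: $p" >&2
            return 1
        fi
    done
    return 0
}

# When given a path argument, check it, e.g.:
#   sh check.sh /usr/lib/graphviz/config6
if [ "$#" -gt 0 ]; then
    check_config_trust "$@"
fi
```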
comment:8 by , 12 months ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at b4b561044fa1e11dc28165cc03729758c7d534a5
Vala fixed at 3f925a4275b5fc6c419836a6aace011320319c3c