Skip to content

Add IPE_VIPS_MINIMAL env var to skip magick/openexr/libraw loaders in libvips #1292

Description

@pataar

Problem

On Debian-based images, install-php-extensions vips runs apt-get install libvips libvips-dev, which transitively pulls in:

  • libmagickcore-7.q16-10 (ImageMagick core)
  • libraw23t64 (camera RAW)
  • libopenexr-3-1-30 (HDR/VFX format)
  • libpoppler*, libjxl0.11, libnss3, libhdf5-310, libmatio13, libopenjp2-7, …

These come from Debian's choice to build libvips with --with-magick, --with-openexr, --with-libraw enabled. The bundled magick/openexr/libraw loaders are useful for reading exotic formats (camera RAW, EXR, etc.) but most PHP workloads using vips for web image manipulation (JPEG/PNG/WebP/HEIC/TIFF) never use them.

On the current php:8.5-fpm + Debian 13 (trixie) base image as of 2026-05, those transitive deps account for 5 CRITICAL CVEs with no fixed version available:

  • CVE-2026-20884, CVE-2026-24450, CVE-2026-24660 (libraw23t64)
  • CVE-2026-42216, CVE-2026-42217 (libopenexr-3-1-30)

Plus 25+ HIGH and 60+ MEDIUM that disappear with a slimmer libvips.

Proposed solution

Add IPE_VIPS_MINIMAL=1 (analogous to IPE_GD_WITHOUTAVIF=1). When set on Debian, instead of apt install libvips libvips-dev, the script builds libvips from the upstream tarball with the heavy loaders disabled, then builds pecl-vips against it.

Meson flags used in the PoC:

-Dmagick=disabled
-Dopenexr=disabled
-Dlibraw=disabled
-Dpoppler=disabled
-Dopenslide=disabled
-Dmatio=disabled
-Dnifti=disabled
-Dpdfium=disabled
-Dcfitsio=disabled

Working PoC

Two non-obvious points uncovered while building it:

  1. Meson installs to /usr/local/lib/<triplet>/ by default; pkg-config doesn't search that path consistently across distros — pass --libdir=lib to force /usr/local/lib/.
  2. The generated vips.pc lists Requires.private: referencing fftw3, libtiff-4, etc. Their .pc files only ship with the matching -dev packages. For dynamic linking of pecl-vips against an already-linked libvips.so, those .pc files aren't needed — but pkg-config fails if they're missing. Stripping the Requires.private: line from vips.pc works around this.

Measured impact

On a derivative php:8.5-fpm image:

Variant Total vulns CRITICAL HIGH Image size
stock (apt libvips) 1254 5 89 822 MB
IPE_VIPS_MINIMAL=1 (PoC) 974 0 56 798 MB

Happy to open a PR if the design is acceptable.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions