---------- Forwarded message --------- From: Andrew Randrianasulu <[email protected]> Date: Sat, Sep 16, 2023 at 7:22 AM Subject: Re: CVE in libwebp To: Phyllis Smith <[email protected]> ah, it was "working" here because I had libwebp installed what about adding patch 0002 on top of previous one? On Sat, Sep 16, 2023 at 5:47 AM Andrew Randrianasulu <[email protected]> wrote:
сб, 16 сент. 2023 г., 04:48 Phyllis Smith <[email protected]>:
Attaching log file from build on Fedora that failed.
Can I also see
ffbuild/config.log ?
I carefully verified that configure.ac and thirdparty/Makefile have the mods in from 0001-Change... First time I tried, I used the tar.gz and when it did not work I re-made as tar.xz as was the previous libwebp 1.1.0 version. Tomorrow I will try 1.3.2 (using current build procedure) on an older Debian and Ubuntu 16 which I am almost sure use a prior version of cmake to 3.5. BUT since I make the AppImage, maybe I can either leave 1.3.2 out or upgrade the cmake to 3.5.
On Fri, Sep 15, 2023 at 12:23 PM Andrew Randrianasulu <[email protected]> wrote:
can you check this attached patch with libwebp downloaded from
https://github.com/webmproject/libwebp/archive/refs/tags/v1.3.2.tar.gz
just rename to libwebp-1.3.2.tar.gz and put in thirdparty/src
пт, 15 сент. 2023 г., 18:31 Andrew Randrianasulu <[email protected]>:
пт, 15 сент. 2023 г., 18:26 Phyllis Smith <[email protected]>:
libwebp is currently at version 1.1.0 for a reason: it requires cmake 3.5 and older versions of ubuntu as well as some other older O/S do not have that. This is documented in the manual with the suggestion of users who want an upgrade will have to first upgrade cmake to 3.5. BUT by now it may even require a later version of cmake (not sure).\
At least 1.2.4 (with this bug fixed) still contain autogen.sh/configure script?
https://github.com/webmproject/libwebp/tree/1.2.4
so may be we can switch our build to this scheme ...
On Fri, Sep 15, 2023 at 7:01 AM Andrew Randrianasulu <[email protected]> wrote:
https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8...
so far Slackware 15.0 bumped libwebp to 1.3.2
guess we ought to do the same?
With patch 0002, it now builds and a single render test worked. Will test on Ubuntu 16 and older Debian sometime today yet after looking at Andrea's odt/pdf file and other's commentary on it. On Fri, Sep 15, 2023 at 10:38 PM Andrew Randrianasulu via Cin < [email protected]> wrote:
---------- Forwarded message --------- From: Andrew Randrianasulu <[email protected]> Date: Sat, Sep 16, 2023 at 7:22 AM Subject: Re: CVE in libwebp To: Phyllis Smith <[email protected]>
ah, it was "working" here because I had libwebp installed
what about adding patch 0002 on top of previous one?
On Sat, Sep 16, 2023 at 5:47 AM Andrew Randrianasulu <[email protected]> wrote:
сб, 16 сент. 2023 г., 04:48 Phyllis Smith <[email protected]>:
Attaching log file from build on Fedora that failed.
Can I also see
ffbuild/config.log ?
I carefully verified that configure.ac and thirdparty/Makefile have
the mods in from 0001-Change...
First time I tried, I used the tar.gz and when it did not work I re-made as tar.xz as was the previous libwebp 1.1.0 version. Tomorrow I will try 1.3.2 (using current build procedure) on an older Debian and Ubuntu 16 which I am almost sure use a prior version of cmake to 3.5. BUT since I make the AppImage, maybe I can either leave 1.3.2 out or upgrade the cmake to 3.5.
On Fri, Sep 15, 2023 at 12:23 PM Andrew Randrianasulu < [email protected]> wrote:
can you check this attached patch with libwebp downloaded from
https://github.com/webmproject/libwebp/archive/refs/tags/v1.3.2.tar.gz
just rename to libwebp-1.3.2.tar.gz and put in thirdparty/src
пт, 15 сент. 2023 г., 18:31 Andrew Randrianasulu <
пт, 15 сент. 2023 г., 18:26 Phyllis Smith <[email protected]>:
libwebp is currently at version 1.1.0 for a reason: it requires
cmake 3.5 and older versions of ubuntu as well as some other older O/S do not have that. This is documented in the manual with the suggestion of users who want an upgrade will have to first upgrade cmake to 3.5. BUT by now it may even require a later version of cmake (not sure).\
At least 1.2.4 (with this bug fixed) still contain
autogen.sh/configure script?
https://github.com/webmproject/libwebp/tree/1.2.4
so may be we can switch our build to this scheme ...
On Fri, Sep 15, 2023 at 7:01 AM Andrew Randrianasulu <
[email protected]> wrote:
> > https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8... > > so far Slackware 15.0 bumped libwebp to 1.3.2 > > guess we ought to do the same? -- Cin mailing list [email protected] https://lists.cinelerra-gg.org/mailman/listinfo/cin
Andrew, Tested on 32-bit Debian 9.1 which has cmake version 3.7.2 so it appears to work. Tested on64-bit Ubuntu 16 which has cmake version 3.5.1 WHICH SHOULD NOT WORK, but appears to anyway. WHY?? In the file CMakeLists.txt, one of the first things it does is to check the cmake version for Apple of 3.17 else 3.7.1 for everything else. But it seems to just keep going anyway and a single render using webp.webp seems to work. Also, I attempted to create libwebp-1.3.2.patch3 to match libwebp-1.1.0.patch3but it fails on line 3. See attached. There are so many extra libwebp related messages in the build log file now -- 254 versus about 82 previously. On Sat, Sep 16, 2023 at 10:22 AM Phyllis Smith <[email protected]> wrote:
With patch 0002, it now builds and a single render test worked. Will test on Ubuntu 16 and older Debian sometime today yet after looking at Andrea's odt/pdf file and other's commentary on it.
On Fri, Sep 15, 2023 at 10:38 PM Andrew Randrianasulu via Cin < [email protected]> wrote:
---------- Forwarded message --------- From: Andrew Randrianasulu <[email protected]> Date: Sat, Sep 16, 2023 at 7:22 AM Subject: Re: CVE in libwebp To: Phyllis Smith <[email protected]>
ah, it was "working" here because I had libwebp installed
what about adding patch 0002 on top of previous one?
On Sat, Sep 16, 2023 at 5:47 AM Andrew Randrianasulu <[email protected]> wrote:
сб, 16 сент. 2023 г., 04:48 Phyllis Smith <[email protected]>:
Attaching log file from build on Fedora that failed.
Can I also see
ffbuild/config.log ?
I carefully verified that configure.ac and thirdparty/Makefile have
the mods in from 0001-Change...
First time I tried, I used the tar.gz and when it did not work I re-made as tar.xz as was the previous libwebp 1.1.0 version. Tomorrow I will try 1.3.2 (using current build procedure) on an older Debian and Ubuntu 16 which I am almost sure use a prior version of cmake to 3.5. BUT since I make the AppImage, maybe I can either leave 1.3.2 out or upgrade the cmake to 3.5.
On Fri, Sep 15, 2023 at 12:23 PM Andrew Randrianasulu < [email protected]> wrote:
can you check this attached patch with libwebp downloaded from
https://github.com/webmproject/libwebp/archive/refs/tags/v1.3.2.tar.gz
just rename to libwebp-1.3.2.tar.gz and put in thirdparty/src
пт, 15 сент. 2023 г., 18:31 Andrew Randrianasulu <
пт, 15 сент. 2023 г., 18:26 Phyllis Smith <[email protected]>: > > libwebp is currently at version 1.1.0 for a reason: it requires
cmake 3.5 and older versions of ubuntu as well as some other older O/S do not have that. This is documented in the manual with the suggestion of users who want an upgrade will have to first upgrade cmake to 3.5. BUT by now it may even require a later version of cmake (not sure).\
At least 1.2.4 (with this bug fixed) still contain
autogen.sh/configure script?
https://github.com/webmproject/libwebp/tree/1.2.4
so may be we can switch our build to this scheme ...
> > On Fri, Sep 15, 2023 at 7:01 AM Andrew Randrianasulu <
[email protected]> wrote:
>> >> https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8... >> >> so far Slackware 15.0 bumped libwebp to 1.3.2 >> >> guess we ought to do the same? -- Cin mailing list [email protected] https://lists.cinelerra-gg.org/mailman/listinfo/cin
пн, 18 сент. 2023 г., 00:46 Phyllis Smith <[email protected]>:
Andrew, Tested on 32-bit Debian 9.1 which has cmake version 3.7.2 so it appears to work. Tested on64-bit Ubuntu 16 which has cmake version 3.5.1 WHICH SHOULD NOT WORK, but appears to anyway. WHY??
because I switched libwebp build from cmake build system to autotools build system ..... In the file CMakeLists.txt, one of the first things it does is to check the
cmake version for Apple of 3.17 else 3.7.1 for everything else. But it seems to just keep going anyway and a single render using webp.webp seems to work.
you can also try to make patch dialing that 3.7.1 down to 3.5.1 like for libaom and see if this works ....
Also, I attempted to create libwebp-1.3.2.patch3 to match libwebp-1.1.0.patch3but it fails on line 3. See attached. There are so many extra libwebp related messages in the build log file now -- 254 versus about 82 previously.
src/libwebp-1.1.0.patch3 seems to disable things I disabled by configure switches, so not necessary anymore if this mini patch series works as intended...
On Sat, Sep 16, 2023 at 10:22 AM Phyllis Smith <[email protected]> wrote:
With patch 0002, it now builds and a single render test worked. Will test on Ubuntu 16 and older Debian sometime today yet after looking at Andrea's odt/pdf file and other's commentary on it.
On Fri, Sep 15, 2023 at 10:38 PM Andrew Randrianasulu via Cin < [email protected]> wrote:
---------- Forwarded message --------- From: Andrew Randrianasulu <[email protected]> Date: Sat, Sep 16, 2023 at 7:22 AM Subject: Re: CVE in libwebp To: Phyllis Smith <[email protected]>
ah, it was "working" here because I had libwebp installed
what about adding patch 0002 on top of previous one?
On Sat, Sep 16, 2023 at 5:47 AM Andrew Randrianasulu <[email protected]> wrote:
сб, 16 сент. 2023 г., 04:48 Phyllis Smith <[email protected]>:
Attaching log file from build on Fedora that failed.
Can I also see
ffbuild/config.log ?
I carefully verified that configure.ac and thirdparty/Makefile have
the mods in from 0001-Change...
First time I tried, I used the tar.gz and when it did not work I re-made as tar.xz as was the previous libwebp 1.1.0 version. Tomorrow I will try 1.3.2 (using current build procedure) on an older Debian and Ubuntu 16 which I am almost sure use a prior version of cmake to 3.5. BUT since I make the AppImage, maybe I can either leave 1.3.2 out or upgrade the cmake to 3.5.
On Fri, Sep 15, 2023 at 12:23 PM Andrew Randrianasulu < [email protected]> wrote:
can you check this attached patch with libwebp downloaded from
https://github.com/webmproject/libwebp/archive/refs/tags/v1.3.2.tar.gz
just rename to libwebp-1.3.2.tar.gz and put in thirdparty/src
пт, 15 сент. 2023 г., 18:31 Andrew Randrianasulu <
> > > > пт, 15 сент. 2023 г., 18:26 Phyllis Smith <[email protected] : >> >> libwebp is currently at version 1.1.0 for a reason: it requires cmake 3.5 and older versions of ubuntu as well as some other older O/S do not have that. This is documented in the manual with the suggestion of users who want an upgrade will have to first upgrade cmake to 3.5. BUT by now it may even require a later version of cmake (not sure).\ > > > At least 1.2.4 (with this bug fixed) still contain autogen.sh/configure script? > > https://github.com/webmproject/libwebp/tree/1.2.4 > > so may be we can switch our build to this scheme ... > >> >> On Fri, Sep 15, 2023 at 7:01 AM Andrew Randrianasulu < [email protected]> wrote: >>> >>> https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8... >>> >>> so far Slackware 15.0 bumped libwebp to 1.3.2 >>> >>> guess we ought to do the same? -- Cin mailing list [email protected] https://lists.cinelerra-gg.org/mailman/listinfo/cin
participants (2)
-
Andrew Randrianasulu -
Phyllis Smith