[Cin] Libvpx vulnerability

Phyllis Smith phylsmith2017 at gmail.com
Sat Oct 7 01:48:48 CEST 2023


Ran several tests decoding vp8/vp9 video and rendering 3 video files so all
looks OK.  Encountered no problems and have checked into GIT.  Thanks.

On Tue, Oct 3, 2023 at 7:24 PM Phyllis Smith <phylsmith2017 at gmail.com>
wrote:

> OK, I will do a few tests yet of vp8/9.
>
> On Tue, Oct 3, 2023 at 7:19 PM Andrew Randrianasulu <
> randrianasulu at gmail.com> wrote:
>
>>
>>
>> Wed, Oct 4, 2023, 04:13 Phyllis Smith <phylsmith2017 at gmail.com>:
>>
>>> Seems OK to me and compiled but 2 questions:
>>> 1. When I downloaded with the link you provided, it did not put a "v" in
>>> the name - it was just libvpx-1.13.1.tar.gz so I am a little confused about
>>> the difference.
>>>
>>
>> I downloaded with wget, maybe it explains the difference in the resulting
>> filename? Anyway, if our build system is happy with the file as-is - the better!
>>
>>> 2. I think we also need to include the 1.13.0 patch because it changes
>>> the line from:
>>>     -#define DECLARE_ALIGNED(n, typ, val) typ val __attribute__((aligned(
>>> *n*)))
>>>     +#define DECLARE_ALIGNED(n, typ, val) typ val __attribute__((aligned(
>>> *64*)))
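Review bot: in the `+` line the macro still takes `n` but no longer uses it, so every DECLARE_ALIGNED declaration gets 64-byte alignment whatever the caller asked for, and a caller requesting more than 64 would silently get less. If the hardcoded value is needed for this build, a comment in the patch saying why, or keeping `n` when it is larger than 64, would make the patch safer to carry forward from 1.13.0 to 1.13.1.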
>>> so I will do that if you concur?
>>>
>>
>>
>> Ah, this is a change from before I started to look into this part of the build.
>> I guess it just hardcodes alignment?
>>
>> I just renamed the patch so the filenames of source and patch matched, without
>> looking into it ...
>>
>>
>> If encoding (and decoding) of vp8/9 go brrr I think we can keep it ....
>>
>>>
>>> On Tue, Oct 3, 2023 at 1:32 PM Andrew Randrianasulu via Cin <
>>> cin at lists.cinelerra-gg.org> wrote:
>>>
>>>>
>>>>
>>>> Tue, Oct 3, 2023, 16:50 Andrew Randrianasulu <randrianasulu at gmail.com
>>>> >:
>>>>
>>>>>
>>>>>
>>>>> Tue, Oct 3, 2023, 11:56 Andrea paz via Cin <
>>>>> cin at lists.cinelerra-gg.org>:
>>>>>
>>>>>> A vulnerability hole in the vpx library has come out these days. Do
>>>>>> you think it is worth updating?
>>>>>>
>>>>>
>>>>> I think yes, because we are at 1.13.0 already ... maybe we can just
>>>>> add/apply the relevant patches without touching the main tarball?
>>>>>
>>>>
>>>>
>>>> so I tried to download new source directly from
>>>>
>>>>
>>>> https://github.com/webmproject/libvpx/archive/v1.13.1/libvpx-v1.13.1.tar.gz
>>>>
>>>> renamed it libvpx-1.13.1.tar.gz (without "v") then put in
>>>> thirdparty/src, renamed the corresponding libvpx patch, edited
>>>> configure.ac and now ffmpeg configures ....
>>>> compiles ...
>>>>
>>>>
>>>>> https://ubuntu.com/security/notices/USN-6403-1
>>>>>> --
>>>>>> Cin mailing list
>>>>>> Cin at lists.cinelerra-gg.org
>>>>>> https://lists.cinelerra-gg.org/mailman/listinfo/cin
>>>>>>
>>>>
>>>