[Cin] Fwd: CVE in libwebp

Andrew Randrianasulu randrianasulu at gmail.com
Sat Sep 16 06:23:04 CEST 2023


---------- Forwarded message ---------
From: Andrew Randrianasulu <randrianasulu at gmail.com>
Date: Sat, Sep 16, 2023 at 7:22 AM
Subject: Re: CVE in libwebp
To: Phyllis Smith <phylsmith2017 at gmail.com>


ah, it was "working" here because I had libwebp installed

what about adding patch 0002 on top of previous one?

On Sat, Sep 16, 2023 at 5:47 AM Andrew Randrianasulu
<randrianasulu at gmail.com> wrote:
>
>
>
> Sat, Sep 16, 2023, 04:48 Phyllis Smith <phylsmith2017 at gmail.com>:
>>
>> Attaching log file from build on Fedora that failed.
>
>
> Can I also see
>
> ffbuild/config.log ?
>
>
>> I carefully verified that configure.ac and thirdparty/Makefile have the mods in from 0001-Change...
>> First time I tried, I used the tar.gz and when it did not work I re-made as tar.xz as was the previous libwebp 1.1.0 version.
>> Tomorrow I will try 1.3.2 (using current build procedure) on an older Debian and Ubuntu 16, which I am almost sure use a version of cmake prior to 3.5. BUT since I make the AppImage, maybe I can either leave 1.3.2 out or upgrade the cmake to 3.5.
>>
>> On Fri, Sep 15, 2023 at 12:23 PM Andrew Randrianasulu <randrianasulu at gmail.com> wrote:
>>>
>>> can you check this attached patch with libwebp downloaded from
>>>
>>> https://github.com/webmproject/libwebp/archive/refs/tags/v1.3.2.tar.gz
>>>
>>> just rename to libwebp-1.3.2.tar.gz and put in thirdparty/src
>>>
>>>
>>>
>>>
>>>
>>> Fri, Sep 15, 2023, 18:31 Andrew Randrianasulu <randrianasulu at gmail.com>:
>>>>
>>>>
>>>>
>>>> Fri, Sep 15, 2023, 18:26 Phyllis Smith <phylsmith2017 at gmail.com>:
>>>>>
>>>>> libwebp is currently at version 1.1.0 for a reason: it requires cmake 3.5 and older versions of Ubuntu as well as some other older O/S do not have that. This is documented in the manual with the suggestion that users who want an upgrade will have to first upgrade cmake to 3.5. BUT by now it may even require a later version of cmake (not sure).
>>>>
>>>>
>>>> At least 1.2.4 (with this bug fixed) still contains an autogen.sh/configure script?
>>>>
>>>> https://github.com/webmproject/libwebp/tree/1.2.4
>>>>
>>>> so maybe we can switch our build to this scheme ...
>>>>
>>>>>
>>>>> On Fri, Sep 15, 2023 at 7:01 AM Andrew Randrianasulu <randrianasulu at gmail.com> wrote:
>>>>>>
>>>>>> https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a
>>>>>>
>>>>>> so far Slackware 15.0 bumped libwebp to 1.3.2
>>>>>>
>>>>>> guess we ought to do the same?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Change-libwebp-to-1.3.2-autotools-build.patch
Type: application/x-patch
Size: 3343 bytes
Desc: not available
URL: <https://lists.cinelerra-gg.org/pipermail/cin/attachments/20230916/f22c90c6/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Fix-libwebp-1.3.2-includes.patch
Type: application/x-patch
Size: 750 bytes
Desc: not available
URL: <https://lists.cinelerra-gg.org/pipermail/cin/attachments/20230916/f22c90c6/attachment-0001.bin>

