[Cin] Fwd: CVE in libwebp

Phyllis Smith phylsmith2017 at gmail.com
Sat Sep 16 18:22:34 CEST 2023


With patch 0002, it now builds and a single render test worked.  Will test
on Ubuntu 16 and older Debian sometime today yet after looking at Andrea's
odt/pdf file and others' commentary on it.

On Fri, Sep 15, 2023 at 10:38 PM Andrew Randrianasulu via Cin <cin at lists.cinelerra-gg.org> wrote:

> ---------- Forwarded message ---------
> From: Andrew Randrianasulu <randrianasulu at gmail.com>
> Date: Sat, Sep 16, 2023 at 7:22 AM
> Subject: Re: CVE in libwebp
> To: Phyllis Smith <phylsmith2017 at gmail.com>
>
>
> ah, it was "working" here because I had libwebp installed
>
> what about adding patch 0002 on top of previous one?
>
> On Sat, Sep 16, 2023 at 5:47 AM Andrew Randrianasulu
> <randrianasulu at gmail.com> wrote:
> >
> >
> >
> > Sat, Sep 16, 2023, 04:48 Phyllis Smith <phylsmith2017 at gmail.com>:
> >>
> >> Attaching log file from build on Fedora that failed.
> >
> >
> > Can I also see
> >
> > ffbuild/config.log ?
> >
> >
> >> I carefully verified that configure.ac and thirdparty/Makefile have the mods in from 0001-Change...
> >> First time I tried, I used the tar.gz and when it did not work I re-made as tar.xz as was the previous libwebp 1.1.0 version.
> >> Tomorrow I will try 1.3.2 (using current build procedure) on an older Debian and Ubuntu 16 which I am almost sure use a prior version of cmake to 3.5.  BUT since I make the AppImage, maybe I can either leave 1.3.2 out or upgrade the cmake to 3.5.
> >>
> >> On Fri, Sep 15, 2023 at 12:23 PM Andrew Randrianasulu <randrianasulu at gmail.com> wrote:
> >>>
> >>> can you check this attached patch with libwebp downloaded from
> >>>
> >>> https://github.com/webmproject/libwebp/archive/refs/tags/v1.3.2.tar.gz
> >>>
> >>> just rename to libwebp-1.3.2.tar.gz and put in thirdparty/src
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Fri, Sep 15, 2023, 18:31 Andrew Randrianasulu <randrianasulu at gmail.com>:
> >>>>
> >>>>
> >>>>
> >>>> Fri, Sep 15, 2023, 18:26 Phyllis Smith <phylsmith2017 at gmail.com>:
> >>>>>
> >>>>> libwebp is currently at version 1.1.0 for a reason:  it requires cmake 3.5 and older versions of Ubuntu as well as some other older O/S do not have that.  This is documented in the manual with the suggestion that users who want an upgrade will have to first upgrade cmake to 3.5.  BUT by now it may even require a later version of cmake (not sure).
> >>>>
> >>>>
> >>>> At least 1.2.4 (with this bug fixed) still contains autogen.sh/configure script?
> >>>>
> >>>> https://github.com/webmproject/libwebp/tree/1.2.4
> >>>>
> >>>> so maybe we can switch our build to this scheme ...
> >>>>
> >>>>>
> >>>>> On Fri, Sep 15, 2023 at 7:01 AM Andrew Randrianasulu <randrianasulu at gmail.com> wrote:
> >>>>>>
> >>>>>> https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a
> >>>>>>
> >>>>>> so far Slackware 15.0 bumped libwebp to 1.3.2
> >>>>>>
> >>>>>> guess we ought to do the same?