[Cin] Fwd: CVE in libwebp

Phyllis Smith phylsmith2017 at gmail.com
Sun Sep 17 23:46:01 CEST 2023


Andrew,
Tested on 32-bit Debian 9.1 which has cmake version 3.7.2 so it appears to
work.
Tested on 64-bit Ubuntu 16 which has cmake version 3.5.1 WHICH SHOULD NOT
WORK, but appears to anyway.  WHY??
In the file CMakeLists.txt, one of the first things it does is to check the
cmake version for Apple of 3.17 else 3.7.1 for everything else.  But it
seems to just keep going anyway and a single render using webp.webp seems
to work.

Also, I attempted to create libwebp-1.3.2.patch3 to match
libwebp-1.1.0.patch3 but it fails on line 3.  See attached. There are so
many extra libwebp related messages in the build log file now -- 254 versus
about 82 previously.

On Sat, Sep 16, 2023 at 10:22 AM Phyllis Smith <phylsmith2017 at gmail.com>
wrote:

> With patch 0002, it now builds and a single render test worked.  Will test
> on Ubuntu 16 and older Debian sometime today yet after looking at Andrea's
> odt/pdf file and others' commentary on it.
>
> On Fri, Sep 15, 2023 at 10:38 PM Andrew Randrianasulu via Cin <
> cin at lists.cinelerra-gg.org> wrote:
>
>> ---------- Forwarded message ---------
>> From: Andrew Randrianasulu <randrianasulu at gmail.com>
>> Date: Sat, Sep 16, 2023 at 7:22 AM
>> Subject: Re: CVE in libwebp
>> To: Phyllis Smith <phylsmith2017 at gmail.com>
>>
>>
>> ah, it was "working" here because I had libwebp installed
>>
>> what about adding patch 0002 on top of previous one?
>>
>> On Sat, Sep 16, 2023 at 5:47 AM Andrew Randrianasulu
>> <randrianasulu at gmail.com> wrote:
>> >
>> >
>> >
>> > Sat, Sep 16, 2023, 04:48 Phyllis Smith <phylsmith2017 at gmail.com>:
>> >>
>> >> Attaching log file from build on Fedora that failed.
>> >
>> >
>> > Can I also see
>> >
>> > ffbuild/config.log ?
>> >
>> >
>> >> I carefully verified that configure.ac and thirdparty/Makefile have
>> the mods in from 0001-Change...
>> >> First time I tried, I used the tar.gz and when it did not work I
>> re-made as tar.xz as was the previous libwebp 1.1.0 version.
>> >> Tomorrow I will try 1.3.2 (using current build procedure) on an older
>> Debian and Ubuntu 16 which I am almost sure use a prior version of cmake to
>> 3.5.  BUT since I make the AppImage, maybe I can either leave 1.3.2 out or
>> upgrade the cmake to 3.5.
>> >>
>> >> On Fri, Sep 15, 2023 at 12:23 PM Andrew Randrianasulu <
>> randrianasulu at gmail.com> wrote:
>> >>>
>> >>> can you check this attached patch with libwebp downloaded from
>> >>>
>> >>>
>> https://github.com/webmproject/libwebp/archive/refs/tags/v1.3.2.tar.gz
>> >>>
>> >>> just rename to libwebp-1.3.2.tar.gz and put in thirdparty/src
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> Fri, Sep 15, 2023, 18:31 Andrew Randrianasulu <
>> randrianasulu at gmail.com>:
>> >>>>
>> >>>>
>> >>>>
>> >>>> Fri, Sep 15, 2023, 18:26 Phyllis Smith <phylsmith2017 at gmail.com>:
>> >>>>>
>> >>>>> libwebp is currently at version 1.1.0 for a reason:  it requires
>> cmake 3.5 and older versions of ubuntu as well as some other older O/S do
>> not have that.  This is documented in the manual with the suggestion of
>> users who want an upgrade will have to first upgrade cmake to 3.5.  BUT by
now it may even require a later version of cmake (not sure).
>> >>>>
>> >>>>
>> >>>> At least 1.2.4 (with this bug fixed) still contains
>> autogen.sh/configure script?
>> >>>>
>> >>>> https://github.com/webmproject/libwebp/tree/1.2.4
>> >>>>
>> >>>> so maybe we can switch our build to this scheme ...
>> >>>>
>> >>>>>
>> >>>>> On Fri, Sep 15, 2023 at 7:01 AM Andrew Randrianasulu <
>> randrianasulu at gmail.com> wrote:
>> >>>>>>
>> >>>>>>
>> https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a
>> >>>>>>
>> >>>>>> so far Slackware 15.0 bumped libwebp to 1.3.2
>> >>>>>>
>> >>>>>> guess we ought to do the same?
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libwebp-1.3.2.patch3
Type: application/octet-stream
Size: 1724 bytes
Desc: not available
URL: <https://lists.cinelerra-gg.org/pipermail/cin/attachments/20230917/865d9646/attachment.obj>