[Cin] Fwd: CVE in libwebp

Andrew Randrianasulu randrianasulu at gmail.com
Sun Sep 17 23:52:05 CEST 2023


Mon, 18 Sep 2023, 00:46 Phyllis Smith <phylsmith2017 at gmail.com>:

> Andrew,
> Tested on 32-bit Debian 9.1 which has cmake version 3.7.2 so it appears to
> work.
> Tested on 64-bit Ubuntu 16 which has cmake version 3.5.1 WHICH SHOULD NOT
> WORK, but appears to anyway.  WHY??
>

because I switched libwebp build from cmake build system to autotools build
system .....


> In the file CMakeLists.txt, one of the first things it does is to check the
> cmake version for Apple of 3.17 else 3.7.1 for everything else.  But it
> seems to just keep going anyway and a single render using webp.webp seems
> to work.
>

you can also try to make a patch dialing that 3.7.1 down to 3.5.1 like for
libaom and see if this works ....


> Also, I attempted to create libwebp-1.3.2.patch3 to match
> libwebp-1.1.0.patch3 but it fails on line 3.  See attached. There are so
> many extra libwebp related messages in the build log file now -- 254 versus
> about 82 previously.
>

src/libwebp-1.1.0.patch3

seems to disable things I disabled by configure switches, so not necessary
anymore if this mini patch series works as intended...


> On Sat, Sep 16, 2023 at 10:22 AM Phyllis Smith <phylsmith2017 at gmail.com>
> wrote:
>
>> With patch 0002, it now builds and a single render test worked.  Will
>> test on Ubuntu 16 and older Debian sometime today yet after looking at
>> Andrea's odt/pdf file and others' commentary on it.
>>
>> On Fri, Sep 15, 2023 at 10:38 PM Andrew Randrianasulu via Cin <
>> cin at lists.cinelerra-gg.org> wrote:
>>
>>> ---------- Forwarded message ---------
>>> From: Andrew Randrianasulu <randrianasulu at gmail.com>
>>> Date: Sat, Sep 16, 2023 at 7:22 AM
>>> Subject: Re: CVE in libwebp
>>> To: Phyllis Smith <phylsmith2017 at gmail.com>
>>>
>>>
>>> ah, it was "working" here because I had libwebp installed
>>>
>>> what about adding patch 0002 on top of previous one?
>>>
>>> On Sat, Sep 16, 2023 at 5:47 AM Andrew Randrianasulu
>>> <randrianasulu at gmail.com> wrote:
>>> >
>>> >
>>> >
>>> > Sat, 16 Sep 2023, 04:48 Phyllis Smith <phylsmith2017 at gmail.com>:
>>> >>
>>> >> Attaching log file from build on Fedora that failed.
>>> >
>>> >
>>> > Can I also see
>>> >
>>> > ffbuild/config.log ?
>>> >
>>> >
>>> >> I carefully verified that configure.ac and thirdparty/Makefile have
>>> the mods in from 0001-Change...
>>> >> First time I tried, I used the tar.gz and when it did not work I
>>> re-made as tar.xz as was the previous libwebp 1.1.0 version.
>>> >> Tomorrow I will try 1.3.2 (using current build procedure) on an older
>>> Debian and Ubuntu 16 which I am almost sure use a prior version of cmake to
>>> 3.5.  BUT since I make the AppImage, maybe I can either leave 1.3.2 out or
>>> upgrade the cmake to 3.5.
>>> >>
>>> >> On Fri, Sep 15, 2023 at 12:23 PM Andrew Randrianasulu <
>>> randrianasulu at gmail.com> wrote:
>>> >>>
>>> >>> can you check this attached patch with libwebp downloaded from
>>> >>>
>>> >>>
>>> https://github.com/webmproject/libwebp/archive/refs/tags/v1.3.2.tar.gz
>>> >>>
>>> >>> just rename to libwebp-1.3.2.tar.gz and put in thirdparty/src
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>> Fri, 15 Sep 2023, 18:31 Andrew Randrianasulu <
>>> randrianasulu at gmail.com>:
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> Fri, 15 Sep 2023, 18:26 Phyllis Smith <phylsmith2017 at gmail.com>:
>>> >>>>>
>>> >>>>> libwebp is currently at version 1.1.0 for a reason:  it requires
>>> cmake 3.5 and older versions of ubuntu as well as some other older O/S do
>>> not have that.  This is documented in the manual with the suggestion of
>>> users who want an upgrade will have to first upgrade cmake to 3.5.  BUT by
>>> now it may even require a later version of cmake (not sure).
>>> >>>>
>>> >>>>
>>> >>>> At least 1.2.4 (with this bug fixed) still contains
>>> autogen.sh/configure script?
>>> >>>>
>>> >>>> https://github.com/webmproject/libwebp/tree/1.2.4
>>> >>>>
>>> >>>> so may be we can switch our build to this scheme ...
>>> >>>>
>>> >>>>>
>>> >>>>> On Fri, Sep 15, 2023 at 7:01 AM Andrew Randrianasulu <
>>> randrianasulu at gmail.com> wrote:
>>> >>>>>>
>>> >>>>>>
>>> https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a
>>> >>>>>>
>>> >>>>>> so far Slackware 15.0 bumped libwebp to 1.3.2
>>> >>>>>>
>>> >>>>>> guess we ought to do the same?