[Cin] CVE in libwebp

Phyllis Smith phylsmith2017 at gmail.com
Tue Sep 19 00:40:47 CEST 2023


Checked into GIT after testing on Fedora, Ubuntu 16, and Debian 9.1
32-bit.  Only minimal testing done though, so if Andrew and/or Andrea can
check out GIT and test also to make sure I made no checkin errors, that
would be appreciated.

Also, should I not be able to do a build that excludes libwebp by adding
"--without-libwebp" or "--disable-libwebp"?  For some reason I am never
able to disable any of the packages that I would like to????

On Fri, Sep 15, 2023 at 12:23 PM Andrew Randrianasulu <
randrianasulu at gmail.com> wrote:

> can you check this attached patch with libwebp downloaded from
>
> https://github.com/webmproject/libwebp/archive/refs/tags/v1.3.2.tar.gz
>
> just rename to libwebp-1.3.2.tar.gz and put in thirdparty/src
>
>
>
>
>
> Fri, 15 Sep 2023, 18:31 Andrew Randrianasulu <randrianasulu at gmail.com>:
>
>>
>>
>> Fri, 15 Sep 2023, 18:26 Phyllis Smith <phylsmith2017 at gmail.com>:
>>
>>> libwebp is currently at version 1.1.0 for a reason:  it requires cmake
>>> 3.5 and older versions of Ubuntu as well as some other older O/S do not
>>> have that.  This is documented in the manual with the suggestion that users
>>> who want an upgrade will have to first upgrade cmake to 3.5.  BUT by now it
>>> may even require a later version of cmake (not sure).
>>>
>>
>> At least 1.2.4 (with this bug fixed) still contains autogen.sh/configure
>> script?
>>
>> https://github.com/webmproject/libwebp/tree/1.2.4
>>
>> so maybe we can switch our build to this scheme ...
>>
>>
>>> On Fri, Sep 15, 2023 at 7:01 AM Andrew Randrianasulu <
>>> randrianasulu at gmail.com> wrote:
>>>
>>>>
>>>> https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a
>>>>
>>>> so far Slackware 15.0 bumped libwebp to 1.3.2
>>>>
>>>> guess we ought to do the same?
>>>>
>>>