Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/1] package/libavif: security bump to version 1.1.1
@ 2024-08-05 11:52 Adrian Perez de Castro
  2024-08-05 13:48 ` Thomas Petazzoni via buildroot
  2024-08-06  8:08 ` [Buildroot] [PATCH v2] " Adrian Perez de Castro
  0 siblings, 2 replies; 3+ messages in thread
From: Adrian Perez de Castro @ 2024-08-05 11:52 UTC (permalink / raw)
  To: buildroot; +Cc: Adrian Perez de Castro

The release notes for version 1.1.0 mention fixes for memory handling
issues and bugs found out by fuzzing, which is the reason why this may
be considered a security update, despite them not having CVEs assigned:

  https://github.com/AOMediaCodec/libavif/releases/tag/v1.1.0
  https://github.com/AOMediaCodec/libavif/releases/tag/v1.1.1

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
---
 package/libavif/libavif.hash | 2 +-
 package/libavif/libavif.mk   | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/package/libavif/libavif.hash b/package/libavif/libavif.hash
index f4599cdb0b..e9930b7f34 100644
--- a/package/libavif/libavif.hash
+++ b/package/libavif/libavif.hash
@@ -1,3 +1,3 @@
-sha256  dc56708c83a4b934a8af2b78f67f866ba2fb568605c7cf94312acf51ee57d146  libavif-1.0.4.tar.gz
+sha256  914662e16245e062ed73f90112fbb4548241300843a7772d8d441bb6859de45b  libavif-1.1.1.tar.gz
 
 sha256  10952217a6d404de8bf8a997fbea9b88f682df1fe98cb9b9f467ade641525639  LICENSE
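Review bot: the LICENSE line in this hunk keeps the 1.0.4-era sha256 (10952217...) while the tarball line moves to 1.1.1; a version bump should re-hash every file named in the .hash file, license files included, because `make legal-info` re-checks LICENSE from the new tree and fails on a mismatch. Regenerate the line from the 1.1.1 tarball and, if the content changed, say in the commit log why it changed and whether the licensing terms are affected.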
diff --git a/package/libavif/libavif.mk b/package/libavif/libavif.mk
index 1ca3add82b..0c2a8e4dae 100644
--- a/package/libavif/libavif.mk
+++ b/package/libavif/libavif.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBAVIF_VERSION = 1.0.4
+LIBAVIF_VERSION = 1.1.1
 LIBAVIF_SITE = $(call github,AOMediaCodec,libavif,v$(LIBAVIF_VERSION))
 LIBAVIF_LICENSE = BSD-2-Clause, IJG, Apache-2.0
 LIBAVIF_LICENSE_FILES = LICENSE
@@ -19,17 +19,18 @@ LIBAVIF_CONF_OPTS = \
 	-DAVIF_BUILD_MAN_PAGES=OFF \
 	-DAVIF_BUILD_TESTS=OFF \
 	-DAVIF_CODEC_AOM=OFF \
-	-DAVIF_CODEC_DAV1D=ON \
+	-DAVIF_CODEC_DAV1D=SYSTEM \
 	-DAVIF_CODEC_LIBGAV1=OFF \
 	-DAVIF_CODEC_RAV1E=OFF \
 	-DAVIF_CODEC_SVT=OFF \
 	-DAVIF_CODEC_AVM=OFF \
 	-DAVIF_ENABLE_GTEST=OFF
 
-# There is no CMake options to explicitly enable/disable usage of
-# libyuv, only autodetection :-(
 ifeq ($(BR2_PACKAGE_LIBYUV),y)
 LIBAVIF_DEPENDENCIES += libyuv
+LIBAVIF_CONF_OPTS += -DAVIF_LIBYUV=SYSTEM
+else
+LIBAVIF_CONF_OPTS += -DAVIF_LIBYUV=OFF
 endif
 
 $(eval $(cmake-package))
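Review bot: this hunk changes `-DAVIF_CODEC_DAV1D=ON` to `-DAVIF_CODEC_DAV1D=SYSTEM` and replaces the "autodetection only" comment with an explicit `-DAVIF_LIBYUV=SYSTEM` / `-DAVIF_LIBYUV=OFF` pair, but the commit log only talks about the security fixes. Add a sentence stating that the option values changed upstream and that SYSTEM selects the Buildroot-built dav1d/libyuv rather than any copy libavif could build or fetch itself; that is exactly what a reviewer needs to confirm the bump does not pull in an unreviewed bundled codec. Passing `OFF` explicitly when BR2_PACKAGE_LIBYUV is unset is the right choice, since it also stops a host libyuv from being picked up silently.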
-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

* Re: [Buildroot] [PATCH 1/1] package/libavif: security bump to version 1.1.1
  2024-08-05 11:52 [Buildroot] [PATCH 1/1] package/libavif: security bump to version 1.1.1 Adrian Perez de Castro
@ 2024-08-05 13:48 ` Thomas Petazzoni via buildroot
  2024-08-06  8:08 ` [Buildroot] [PATCH v2] " Adrian Perez de Castro
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni via buildroot @ 2024-08-05 13:48 UTC (permalink / raw)
  To: Adrian Perez de Castro; +Cc: buildroot

Hello Adrian,

On Mon,  5 Aug 2024 14:52:22 +0300
Adrian Perez de Castro <aperez@igalia.com> wrote:

> The release notes for version 1.1.0 mention fixes for memory handling
> issues and bugs found out by fuzzing, which is the reason why this may
> be considered a security update, despite them not having CVEs assigned:
> 
>   https://github.com/AOMediaCodec/libavif/releases/tag/v1.1.0
>   https://github.com/AOMediaCodec/libavif/releases/tag/v1.1.1
> 
> Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
> ---
>  package/libavif/libavif.hash | 2 +-
>  package/libavif/libavif.mk   | 9 +++++----
>  2 files changed, 6 insertions(+), 5 deletions(-)

This update breaks legal-info:

ERROR: while checking hashes from package/libavif/libavif.hash
ERROR: LICENSE has wrong sha256 hash:
ERROR: expected: 10952217a6d404de8bf8a997fbea9b88f682df1fe98cb9b9f467ade641525639
ERROR: got     : 165abf92cc04b39e80d29cadea7a6a7e8fddf59407d4ad2616507a7ebe8216f9
ERROR: Incomplete download, or man-in-the-middle (MITM) attack

the hash of the license file needs to be updated, with an explanation
in the commit log detailing why the license file changed (especially to
confirm that there's no impact on the licensing conditions).

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
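The failure quoted above is Buildroot's hash verification of every file named in package/<pkg>/<pkg>.hash, license files included, not just the tarball. As an added example (not Buildroot's own check-hash script and not code from this thread), the following Python re-implements that check on constructed data so the expected/got mismatch can be reproduced offline; the hash file text, the file contents and the LICENSE.libyuv file name are assumptions made for the example, and the stale LICENSE digest reuses the value from the v1 patch.

```python
"""Verify a Buildroot-style .hash file against downloaded files (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Digest names Buildroot accepts in .hash files; anything else is an error.
SUPPORTED_ALGOS = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}


@dataclass(frozen=True)
class HashEntry:
    algo: str
    digest: str
    filename: str


@dataclass(frozen=True)
class CheckResult:
    filename: str
    status: str          # "ok", "mismatch", "missing-file", "no-hash", "bad-algo"
    algo: str = ""
    expected: str = ""
    actual: str = ""


def parse_hash_file(text: str) -> list[HashEntry]:
    """Parse '<algo>  <hexdigest>  <filename>' lines; blank lines and '#'
    comments are skipped, as in Buildroot's .hash files."""
    entries: list[HashEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        algo, digest, filename = fields
        entries.append(HashEntry(algo.lower(), digest.lower(), filename))
    return entries


def check_hashes(entries: list[HashEntry], files: dict[str, bytes]) -> dict[str, CheckResult]:
    """Hash every listed file and compare; files that are present but unlisted
    are flagged too, because an unlisted license file is silently unverified."""
    results: dict[str, CheckResult] = {}
    for e in entries:
        if e.algo not in SUPPORTED_ALGOS:
            results[e.filename] = CheckResult(e.filename, "bad-algo", e.algo, e.digest)
            continue
        data = files.get(e.filename)
        if data is None:
            results[e.filename] = CheckResult(e.filename, "missing-file", e.algo, e.digest)
            continue
        actual = hashlib.new(e.algo, data).hexdigest()
        status = "ok" if actual == e.digest else "mismatch"
        results[e.filename] = CheckResult(e.filename, status, e.algo, e.digest, actual)
    for name in files:
        results.setdefault(name, CheckResult(name, "no-hash"))
    return results


def hash_line(algo: str, filename: str, data: bytes) -> str:
    """Produce the replacement .hash line once a changed file has been reviewed."""
    return f"{algo}  {hashlib.new(algo, data).hexdigest()}  {filename}"


def report(results: dict[str, CheckResult]) -> list[str]:
    """Render failures in the same shape as Buildroot's error output."""
    lines: list[str] = []
    for r in results.values():
        if r.status == "ok":
            continue
        if r.status == "mismatch":
            lines += [f"ERROR: {r.filename} has wrong {r.algo} hash:",
                      f"ERROR: expected: {r.expected}",
                      f"ERROR: got     : {r.actual}"]
        else:
            lines.append(f"ERROR: {r.filename}: {r.status}")
    return lines


# Constructed sample (not the real files): the tarball entry is sha256(b"abc"),
# the LICENSE entry is deliberately stale, mirroring the v1 patch.
SAMPLE_HASH_FILE = """\
# Locally computed
sha256  ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  libavif-1.1.1.tar.gz

sha256  10952217a6d404de8bf8a997fbea9b88f682df1fe98cb9b9f467ade641525639  LICENSE
"""

SAMPLE_FILES = {
    "libavif-1.1.1.tar.gz": b"abc",
    "LICENSE": b"",                      # content changed upstream, hash did not
    "LICENSE.libyuv": b"BSD-3-Clause",   # assumed extra file with no .hash entry
}


def run_demo() -> dict[str, CheckResult]:
    return check_hashes(parse_hash_file(SAMPLE_HASH_FILE), SAMPLE_FILES)


if __name__ == "__main__":
    for line in report(run_demo()):
        print(line)
    # The line to paste into the .hash file after reviewing why LICENSE changed.
    print(hash_line("sha256", "LICENSE", SAMPLE_FILES["LICENSE"]))
```

Running the file prints the three ERROR lines for LICENSE in the same shape as the output quoted in the reply, a further line for the unlisted LICENSE.libyuv, and the regenerated sha256 line. The point of flagging unlisted files is the one Thomas makes: a license hash is only useful if the hash file is re-checked on every bump, and a file that is shipped but never hashed is not covered at all.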

* [Buildroot] [PATCH v2] package/libavif: security bump to version 1.1.1
  2024-08-05 11:52 [Buildroot] [PATCH 1/1] package/libavif: security bump to version 1.1.1 Adrian Perez de Castro
  2024-08-05 13:48 ` Thomas Petazzoni via buildroot
@ 2024-08-06  8:08 ` Adrian Perez de Castro
  1 sibling, 0 replies; 3+ messages in thread
From: Adrian Perez de Castro @ 2024-08-06  8:08 UTC (permalink / raw)
  To: buildroot; +Cc: Adrian Perez de Castro

The release notes for version 1.1.0 mention fixes for memory handling
issues and bugs found out by fuzzing, which is the reason why this may
be considered a security update, despite them not having CVEs assigned:

  https://github.com/AOMediaCodec/libavif/releases/tag/v1.1.0
  https://github.com/AOMediaCodec/libavif/releases/tag/v1.1.1

The changed checksum for the LICENSE file is caused by a path change for
one of the submodules, and the addition of the licensing terms for the
bundled libyuv sources. The latter are never built from the libavif tree
as there is a separate libyuv package, so BSD-3-Clause does not need to
be added to LIBAVIF_LICENSE.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
---
 package/libavif/libavif.hash | 4 ++--
 package/libavif/libavif.mk   | 9 +++++----
 2 files changed, 7 insertions(+), 6 deletions(-)

---
Changes v1 -> v2:
- Updated LICENSE checksum, added explanation in commit log about the
  change.

diff --git a/package/libavif/libavif.hash b/package/libavif/libavif.hash
index f4599cdb0b..b26e678abf 100644
--- a/package/libavif/libavif.hash
+++ b/package/libavif/libavif.hash
@@ -1,3 +1,3 @@
-sha256  dc56708c83a4b934a8af2b78f67f866ba2fb568605c7cf94312acf51ee57d146  libavif-1.0.4.tar.gz
+sha256  914662e16245e062ed73f90112fbb4548241300843a7772d8d441bb6859de45b  libavif-1.1.1.tar.gz
 
-sha256  10952217a6d404de8bf8a997fbea9b88f682df1fe98cb9b9f467ade641525639  LICENSE
+sha256  165abf92cc04b39e80d29cadea7a6a7e8fddf59407d4ad2616507a7ebe8216f9  LICENSE
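Review bot: the new LICENSE digest (165abf92...) matches the "got" value from the legal-info failure reported on v1, and the commit log now explains the change. One consequence worth stating explicitly in the log: with `LIBAVIF_LICENSE_FILES = LICENSE` unchanged, the BSD-3-Clause text for the bundled libyuv sources is now shipped in the legal-info output even though `LIBAVIF_LICENSE` deliberately omits BSD-3-Clause; that is consistent with the sources never being built, but someone auditing legal-info will see the extra license text and should be told why it is there.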
diff --git a/package/libavif/libavif.mk b/package/libavif/libavif.mk
index 1ca3add82b..0c2a8e4dae 100644
--- a/package/libavif/libavif.mk
+++ b/package/libavif/libavif.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBAVIF_VERSION = 1.0.4
+LIBAVIF_VERSION = 1.1.1
 LIBAVIF_SITE = $(call github,AOMediaCodec,libavif,v$(LIBAVIF_VERSION))
 LIBAVIF_LICENSE = BSD-2-Clause, IJG, Apache-2.0
 LIBAVIF_LICENSE_FILES = LICENSE
@@ -19,17 +19,18 @@ LIBAVIF_CONF_OPTS = \
 	-DAVIF_BUILD_MAN_PAGES=OFF \
 	-DAVIF_BUILD_TESTS=OFF \
 	-DAVIF_CODEC_AOM=OFF \
-	-DAVIF_CODEC_DAV1D=ON \
+	-DAVIF_CODEC_DAV1D=SYSTEM \
 	-DAVIF_CODEC_LIBGAV1=OFF \
 	-DAVIF_CODEC_RAV1E=OFF \
 	-DAVIF_CODEC_SVT=OFF \
 	-DAVIF_CODEC_AVM=OFF \
 	-DAVIF_ENABLE_GTEST=OFF
 
-# There is no CMake options to explicitly enable/disable usage of
-# libyuv, only autodetection :-(
 ifeq ($(BR2_PACKAGE_LIBYUV),y)
 LIBAVIF_DEPENDENCIES += libyuv
+LIBAVIF_CONF_OPTS += -DAVIF_LIBYUV=SYSTEM
+else
+LIBAVIF_CONF_OPTS += -DAVIF_LIBYUV=OFF
 endif
 
 $(eval $(cmake-package))
-- 
2.46.0
