[1/1] package/libavif: security bump to version 1.1.1

Message ID	20240805115224.3473431-1-aperez@igalia.com
State	Changes Requested
Headers	show Return-Path: <buildroot-bounces@buildroot.org> DMARC-Filter: OpenDMARC Filter v1.4.2 smtp1.osuosl.org D1F8E80BF0 Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=178.60.130.6; helo=fanzine2.igalia.com; envelope-from=aperez@igalia.com; receiver=<UNKNOWN> From: Adrian Perez de Castro <aperez@igalia.com> To: buildroot@buildroot.org Date: Mon, 5 Aug 2024 14:52:22 +0300 Message-ID: <20240805115224.3473431-1-aperez@igalia.com> MIME-Version: 1.0 X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=igalia.com; s=20170329; h=Content-Transfer-Encoding:MIME-Version:Message-ID:Date:Subject: Cc:To:From:Sender:Reply-To:Content-Type:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Gl/6T51Y62ScQOT/D2nkvEbdMyK5ejT40x8lR571OiU=; b=OMapRyuUiz62ox9X7JYf0bxnfc mZaA5sLixdZ6u1GyyLYiL/QVKKyoKqNX/GltHQI9yb4HaxkUXBa9XogCmO/01RvYCwnEI7x9I+0jw TLbP9c1Orkfs8V+kBuflvbbLH4WU6NjesV/pk68wbmca0TQqi/P+LzjEzLM84/iOsJk88V66ruFeP Kn6o64MG29ZdbAjNtEEFGr7QbJ6cY0j97rvkLQwKnAvbV7YWUc9+KOkCCIFtYn0TJE5fLd9Sd5KY0 Tc8qH6DMIpmpVhvzSJSPBaiMirJRs/KUaOoe+GVympkEuytCsIZgLrRdy5Ae7uYMcIeByNIw264jJ 2v/ceczw==; X-Mailman-Original-Authentication-Results: smtp1.osuosl.org; dmarc=none (p=none dis=none) header.from=igalia.com X-Mailman-Original-Authentication-Results: smtp1.osuosl.org; dkim=pass (2048-bit key, unprotected) header.d=igalia.com header.i=@igalia.com header.a=rsa-sha256 header.s=20170329 header.b=OMapRyuU Subject: [Buildroot] [PATCH 1/1] package/libavif: security bump to version 1.1.1 Precedence: list Cc: Adrian Perez de Castro <aperez@igalia.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: buildroot-bounces@buildroot.org Sender: "buildroot" <buildroot-bounces@buildroot.org>
Series	[1/1] package/libavif: security bump to version 1.1.1 \| expand [1/1] package/libavif: security bump to version 1.1.1

Message ID

20240805115224.3473431-1-aperez@igalia.com

State

Changes Requested

Headers

DMARC-Filter: OpenDMARC Filter v1.4.2 smtp1.osuosl.org D1F8E80BF0
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=178.60.130.6;
 helo=fanzine2.igalia.com; envelope-from=aperez@igalia.com;
 receiver=<UNKNOWN>
From: Adrian Perez de Castro <aperez@igalia.com>
To: buildroot@buildroot.org
Date: Mon,  5 Aug 2024 14:52:22 +0300
Message-ID: <20240805115224.3473431-1-aperez@igalia.com>
MIME-Version: 1.0
X-Mailman-Original-Authentication-Results: smtp1.osuosl.org;
 dmarc=none (p=none dis=none)
 header.from=igalia.com
X-Mailman-Original-Authentication-Results: smtp1.osuosl.org;
 dkim=pass (2048-bit key,
 unprotected) header.d=igalia.com header.i=@igalia.com header.a=rsa-sha256
 header.s=20170329 header.b=OMapRyuU
Subject: [Buildroot] [PATCH 1/1] package/libavif: security bump to version
 1.1.1
X-BeenThere: buildroot@buildroot.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion and development of buildroot <buildroot.buildroot.org>
List-Unsubscribe: <https://lists.buildroot.org/mailman/options/buildroot>,
 <mailto:buildroot-request@buildroot.org?subject=unsubscribe>
List-Archive: <http://lists.buildroot.org/pipermail/buildroot/>
List-Post: <mailto:buildroot@buildroot.org>
List-Help: <mailto:buildroot-request@buildroot.org?subject=help>
List-Subscribe: <https://lists.buildroot.org/mailman/listinfo/buildroot>,
 <mailto:buildroot-request@buildroot.org?subject=subscribe>
Cc: Adrian Perez de Castro <aperez@igalia.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: buildroot-bounces@buildroot.org
Sender: "buildroot" <buildroot-bounces@buildroot.org>

Series

[1/1] package/libavif: security bump to version 1.1.1 | expand

Commit Message

Adrian Perez de Castro Aug. 5, 2024, 11:52 a.m. UTC

The release notes for version 1.1.0 mention fixes for memory handling
issues and bugs found out by fuzzing, which is the reason why this may
be considered a security update, despite them not having CVEs assigned:

  https://github.com/AOMediaCodec/libavif/releases/tag/v1.1.0
  https://github.com/AOMediaCodec/libavif/releases/tag/v1.1.1

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
---
 package/libavif/libavif.hash | 2 +-
 package/libavif/libavif.mk   | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

Comments

Thomas Petazzoni Aug. 5, 2024, 1:48 p.m. UTC | #1

Hello Adrian,

On Mon,  5 Aug 2024 14:52:22 +0300
Adrian Perez de Castro <aperez@igalia.com> wrote:

> The release notes for version 1.1.0 mention fixes for memory handling
> issues and bugs found out by fuzzing, which is the reason why this may
> be considered a security update, despite them not having CVEs assigned:
> 
>   https://github.com/AOMediaCodec/libavif/releases/tag/v1.1.0
>   https://github.com/AOMediaCodec/libavif/releases/tag/v1.1.1
> 
> Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
> ---
>  package/libavif/libavif.hash | 2 +-
>  package/libavif/libavif.mk   | 9 +++++----
>  2 files changed, 6 insertions(+), 5 deletions(-)

This update breaks legal-info:

ERROR: while checking hashes from package/libavif/libavif.hash
ERROR: LICENSE has wrong sha256 hash:
ERROR: expected: 10952217a6d404de8bf8a997fbea9b88f682df1fe98cb9b9f467ade641525639
ERROR: got     : 165abf92cc04b39e80d29cadea7a6a7e8fddf59407d4ad2616507a7ebe8216f9
ERROR: Incomplete download, or man-in-the-middle (MITM) attack

the hash of the license file needs to be updated, with an explanation
in the commit log detailing why the license file changed (especially to
confirm that there's no impact on the licensing conditions).

Thanks!

Thomas

diff --git a/package/libavif/libavif.hash b/package/libavif/libavif.hash
index f4599cdb0b..e9930b7f34 100644
--- a/package/libavif/libavif.hash
+++ b/package/libavif/libavif.hash
@@ -1,3 +1,3 @@ 
-sha256  dc56708c83a4b934a8af2b78f67f866ba2fb568605c7cf94312acf51ee57d146  libavif-1.0.4.tar.gz
+sha256  914662e16245e062ed73f90112fbb4548241300843a7772d8d441bb6859de45b  libavif-1.1.1.tar.gz
 
 sha256  10952217a6d404de8bf8a997fbea9b88f682df1fe98cb9b9f467ade641525639  LICENSE
diff --git a/package/libavif/libavif.mk b/package/libavif/libavif.mk
index 1ca3add82b..0c2a8e4dae 100644
--- a/package/libavif/libavif.mk
+++ b/package/libavif/libavif.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-LIBAVIF_VERSION = 1.0.4
+LIBAVIF_VERSION = 1.1.1
 LIBAVIF_SITE = $(call github,AOMediaCodec,libavif,v$(LIBAVIF_VERSION))
 LIBAVIF_LICENSE = BSD-2-Clause, IJG, Apache-2.0
 LIBAVIF_LICENSE_FILES = LICENSE
@@ -19,17 +19,18 @@  LIBAVIF_CONF_OPTS = \
 	-DAVIF_BUILD_MAN_PAGES=OFF \
 	-DAVIF_BUILD_TESTS=OFF \
 	-DAVIF_CODEC_AOM=OFF \
-	-DAVIF_CODEC_DAV1D=ON \
+	-DAVIF_CODEC_DAV1D=SYSTEM \
 	-DAVIF_CODEC_LIBGAV1=OFF \
 	-DAVIF_CODEC_RAV1E=OFF \
 	-DAVIF_CODEC_SVT=OFF \
 	-DAVIF_CODEC_AVM=OFF \
 	-DAVIF_ENABLE_GTEST=OFF
 
-# There is no CMake options to explicitly enable/disable usage of
-# libyuv, only autodetection :-(
 ifeq ($(BR2_PACKAGE_LIBYUV),y)
 LIBAVIF_DEPENDENCIES += libyuv
+LIBAVIF_CONF_OPTS += -DAVIF_LIBYUV=SYSTEM
+else
+LIBAVIF_CONF_OPTS += -DAVIF_LIBYUV=OFF
 endif
 
 $(eval $(cmake-package))

[1/1] package/libavif: security bump to version 1.1.1

Commit Message

Comments

Patch