
[v2] package/libavif: security bump to version 1.1.1

Message ID 20240806080900.999109-1-aperez@igalia.com
State Accepted

Commit Message

Adrian Perez de Castro Aug. 6, 2024, 8:08 a.m. UTC
The release notes for version 1.1.0 mention fixes for memory handling
issues and bugs found out by fuzzing, which is the reason why this may
be considered a security update, despite them not having CVEs assigned:

  https://github.com/AOMediaCodec/libavif/releases/tag/v1.1.0
  https://github.com/AOMediaCodec/libavif/releases/tag/v1.1.1

The checksum change for the LICENSE file is caused by a path change for
one of the submodules, and the addition of the licensing terms for the
bundled libyuv sources. The latter are never built from the libavif tree
as there is a separate libyuv package, so BSD-3-Clause does not need to
be added to LIBAVIF_LICENSE.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
---
 package/libavif/libavif.hash | 4 ++--
 package/libavif/libavif.mk   | 9 +++++----
 2 files changed, 7 insertions(+), 6 deletions(-)

---
Changes v1 -> v2:
- Updated LICENSE checksum, added explanation in commit log about the
  change.

Patch

diff --git a/package/libavif/libavif.hash b/package/libavif/libavif.hash
index f4599cdb0b..b26e678abf 100644
--- a/package/libavif/libavif.hash
+++ b/package/libavif/libavif.hash
@@ -1,3 +1,3 @@ 
-sha256  dc56708c83a4b934a8af2b78f67f866ba2fb568605c7cf94312acf51ee57d146  libavif-1.0.4.tar.gz
+sha256  914662e16245e062ed73f90112fbb4548241300843a7772d8d441bb6859de45b  libavif-1.1.1.tar.gz
 
-sha256  10952217a6d404de8bf8a997fbea9b88f682df1fe98cb9b9f467ade641525639  LICENSE
+sha256  165abf92cc04b39e80d29cadea7a6a7e8fddf59407d4ad2616507a7ebe8216f9  LICENSE
diff --git a/package/libavif/libavif.mk b/package/libavif/libavif.mk
index 1ca3add82b..0c2a8e4dae 100644
--- a/package/libavif/libavif.mk
+++ b/package/libavif/libavif.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-LIBAVIF_VERSION = 1.0.4
+LIBAVIF_VERSION = 1.1.1
 LIBAVIF_SITE = $(call github,AOMediaCodec,libavif,v$(LIBAVIF_VERSION))
 LIBAVIF_LICENSE = BSD-2-Clause, IJG, Apache-2.0
 LIBAVIF_LICENSE_FILES = LICENSE
@@ -19,17 +19,18 @@  LIBAVIF_CONF_OPTS = \
 	-DAVIF_BUILD_MAN_PAGES=OFF \
 	-DAVIF_BUILD_TESTS=OFF \
 	-DAVIF_CODEC_AOM=OFF \
-	-DAVIF_CODEC_DAV1D=ON \
+	-DAVIF_CODEC_DAV1D=SYSTEM \
 	-DAVIF_CODEC_LIBGAV1=OFF \
 	-DAVIF_CODEC_RAV1E=OFF \
 	-DAVIF_CODEC_SVT=OFF \
 	-DAVIF_CODEC_AVM=OFF \
 	-DAVIF_ENABLE_GTEST=OFF
 
-# There is no CMake options to explicitly enable/disable usage of
-# libyuv, only autodetection :-(
 ifeq ($(BR2_PACKAGE_LIBYUV),y)
 LIBAVIF_DEPENDENCIES += libyuv
+LIBAVIF_CONF_OPTS += -DAVIF_LIBYUV=SYSTEM
+else
+LIBAVIF_CONF_OPTS += -DAVIF_LIBYUV=OFF
 endif
 
 $(eval $(cmake-package))
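Review bot: The `ifeq ($(BR2_PACKAGE_LIBYUV),y)` block loses its old comment and is left with none, although the new `else` branch encodes a packaging decision worth recording: libyuv comes from the Buildroot package or is switched off, and is never built from the copy shipped in the libavif tree. The commit message relies on exactly that to keep BSD-3-Clause out of `LIBAVIF_LICENSE`, so I would add above the `ifeq`: `# Use the libyuv package or nothing; building the bundled copy would add BSD-3-Clause to LIBAVIF_LICENSE.` Separately, `-DAVIF_CODEC_DAV1D=SYSTEM` presumably requires dav1d in `LIBAVIF_DEPENDENCIES`. That assignment and the start of `LIBAVIF_CONF_OPTS` are outside this hunk, so it is worth confirming the dependency is still declared.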