
From: Landry Breuil <landry@openbsd.org>
Subject: Re: UPDATE: libvpx 1.15.2
To: Brad Smith <brad@comstyle.com>
Cc: ports@openbsd.org
Date: Tue, 8 Jul 2025 09:04:14 +0200

On Tue, Jul 08, 2025 at 08:56:40AM +0200, Landry Breuil wrote:
> On Mon, Jul 07, 2025 at 11:40:39PM -0400, Brad Smith wrote:
> > On 2025-07-05 7:19 a.m., Landry Breuil wrote:
> > > On Sat, Jul 05, 2025 at 04:00:47AM -0400, Brad Smith wrote:
> > > > Here is an update to libvpx 1.15.2.
> > > > 
> > > > CVE-2025-5283
> > > > 
> > > > Tested on aarch64.
> > > was it tested on BTI ? with what consumers ? i'll try to put it on the
> > > omnibook w/firefox.
> > > 
> > > does the cve warrant a backport to 7.7 which has 1.15.0 ?
> > > and if so, why the major bump, removed syms ?
> > 
> > I don't have such a system. But the only change between .0 and .2 is the
> > security fix. https://chromium.googlesource.com/webm/libvpx/+/865eaf63a727966d19185b79836480dfc844749b%5E%21/
> > 
> > 
> > It sounds like it probably should be.
> > 
> > The bump comes because there is an internal version check and if you do not
> > bump the major it'll fail. You can't build with one version and run with
> > another even if the ABI has not changed. [libvpx-vp9 @ 0x16ca7e3400] Failed
> > to initialize encoder: ABI version mismatch
> 
> so the backport of the update isn't possible if we can't do it without the
> bump..  have you tested what would happen if only the commit was
> backported ?

looking at the changelog, upstream did an abi bump for 1.15.0 or 1.15.1,
and 1.15.2 only contains the cve fix.

2025-05-28 v1.15.2 "Wigeon Duck"
  This release fixes CVE-2025-5283 (bug webm:413411335), and is ABI compatible
  with the previous release.

2025-01-09 v1.15.1 "Wigeon Duck"
  This release bumps up the SO major version and fixes the language about ABI
  compatibility in the previous release changelog.

2024-10-22 v1.15.0 "Wigeon Duck"
  This release includes new codec control for key frame filtering, more Neon
  optimizations, improvements to RTC encoding and bug fixes.

  - Upgrading:
    This release is ABI incompatible with the previous release.

    It is strongly recommended to skip this release and upgrade to v1.15.1 since
    the shared object was versioned incorrectly, as shown in
    https://issues.webmproject.org/issues/384672478.