From: Brad Smith <brad@comstyle.com>
Subject: Re: UPDATE: libvpx 1.15.2
To: Landry Breuil <landry@openbsd.org>
Cc: ports@openbsd.org
Date: Tue, 8 Jul 2025 03:05:31 -0400

On 2025-07-08 2:56 a.m., Landry Breuil wrote:
> On Mon, Jul 07, 2025 at 11:40:39PM -0400, Brad Smith wrote:
>> On 2025-07-05 7:19 a.m., Landry Breuil wrote:
>>> On Sat, Jul 05, 2025 at 04:00:47AM -0400, Brad Smith wrote:
>>>> Here is an update to libvpx 1.15.2.
>>>>
>>>> CVE-2025-5283
>>>>
>>>> Tested on aarch64.
>>> was it tested on BTI? with what consumers? i'll try to put it on the
>>> omnibook w/firefox.
>>>
>>> does the CVE warrant a backport to 7.7 which has 1.15.0?
>>> and if so, why the major bump, removed syms?
>> I don't have such a system. But the only change between .0 and .2 is the
>> security fix. https://chromium.googlesource.com/webm/libvpx/+/865eaf63a727966d19185b79836480dfc844749b%5E%21/
>>
>>
>> It sounds like it probably should be.
>>
>> The bump comes because there is an internal version check and if you do not
>> bump the major it'll fail. You can't build with one version and run with
>> another even if the ABI has not changed. [libvpx-vp9 @ 0x16ca7e3400] Failed
>> to initialize encoder: ABI version mismatch
> so the backport of the update isn't possible if we can't do it without the
> bump.. have you tested what would happen if only the commit was
> backported?

I have not yet. I'll see how it goes and get back to you.