From: Landry Breuil
Subject: Re: UPDATE: libvpx 1.15.2
To: Brad Smith
Cc: ports@openbsd.org
Date: Tue, 8 Jul 2025 08:56:40 +0200

On Mon, Jul 07, 2025 at 11:40:39PM -0400, Brad Smith wrote:
> On 2025-07-05 7:19 a.m., Landry Breuil wrote:
> > On Sat, Jul 05, 2025 at 04:00:47AM -0400, Brad Smith wrote:
> > > Here is an update to libvpx 1.15.2.
> > >
> > > CVE-2025-5283
> > >
> > > Tested on aarch64.
> > was it tested on BTI ? with what consumers ? i'll try to put it on the
> > omnibook w/firefox.
> >
> > does the cve warrant a backport to 7.7 which has 1.15.0 ?
> > and if so, why the major bump, removed syms ?
>
> I don't have such a system. But the only change between .0 and .2 is the
> security fix.
> https://chromium.googlesource.com/webm/libvpx/+/865eaf63a727966d19185b79836480dfc844749b%5E%21/
>
> It sounds like it probably should be.
>
> The bump comes because there is an internal version check and if you do not
> bump the major it'll fail. You can't build with one version and run with
> another even if the ABI has not changed.
>
> [libvpx-vp9 @ 0x16ca7e3400] Failed to initialize encoder: ABI version mismatch

so the backport of the update isn't possible if we can't do it without the
bump.. have you tested what would happen if only the commit was
backported ?

Landry