From: Brad Smith
Subject: Re: UPDATE: libvpx 1.15.2
To: Landry Breuil
Cc: ports@openbsd.org
Date: Tue, 8 Jul 2025 03:05:31 -0400

On 2025-07-08 2:56 a.m., Landry Breuil wrote:
> On Mon, Jul 07, 2025 at 11:40:39PM -0400, Brad Smith wrote:
>> On 2025-07-05 7:19 a.m., Landry Breuil wrote:
>>> On Sat, Jul 05, 2025 at 04:00:47AM -0400, Brad Smith wrote:
>>>> Here is an update to libvpx 1.15.2.
>>>>
>>>> CVE-2025-5283
>>>>
>>>> Tested on aarch64.
>>> was it tested on BTI ? with what consumers ? i'll try to put it on the
>>> omnibook w/firefox.
>>>
>>> does the cve warrant a backport to 7.7 which has 1.15.0 ?
>>> and if so, why the major bump, removed syms ?
>> I don't have such a system. But the only change between .0 and .2 is the
>> security fix.
>> https://chromium.googlesource.com/webm/libvpx/+/865eaf63a727966d19185b79836480dfc844749b%5E%21/
>>
>> It sounds like it probably should be.
>>
>> The bump comes because there is an internal version check and if you do not
>> bump the major it'll fail. You can't build with one version and run with
>> another even if the ABI has not changed.
>>
>> [libvpx-vp9 @ 0x16ca7e3400] Failed to initialize encoder: ABI version mismatch
> so the backport of the update isn't possible if we can't do it without the
> bump.. have you tested what would happen if only the commit was
> backported ?

I have not yet. I'll see how it goes and get back to you.