On 2025-07-08 2:56 a.m., Landry Breuil wrote:
> On Mon, Jul 07, 2025 at 11:40:39PM -0400, Brad Smith wrote:
>> On 2025-07-05 7:19 a.m., Landry Breuil wrote:
>>> On Sat, Jul 05, 2025 at 04:00:47AM -0400, Brad Smith wrote:
>>>> Here is an update to libvpx 1.15.2.
>>>>
>>>> CVE-2025-5283
>>>>
>>>> Tested on aarch64.
>>> was it tested on BTI? with what consumers? I'll try to put it on the
>>> omnibook w/firefox.
>>>
>>> does the CVE warrant a backport to 7.7 which has 1.15.0?
>>> and if so, why the major bump, removed syms?
>> I don't have such a system. But the only change between .0 and .2 is the
>> security fix.
>> https://chromium.googlesource.com/webm/libvpx/+/865eaf63a727966d19185b79836480dfc844749b%5E%21/
>>
>> It sounds like it probably should be.
>>
>> The bump comes because there is an internal version check and if you do not
>> bump the major it'll fail. You can't build with one version and run with
>> another even if the ABI has not changed.
>>
>> [libvpx-vp9 @ 0x16ca7e3400] Failed to initialize encoder: ABI version mismatch
> so the backport of the update isn't possible if we can't do it without the
> bump. have you tested what would happen if only the commit was
> backported?

I have not yet. I'll see how it goes and get back to you.
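The init-time check Brad describes, as an added illustration that is not code from this thread or from libvpx itself: a constructed mock modelled on libvpx's public-API pattern, where the vpx_codec_enc_init() macro bakes the consumer's VPX_ENCODER_ABI_VERSION into the call and the library's vpx_codec_enc_init_ver() compares it with its own value, returning VPX_CODEC_ABI_MISMATCH on skew. The ABI numbers and the mock function names below are assumptions; only the pattern mirrors libvpx.

```c
#include <stdio.h>

/* Constructed mock of libvpx's ABI-version check; not libvpx code.
 * Error codes mirror libvpx's VPX_CODEC_OK / VPX_CODEC_ABI_MISMATCH names. */
typedef enum { MOCK_CODEC_OK = 0, MOCK_CODEC_ABI_MISMATCH = 3 } mock_codec_err_t;

/* "Library side": built once, with its own ABI number compiled in.
 * A fix-only backport that leaves this constant alone keeps old consumers
 * working; a release that bumps it breaks them at init time. */
#define LIB_ENCODER_ABI_VERSION 21 /* constructed value */

static mock_codec_err_t mock_enc_init_ver(int caller_abi_version)
{
    /* Mirrors vpx_codec_enc_init_ver(): the comparison is between two
     * integers, not between the real struct layouts or exported symbols,
     * so a bumped number fails even when nothing in the ABI changed. */
    if (caller_abi_version != LIB_ENCODER_ABI_VERSION)
        return MOCK_CODEC_ABI_MISMATCH;
    return MOCK_CODEC_OK;
}

/* "Consumer side": in libvpx the vpx_codec_enc_init() macro expands to
 * vpx_codec_enc_init_ver(..., VPX_ENCODER_ABI_VERSION), capturing the
 * number from whichever headers the consumer was compiled against. */

/* Consumer built against headers that match the installed library. */
mock_codec_err_t consumer_built_against_matching_headers(void)
{
    return mock_enc_init_ver(21); /* header value equals library value */
}

/* Consumer built against headers of a release that bumped the number. */
mock_codec_err_t consumer_built_against_bumped_headers(void)
{
    return mock_enc_init_ver(22); /* header value no longer matches */
}

int main(void)
{
    printf("matching headers: %d\n", consumer_built_against_matching_headers());
    printf("bumped headers:   %d\n", consumer_built_against_bumped_headers());
    return 0;
}
```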
