package/libvips: security bump to v8.17.2

See the many release notes: https://github.com/libvips/libvips/releases

Along that version bump:
- Change source code archive compression from .gz to .xz as this the
  new upstream delivery format
- Switch from autotools to meson build system (see upstream commit
  538aa2a841)
- Update the LICENSE file (see upstream commit
  057703938e)

This fixes the following vulnerabilities:
- CVE-2025-29769:
    libvips is a demand-driven, horizontally threaded image processing
    library.  The heifsave operation could incorrectly determine the
    presence of an alpha channel in an input when it was not possible to
    determine the colour interpretation, known internally within libvips
    as "multiband". There aren't many ways to create a "multiband" input,
    but it is possible with a well-crafted TIFF image. If a "multiband"
    TIFF input image had 4 channels and HEIF-based output was requested,
    this led to libvips creating a 3 channel HEIF image without an alpha
    channel but then attempting to write 4 channels of data. This caused a
    heap buffer overflow, which could crash the process. This
    vulnerability is fixed in 8.16.1.
    https://www.cve.org/CVERecord?id=CVE-2025-29769

- CVE-2025-59933:
    libvips is a demand-driven, horizontally threaded image processing
    library. For versions 8.17.1 and below, when libvips is compiled with
    support for PDF input via poppler, the pdfload operation is affected
    by a buffer read overflow when parsing the header of a crafted PDF
    with a page that defines a width but not a height. Those using libvips
    compiled without support for PDF input are unaffected as well as
    thosewith support for PDF input via PDFium. This issue is fixed in
    version 8.17.2. A workaround for those affected is to block the
    VipsForeignLoadPdf operation via vips_operation_block_set, which is
    available in most language bindings, or to set VIPS_BLOCK_UNTRUSTED
    environment variable at runtime, which will block all untrusted
    loaders including PDF input via poppler.
    https://www.cve.org/CVERecord?id=CVE-2025-59933

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: update _LICENSE_FILES to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>

package/libvips/libvips.hash

@@ -1,3 +1,3 @@
-# Locally calculated
-sha256  2468088d958e0e2de1be2991ff8940bf45664a826c0dad12342e1804e2805a6e  vips-8.10.6.tar.gz
-sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING
+# From https://github.com/libvips/libvips/releases/download/v8.17.2/vips-8.17.2.tar.xz.sha256sum
+sha256  57ea0ec4f30ea04748c9e8eec5415e7c9ac7cafe6822e4788fc110376a1d224a  vips-8.17.2.tar.xz
+sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  LICENSE

package/libvips/libvips.mk

@@ -4,11 +4,11 @@
 #
 ################################################################################
 
-LIBVIPS_VERSION = 8.10.6
-LIBVIPS_SOURCE = vips-$(LIBVIPS_VERSION).tar.gz
+LIBVIPS_VERSION = 8.17.2
+LIBVIPS_SOURCE = vips-$(LIBVIPS_VERSION).tar.xz
 LIBVIPS_SITE = https://github.com/libvips/libvips/releases/download/v$(LIBVIPS_VERSION)
 LIBVIPS_LICENSE = LGPL-2.1+
-LIBVIPS_LICENSE_FILES = COPYING
+LIBVIPS_LICENSE_FILES = LICENSE
 LIBVIPS_CPE_ID_VENDOR = libvips
 
 # Sparc64 compile fails, for all optimization levels except -O0. To
@@ -22,135 +22,125 @@ LIBVIPS_CONF_ENV += CXXFLAGS="$(TARGET_CXXFLAGS) $(LIBVIPS_CXXFLAGS)" \
 	LIBS=$(TARGET_NLS_LIBS)
 
 LIBVIPS_CONF_OPTS = \
-	--without-dmalloc \
-	--without-gsf \
-	--without-OpenEXR \
-	--without-openslide \
-	--without-cfitsio \
-	--without-pangoft2 \
-	--without-x
+	-Dopenexr=disabled \
+	-Dopenslide=disabled \
+	-Dcfitsio=disabled \
+	-Dpangocairo=disabled
 LIBVIPS_INSTALL_STAGING = YES
 LIBVIPS_DEPENDENCIES = \
 	host-pkgconf expat libglib2 \
 	$(TARGET_NLS_DEPENDENCIES)
 
-ifeq ($(BR2_PACKAGE_GIFLIB),y)
-LIBVIPS_CONF_OPTS += --with-giflib
-LIBVIPS_DEPENDENCIES += giflib
-else
-LIBVIPS_CONF_OPTS += --without-giflib
-endif
-
 ifeq ($(BR2_PACKAGE_GOBJECT_INTROSPECTION),y)
-LIBVIPS_CONF_OPTS += --enable-introspection
+LIBVIPS_CONF_OPTS += -Dintrospection=enabled
 LIBVIPS_DEPENDENCIES += gobject-introspection
 else
-LIBVIPS_CONF_OPTS += --disable-introspection
+LIBVIPS_CONF_OPTS += -Dintrospection=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_IMAGEMAGICK),y)
 LIBVIPS_CONF_OPTS += \
-	--with-magick \
-	--with-magickpackage=MagickCore
+	-Dmagick=enabled \
+	-Dmagick-package=MagickCore
 LIBVIPS_DEPENDENCIES += imagemagick
 else ifeq ($(BR2_PACKAGE_GRAPHICSMAGICK),y)
 LIBVIPS_CONF_OPTS += \
-	--with-magick \
-	--with-magickpackage=GraphicsMagick
+	-Dmagick=enabled \
+	-Dmagick-package=GraphicsMagick
 LIBVIPS_DEPENDENCIES += graphicsmagick
 else
-LIBVIPS_CONF_OPTS += --without-magick
+LIBVIPS_CONF_OPTS += -Dmagick=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_JPEG),y)
-LIBVIPS_CONF_OPTS += --with-jpeg
+LIBVIPS_CONF_OPTS += -Djpeg=enabled
 LIBVIPS_DEPENDENCIES += jpeg
 else
-LIBVIPS_CONF_OPTS += --without-jpeg
+LIBVIPS_CONF_OPTS += -Djpeg=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_LCMS2),y)
-LIBVIPS_CONF_OPTS += --with-lcms
+LIBVIPS_CONF_OPTS += -Dlcms=enabled
 LIBVIPS_DEPENDENCIES += lcms2
 else
-LIBVIPS_CONF_OPTS += --without-lcms
+LIBVIPS_CONF_OPTS += -Dlcms=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_LIBPNG),y)
-LIBVIPS_CONF_OPTS += --with-png
+LIBVIPS_CONF_OPTS += -Dpng=enabled
 LIBVIPS_DEPENDENCIES += libpng
 else
-LIBVIPS_CONF_OPTS += --without-png
+LIBVIPS_CONF_OPTS += -Dpng=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_LIBRSVG),y)
-LIBVIPS_CONF_OPTS += --with-rsvg
+LIBVIPS_CONF_OPTS += -Drsvg=enabled
 LIBVIPS_DEPENDENCIES += librsvg
 else
-LIBVIPS_CONF_OPTS += --without-rsvg
+LIBVIPS_CONF_OPTS += -Drsvg=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_MATIO),y)
-LIBVIPS_CONF_OPTS += --with-matio
+LIBVIPS_CONF_OPTS += -Dmatio=enabled
 LIBVIPS_DEPENDENCIES += matio
 else
-LIBVIPS_CONF_OPTS += --without-matio
+LIBVIPS_CONF_OPTS += -Dmatio=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_ORC),y)
-LIBVIPS_CONF_OPTS += --with-orc
+LIBVIPS_CONF_OPTS += -Dorc=enabled
 LIBVIPS_DEPENDENCIES += orc
 else
-LIBVIPS_CONF_OPTS += --without-orc
+LIBVIPS_CONF_OPTS += -Dorc=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_POPPLER),y)
-LIBVIPS_CONF_OPTS += --with-poppler
+LIBVIPS_CONF_OPTS += -Dpoppler=enabled
 LIBVIPS_DEPENDENCIES += poppler
 else
-LIBVIPS_CONF_OPTS += --without-poppler
+LIBVIPS_CONF_OPTS += -Dpoppler=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_TIFF),y)
-LIBVIPS_CONF_OPTS += --with-tiff
+LIBVIPS_CONF_OPTS += -Dtiff=enabled
 LIBVIPS_DEPENDENCIES += tiff
 else
-LIBVIPS_CONF_OPTS += --without-tiff
+LIBVIPS_CONF_OPTS += -Dtiff=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_FFTW_DOUBLE),y)
-LIBVIPS_CONF_OPTS += --with-fftw
+LIBVIPS_CONF_OPTS += -Dfftw=enabled
 LIBVIPS_DEPENDENCIES += fftw-double
 else
-LIBVIPS_CONF_OPTS += --without-fftw
+LIBVIPS_CONF_OPTS += -Dfftw=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_LIBEXIF),y)
-LIBVIPS_CONF_OPTS += --with-libexif
+LIBVIPS_CONF_OPTS += -Dexif=enabled
 LIBVIPS_DEPENDENCIES += libexif
 else
-LIBVIPS_CONF_OPTS += --without-libexif
+LIBVIPS_CONF_OPTS += -Dexif=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_LIBHEIF),y)
-LIBVIPS_CONF_OPTS += --with-heif
+LIBVIPS_CONF_OPTS += -Dheif=enabled
 LIBVIPS_DEPENDENCIES += libheif
 else
-LIBVIPS_CONF_OPTS += --without-heif
+LIBVIPS_CONF_OPTS += -Dheif=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_WEBP_DEMUX)$(BR2_PACKAGE_WEBP_MUX),yy)
-LIBVIPS_CONF_OPTS += --with-libwebp
+LIBVIPS_CONF_OPTS += -Dwebp=enabled
 LIBVIPS_DEPENDENCIES += webp
 else
-LIBVIPS_CONF_OPTS += --without-libwebp
+LIBVIPS_CONF_OPTS += -Dwebp=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_ZLIB),y)
-LIBVIPS_CONF_OPTS += --with-zlib
+LIBVIPS_CONF_OPTS += -Dzlib=enabled
 LIBVIPS_DEPENDENCIES += zlib
 else
-LIBVIPS_CONF_OPTS += --without-zlib
+LIBVIPS_CONF_OPTS += -Dzlib=disabled
 endif
 
-$(eval $(autotools-package))
+$(eval $(meson-package))