Projetos/rpi-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
51e8f2adafb54a9638cfc0725b75b1fdaf3e0fcc
rpi-buildroot/package/libvips/libvips.hash
Titouan Christophe b60cdb1c76 package/libvips: security bump to v8.17.2 
See the many release notes: https://github.com/libvips/libvips/releases

Along that version bump:
- Change source code archive compression from .gz to .xz as this the
  new upstream delivery format
- Switch from autotools to meson build system (see upstream commit
  538aa2a841)
- Update the LICENSE file (see upstream commit
  057703938e)

This fixes the following vulnerabilities:
- CVE-2025-29769:
    libvips is a demand-driven, horizontally threaded image processing
    library.  The heifsave operation could incorrectly determine the
    presence of an alpha channel in an input when it was not possible to
    determine the colour interpretation, known internally within libvips
    as "multiband". There aren't many ways to create a "multiband" input,
    but it is possible with a well-crafted TIFF image. If a "multiband"
    TIFF input image had 4 channels and HEIF-based output was requested,
    this led to libvips creating a 3 channel HEIF image without an alpha
    channel but then attempting to write 4 channels of data. This caused a
    heap buffer overflow, which could crash the process. This
    vulnerability is fixed in 8.16.1.
    https://www.cve.org/CVERecord?id=CVE-2025-29769

- CVE-2025-59933:
    libvips is a demand-driven, horizontally threaded image processing
    library. For versions 8.17.1 and below, when libvips is compiled with
    support for PDF input via poppler, the pdfload operation is affected
    by a buffer read overflow when parsing the header of a crafted PDF
    with a page that defines a width but not a height. Those using libvips
    compiled without support for PDF input are unaffected as well as
    thosewith support for PDF input via PDFium. This issue is fixed in
    version 8.17.2. A workaround for those affected is to block the
    VipsForeignLoadPdf operation via vips_operation_block_set, which is
    available in most language bindings, or to set VIPS_BLOCK_UNTRUSTED
    environment variable at runtime, which will block all untrusted
    loaders including PDF input via poppler.
    https://www.cve.org/CVERecord?id=CVE-2025-59933

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: update _LICENSE_FILES to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 72c7d99e22)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
2025-10-30 08:56:12 +01:00

4 lines
272 B
Plaintext
Raw Blame History

# From https://github.com/libvips/libvips/releases/download/v8.17.2/vips-8.17.2.tar.xz.sha256sum
sha256 57ea0ec4f30ea04748c9e8eec5415e7c9ac7cafe6822e4788fc110376a1d224a vips-8.17.2.tar.xz
sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 LICENSE
Reference in New Issue View Git Blame Copy Permalink