libwebp: 1.3.0 -> 1.3.1 #240893

Merged: SuperSandro2000 merged 1 commit into NixOS:staging from helsinki-systems:upd/libwebp on Jul 2, 2023

ajs124 commented Jul 1, 2023

Description of changes

https://github.com/webmproject/libwebp/releases/tag/v1.3.1

shouldn't be security relevant, because we already fixed the CVE with the patch that's dropped now

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

ofborg bot added labels on Jul 1, 2023:
  • 11.by: package-maintainer (This PR was created by a maintainer of all the package it changes.)
  • 10.rebuild-darwin: 501+ (This PR causes many rebuilds on Darwin and should normally target the staging branches.)
  • 10.rebuild-darwin: 2501-5000 (This PR causes many rebuilds on Darwin and should target the staging branches.)
  • 10.rebuild-linux: 501+ (This PR causes many rebuilds on Linux and should normally target the staging branches.)
  • 10.rebuild-linux: 5001+ (This PR causes many rebuilds on Linux and must target the staging branches.)

github-actions bot commented Jul 2, 2023

Successfully created backport PR for staging-23.05:

ajs124 deleted the upd/libwebp branch July 2, 2023 15:52

vcunat commented Jul 14, 2023

Build of chafa was broken by this, apparently. Also on 23.05. /cc maintainer: @mogorman

vcunat commented Jul 14, 2023

Same with swayimg. /cc maintainer: @MatthewCroughan

ajs124 commented Jul 14, 2023

oops. both fail to link, because they can't find (different) symbols. I'll see if I can find anything.

ajs124 commented Jul 14, 2023

my pkg-config isn't very good, but there's some differences between 1.3.0 and 1.3.1 in the *.pc files webmproject/libwebp@31c28db

seems like application bugs, see e.g. artemsen/swayimg@bd3d6c8

edit: and here https://github.com/hpjansson/chafa/blob/a98c086b7b577a4870ca964b566b4ba563ef55ae/configure.ac#L153 needs patching. should probably report upstream

vcunat commented Jul 14, 2023

Changing which libs get linked (by .pc) sounds slightly risky for stable backport, but maybe it will be fine to fix up the individual packages 🤔 (often just NIX_CFLAGS_COMPILE = "-lwebp"; I expect)
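
Added example, not part of the PR thread and not nixpkgs or libwebp code: a check that could run before backporting a library update, comparing the link-relevant fields of two pkg-config files so that a change in what dependents get linked against shows up early. The sample `.pc` contents and the `libexample` names are constructed placeholders, not the actual libwebp files.

```python
import re

# Fields of a .pc file that decide what a dependent package links against.
LINK_FIELDS = ("Requires", "Requires.private", "Libs", "Libs.private")

def parse_pc(text):
    """Parse pkg-config text into {field: [tokens]}, expanding ${var} references."""
    variables, fields = {}, {}
    def expand(value):
        return re.sub(r"\$\{(\w+)\}",
                      lambda m: variables.get(m.group(1), m.group(0)), value)
    for raw in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.]+)\s*([:=])\s*(.*)", raw.split("#", 1)[0])
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "=":                      # variable definition, e.g. prefix=/usr
            variables[name] = expand(value.strip())
        else:                               # keyword field, e.g. Libs: -lfoo
            fields[name] = expand(value).replace(",", " ").split()
    return fields

def link_interface_diff(old_text, new_text):
    """Return {field: (removed, added)} for each link-relevant field that changed."""
    old, new = parse_pc(old_text), parse_pc(new_text)
    changes = {}
    for field in LINK_FIELDS:
        before, after = set(old.get(field, [])), set(new.get(field, []))
        if before != after:
            changes[field] = (sorted(before - after), sorted(after - before))
    return changes

def lost_public_entries(changes):
    """Entries dropped from Requires/Libs; dependents relying on them may fail to link."""
    return sorted(e for f in ("Requires", "Libs") for e in changes.get(f, ((), ()))[0])

# Constructed sample files (hypothetical library, not the libwebp .pc contents).
OLD_PC = """prefix=/usr
libdir=${prefix}/lib
Name: libexampledemux
Version: 1.0.0
Requires: libexample
Libs: -L${libdir} -lexampledemux
"""
NEW_PC = OLD_PC.replace("Version: 1.0.0", "Version: 1.0.1").replace(
    "Requires: libexample", "Requires.private: libexample")

if __name__ == "__main__":
    diff = link_interface_diff(OLD_PC, NEW_PC)
    print(diff, lost_public_entries(diff))
```

A non-empty result from `lost_public_entries` marks an update whose dependents should be rebuilt and checked for link failures before it goes to a stable branch.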

ajs124 commented Jul 14, 2023

My main motivation for the backport was the (potential) security fix. Plus, I assumed they won't have any breaking changes, since this is a patch release. But this change does indeed sound kind of risky.

vcunat added a commit that referenced this pull request Jul 14, 2023
Fixes build of chafa and swayimg.  On nixpkgs master we should
probably fix those instead.  See the discussion on PR #240893

vcunat commented Jul 14, 2023

I agree it's surprising, given that the release notes explicitly call it "binary compatible release".

Upstream ticket for that CVE still isn't public: https://bugs.chromium.org/p/webp/issues/detail?id=603

So on 23.05 (c05ddc6) I reverted just the .pc change. For nixpkgs master we should probably fix the individual packages instead.

vcunat added a commit that referenced this pull request Jul 15, 2023
vcunat added a commit that referenced this pull request Jul 15, 2023

ajs124 commented Jul 17, 2023

alright. thanks for taking care of this!
