Commit: 8c7cca66f06ba756dd29354e3583d7aba9145bfa Author: Brecht Van Lommel Date: Thu Feb 2 16:42:03 2023 +0100 Branches: blender-v3.3-release https://developer.blender.org/rB8c7cca66f06ba756dd29354e3583d7aba9145bfa
Build: library security updates for Blender 3.3.4 Various things found by make cve_check. Differential Revision: https://developer.blender.org/D16956 =================================================================== M build_files/build_environment/cmake/cve_check.csv.in M build_files/build_environment/cmake/python_site_packages.cmake M build_files/build_environment/cmake/versions.cmake ===================================================================
diff --git a/build_files/build_environment/cmake/cve_check.csv.in b/build_files/build_environment/cmake/cve_check.csv.in
index 946dda5ab17..5a4acb97a4d 100644
--- a/build_files/build_environment/cmake/cve_check.csv.in
+++ b/build_files/build_environment/cmake/cve_check.csv.in
@@ -1,5 +1,10 @@
 vendor,product,version,cve_number,remarks,comment
+@FMT_ID@,OSV-2021-991,Ignored,CVE marked as invalid but OSV not updated
+@FREETYPE_ID@,CVE-2022-27404,Ignored,does not affect blender usage of freetype
+@FREETYPE_ID@,CVE-2022-27405,Ignored,does not affect blender usage of freetype
+@FREETYPE_ID@,CVE-2022-27406,Ignored,does not affect blender usage of freetype
 @OPENJPEG_ID@,CVE-2016-9675,Ignored,issue in convert command line tool not used by blender
+@OPENJPEG_ID@,OSV-2022-416,Mitigated,using newer git revision with fix included
 @PYTHON_ID@,CVE-2009-2940,Ignored,issue in pygresql not used by blender
 @PYTHON_ID@,CVE-2020-29396,Ignored,issue in odoo not used by blender
 @PYTHON_ID@,CVE-2021-32052,Ignored,issue in django not used by blender
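Review bot: The new `@OPENJPEG_ID@,OSV-2022-416,Mitigated,using newer git revision with fix included` row does not say which revision, while the existing `@GMP_ID@` row in the same file names its commit (`patched using upstream commit 561a9c25298e`); versions.cmake in this same commit pins `OPENJPEG_GIT_HASH 2d606701e8b7aa83f657d113c3367508e99bd12b`, so the remark can be `@OPENJPEG_ID@,OSV-2022-416,Mitigated,using git revision 2d606701e8b7 which includes the fix`. Without that, a later return to a release tarball leaves a Mitigated entry that nobody can re-check against the source actually built. The three `@FREETYPE_ID@` rows give only `does not affect blender usage of freetype`; naming the feature or code path the advisories concern would let the next freetype bump re-validate the exemption instead of carrying it forward on trust.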
@@ -23,7 +28,13 @@ vendor,product,version,cve_number,remarks,comment
 @TIFF_ID@,CVE-2022-3599,Ignored,issue in tiff command line tool not used by blender
 @TIFF_ID@,CVE-2022-3626,Ignored,issue in tiff command line tool not used by blender
 @TIFF_ID@,CVE-2022-3627,Ignored,issue in tiff command line tool not used by blender
+@TIFF_ID@,CVE-2022-48281,Ignored,issue in tiff command line tool not used by blender
 @XML2_ID@,CVE-2016-3709,Ignored,not affecting blender and not considered a security issue upstream
+@XML2_ID@,OSV-2021-777,Ignored,already fixed in version used so OSV invalid
+@XML2_ID@,CVE-2022-40303,Ignored,fixed and cve_check version comparison is wrong
+@XML2_ID@,CVE-2022-40304,Ignored,fixed and cve_check version comparison is wrong
 @GMP_ID@,CVE-2021-43618,Mitigated,patched using upstream commit 561a9c25298e
 @SQLITE_ID@,CVE-2022-35737,Ignored,only affects SQLITE_ENABLE_STAT4 compile option not used by blender or python
+@SQLITE_ID@,CVE-2022-46908,Ignored,only affects CLI tools not used by blender or python
+@BROTLI_ID@,CVE-2020-8927,Ignored,fixed and cve_check version comparison is wrong
 @SBOMCONTENTS@
diff --git a/build_files/build_environment/cmake/python_site_packages.cmake b/build_files/build_environment/cmake/python_site_packages.cmake
index 55d0d6c7400..3bb12512d44 100644
--- a/build_files/build_environment/cmake/python_site_packages.cmake
+++ b/build_files/build_environment/cmake/python_site_packages.cmake
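Review bot: The `@XML2_ID@,CVE-2022-40303`, `@XML2_ID@,CVE-2022-40304` and `@BROTLI_ID@,CVE-2020-8927` rows justify an Ignored with `fixed and cve_check version comparison is wrong` but do not record the version that carries the fix, so nothing in the file ties the exemption to the XML2 or BROTLI version actually built. If, as the format suggests, rows are matched by ID alone, the entry keeps the CVE hidden through any later version change in either direction; recording the fixed-in version in the comment column, e.g. `fixed in <fixed-in version>; cve_check compares versions wrongly`, gives the next bump something to re-validate against. The `@XML2_ID@,OSV-2021-777` row (`already fixed in version used so OSV invalid`) has the same gap.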
@@ -15,7 +15,21 @@ ExternalProject_Add(external_python_site_packages
 CONFIGURE_COMMAND ${PIP_CONFIGURE_COMMAND}
 BUILD_COMMAND ""
 PREFIX ${BUILD_DIR}/site_packages
- INSTALL_COMMAND ${PYTHON_BINARY} -m pip install --no-cache-dir ${SITE_PACKAGES_EXTRA} cython==${CYTHON_VERSION} idna==${IDNA_VERSION} charset-normalizer==${CHARSET_NORMALIZER_VERSION} urllib3==${URLLIB3_VERSION} certifi==${CERTIFI_VERSION} requests==${REQUESTS_VERSION} zstandard==${ZSTANDARD_VERSION} autopep8==${AUTOPEP8_VERSION} pycodestyle==${PYCODESTYLE_VERSION} toml==${TOML_VERSION} --no-binary :all:
+ # setuptools is downgraded to 63.2.0 (same as python 3.10.8) since numpy 1.23.x seemingly has
+ # issues building on windows with the newer versions that ships with python 3.10.9+
+ INSTALL_COMMAND ${PYTHON_BINARY} -m pip install --no-cache-dir ${SITE_PACKAGES_EXTRA}
+ setuptools==63.2.0
+ cython==${CYTHON_VERSION}
+ idna==${IDNA_VERSION}
+ charset-normalizer==${CHARSET_NORMALIZER_VERSION}
+ urllib3==${URLLIB3_VERSION}
+ certifi==${CERTIFI_VERSION}
+ requests==${REQUESTS_VERSION}
+ zstandard==${ZSTANDARD_VERSION}
+ autopep8==${AUTOPEP8_VERSION}
+ pycodestyle==${PYCODESTYLE_VERSION}
+ toml==${TOML_VERSION}
+ --no-binary :all:
 )
 if(USE_PIP_NUMPY)
diff --git a/build_files/build_environment/cmake/versions.cmake b/build_files/build_environment/cmake/versions.cmake
index 6f7c62477cf..d6727dbacfe 100644
--- a/build_files/build_environment/cmake/versions.cmake
+++ b/build_files/build_environment/cmake/versions.cmake
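Review bot: `setuptools==63.2.0` is the only pin in the new INSTALL_COMMAND that is hard-coded in this file instead of coming from versions.cmake like `cython==${CYTHON_VERSION}` and the rest, so it sits outside whatever versions.cmake feeds into `make cve_check` and the CPE list; `set(SETUPTOOLS_VERSION 63.2.0)` in versions.cmake and `setuptools==${SETUPTOOLS_VERSION}` here keeps it tracked with the others. The new comment explains why the downgrade exists but not when it can go away; appending `# TODO: drop the setuptools pin once numpy builds with the setuptools bundled in python 3.10.9+` records the exit condition. With `==` pins only and no `--require-hashes`, this step still trusts the package index at build time, unlike the checksum-pinned tarballs in versions.cmake — possibly an accepted trade-off, but worth stating in the same comment. The enclosing `ExternalProject_Add(external_python_site_packages ...)` call starts before this hunk.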
@@ -182,9 +182,9 @@ set(ROBINMAP_HASH c08ec4b1bf1c85eb0d6432244a6a89862229da1cb834f3f90fba8dc35d8c8e
 set(ROBINMAP_HASH_TYPE SHA256)
 set(ROBINMAP_FILE robinmap-${ROBINMAP_VERSION}.tar.gz)
-set(TIFF_VERSION 4.4.0)
+set(TIFF_VERSION 4.5.0)
 set(TIFF_URI http://download.osgeo.org/libtiff/tiff-${TIFF_VERSION}.tar.gz)
-set(TIFF_HASH 376f17f189e9d02280dfe709b2b2bbea)
+set(TIFF_HASH db9e220a1971acc64487f1d51a20dcaa)
 set(TIFF_HASH_TYPE MD5)
 set(TIFF_FILE tiff-${TIFF_VERSION}.tar.gz)
 set(TIFF_CPE "cpe:2.3:a:libtiff:libtiff:${TIFF_VERSION}:*:*:*:*:*:*:*")
@@ -195,11 +195,11 @@ set(OSL_HASH 63265472ce14548839ace2e21e401544)
 set(OSL_HASH_TYPE MD5)
 set(OSL_FILE OpenShadingLanguage-${OSL_VERSION}.tar.gz)
-set(PYTHON_VERSION 3.10.8)
+set(PYTHON_VERSION 3.10.9)
 set(PYTHON_SHORT_VERSION 3.10)
 set(PYTHON_SHORT_VERSION_NO_DOTS 310)
 set(PYTHON_URI https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz)
-set(PYTHON_HASH e92356b012ed4d0e09675131d39b1bde)
+set(PYTHON_HASH dc8c0f274b28ee9e95923d20cfc364c9)
 set(PYTHON_HASH_TYPE MD5)
 set(PYTHON_FILE Python-${PYTHON_VERSION}.tar.xz)
 set(PYTHON_CPE "cpe:2.3:a:python:python:${PYTHON_VERSION}:-:*:*:*:*:*:*")
@@ -266,9 +266,9 @@ set(THEORA_HASH b6ae1ee2fa3d42ac489287d3ec34c5885730b1296f0801ae577a35193d3affbc
 set(THEORA_HASH_TYPE SHA256)
 set(THEORA_FILE libtheora-${THEORA_VERSION}.tar.bz2)
-set(FLAC_VERSION 1.3.4)
+set(FLAC_VERSION 1.4.2)
 set(FLAC_URI http://downloads.xiph.org/releases/flac/flac-${FLAC_VERSION}.tar.xz)
-set(FLAC_HASH 8ff0607e75a322dd7cd6ec48f4f225471404ae2730d0ea945127b1355155e737 )
+set(FLAC_HASH e322d58a1f48d23d9dd38f432672865f6f79e73a6f9cc5a5f57fcaa83eb5a8e4 )
 set(FLAC_HASH_TYPE SHA256)
 set(FLAC_FILE flac-${FLAC_VERSION}.tar.xz)
 set(FLAC_CPE "cpe:2.3:a:flac_project:flac:${FLAC_VERSION}:*:*:*:*:*:*:*")
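Review bot: The bumped `+set(TIFF_HASH db9e220a1971acc64487f1d51a20dcaa)` keeps the existing `TIFF_HASH_TYPE MD5`, and the unchanged `TIFF_URI` fetches over plain `http://download.osgeo.org/...`, so that checksum is the only integrity check on the download; since a new hash has to be recorded anyway, this is the moment to take upstream's SHA256 and switch `TIFF_HASH_TYPE` to `SHA256`, which ROBINMAP, THEORA, FLAC and OPENJPEG in this file already use, and to move the URI to https if the mirror serves it. MD5 alone does not let a third party swap the tarball, but it is a second-preimage assumption the rest of the file no longer makes, and a mixed state is harder to audit. The same applies to the `@@ -195` Python hunk (`+set(PYTHON_HASH dc8c0f274b28ee9e95923d20cfc364c9)` with `PYTHON_HASH_TYPE MD5`); the `@@ -266` FLAC hunk already uses SHA256 but also downloads over `http://downloads.xiph.org`, and its `+set(FLAC_HASH ... )` carries a stray space before `)` that the bump could have dropped.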
@@ -300,10 +300,11 @@ set(XVIDCORE_FILE xvidcore-${XVIDCORE_VERSION}.tar.gz)
 set(OPENJPEG_VERSION 2.5.0)
 set(OPENJPEG_SHORT_VERSION 2.5)
-set(OPENJPEG_URI https://github.com/uclouvain/openjpeg/archive/v${OPENJPEG_VERSION}.tar.gz)
-set(OPENJPEG_HASH 0333806d6adecc6f7a91243b2b839ff4d2053823634d4f6ed7a59bc87409122a)
+set(OPENJPEG_GIT_HASH 2d606701e8b7aa83f657d113c3367508e99bd12b)
+set(OPENJPEG_URI https://github.com/uclouvain/openjpeg/archive/${OPENJPEG_GIT_HASH}.tar.gz)
+set(OPENJPEG_HASH f90941955eb66a81762df5e989f13ade48d753d3182e7f9a82d2bfce3fb5cef2)
 set(OPENJPEG_HASH_TYPE SHA256)
-set(OPENJPEG_FILE openjpeg-v${OPENJPEG_VERSION}.tar.gz)
+set(OPENJPEG_FILE openjpeg-v${OPENJPEG_GIT_HASH}.tar.gz)
 set(OPENJPEG_CPE "cpe:2.3:a:uclouvain:openjpeg:${OPENJPEG_VERSION}:*:*:*:*:*:*:*")
 set(FFMPEG_VERSION 5.1.2)
_______________________________________________ Bf-blender-cvs mailing list Bf-blender-cvs@blender.org List details, subscription details or unsubscribe: https://lists.blender.org/mailman/listinfo/bf-blender-cvs
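Review bot: `OPENJPEG_CPE` still reports `${OPENJPEG_VERSION}` (2.5.0) while the source now comes from commit `2d606701e8b7aa83f657d113c3367508e99bd12b`, so cve_check will keep matching advisories against 2.5.0 and the Mitigated row added to cve_check.csv.in in this commit is what silences OSV-2022-416; nothing in this file says so. A comment above the new `OPENJPEG_GIT_HASH` line would keep the two files in step: `# Post-2.5.0 git revision carrying the OSV-2022-416 fix; the CPE below still reports 2.5.0, which cve_check.csv.in marks Mitigated — return to the release tarball once a fixed release ships`. `+set(OPENJPEG_FILE openjpeg-v${OPENJPEG_GIT_HASH}.tar.gz)` keeps the `v` prefix that belonged to the release tag, so the cached file name reads as a version that does not exist; `openjpeg-${OPENJPEG_GIT_HASH}.tar.gz` is clearer. As far as I know a GitHub commit archive is generated on demand rather than stored, so the pinned SHA256 is doing real work and any change in archive generation upstream will surface as a hash mismatch — the right failure mode, but one to expect.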