See bug 914874.
The commits don't apply cleanly to 1.13.0 but they do if we use upstream's cherry-picks from the m114-5735 branch (https://github.com/webmproject/libvpx/commits/m114-5735):
* https://github.com/webmproject/libvpx/commit/972691e9af302f0bc14998e78a6d54f7861c92e5
* https://github.com/webmproject/libvpx/commit/7aaffe2df4c9426ab204a272ca5ca52286ca86d4
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e33ebf94469ab30c5878d789081e6e8e6fcc732

commit 4e33ebf94469ab30c5878d789081e6e8e6fcc732
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-09-28 05:10:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-28 05:11:08 +0000

    media-libs/libvpx: backport CVE-2023-5217 fix

    Bug: https://bugs.gentoo.org/914871
    Bug: https://bugs.gentoo.org/914875
    Closes: https://github.com/gentoo/gentoo/pull/33095
    Signed-off-by: Sam James <sam@gentoo.org>

 ...-1.13.0-VP8-disallow-thread-count-changes.patch |  53 ++++++++
 ...pi_test-add-ConfigResizeChangeThreadCount.patch |  94 +++++++++++++
 media-libs/libvpx/libvpx-1.13.0-r1.ebuild          | 145 +++++++++++++++++++++
 3 files changed, 292 insertions(+)
GLSA request filed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=78441d962cbe20f36c819692b8c5ea5befbaf0be

commit 78441d962cbe20f36c819692b8c5ea5befbaf0be
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-04 10:49:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-04 10:49:54 +0000

    [ GLSA 202310-04 ] libvpx: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/914875
    Bug: https://bugs.gentoo.org/914987
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202310-04.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Please cleanup, thanks!
commit c9ecf0bde49f27177c9f1b979293b01378809309
Author: John Helmert III <ajak@gentoo.org>
Date:   Thu Dec 21 17:26:51 2023 -0800

    media-libs/libvpx: drop 1.12.0-r1, 1.13.0, 1.13.0-r1