[Bf-blender-cvs] [1f3233374b7] tmp-libs-2.93-lts: Build: update various libraries for 2.93, fixing bugs and security issues

Brecht Van Lommel noreply at git.blender.org
Thu Nov 24 17:29:52 CET 2022


Commit: 1f3233374b7ad8f4631ef27fbbab8b9ca7aa0a42
Author: Brecht Van Lommel
Date:   Mon Nov 7 17:57:22 2022 +0100
Branches: tmp-libs-2.93-lts
https://developer.blender.org/rB1f3233374b7ad8f4631ef27fbbab8b9ca7aa0a42

Build: update various libraries for 2.93, fixing bugs and security issues

This is based on similar updates in 3.3 and 3.4 from D16269.

expat 2.5.0
ffmpeg 4.4.3
flac 1.3.4
freetype 2.12.1
imath 3.1.5
numpy 1.22.0
ogg 1.3.5
openexr 2.5.8
openjpeg 2.5.0
python 3.9.15
sndfile 1.1.0
sqlite 3.37.2
ssl 1.1.1q
tiff 4.4.0
vorbis 1.3.7
vpx 1.11.0
webp 1.2.2
xml2 2.10.3
zlib 1.2.13

===================================================================

M	build_files/build_environment/CMakeLists.txt
M	build_files/build_environment/cmake/cve_check.cmake
M	build_files/build_environment/cmake/cve_check.csv.in
M	build_files/build_environment/cmake/download.cmake
M	build_files/build_environment/cmake/ffmpeg.cmake
M	build_files/build_environment/cmake/freetype.cmake
M	build_files/build_environment/cmake/gmp.cmake
M	build_files/build_environment/cmake/harvest.cmake
M	build_files/build_environment/cmake/llvm.cmake
M	build_files/build_environment/cmake/opencollada.cmake
M	build_files/build_environment/cmake/osl.cmake
M	build_files/build_environment/cmake/png.cmake
M	build_files/build_environment/cmake/python.cmake
M	build_files/build_environment/cmake/sndfile.cmake
M	build_files/build_environment/cmake/sqlite.cmake
M	build_files/build_environment/cmake/ssl.cmake
M	build_files/build_environment/cmake/tiff.cmake
M	build_files/build_environment/cmake/versions.cmake
M	build_files/build_environment/cmake/xml2.cmake
M	build_files/build_environment/dependencies.dot
A	build_files/build_environment/patches/aom.diff
M	build_files/build_environment/patches/ffmpeg.diff
A	build_files/build_environment/patches/gmp.diff
M	build_files/build_environment/patches/opencollada.diff
M	build_files/build_environment/patches/osl.diff
D	build_files/build_environment/patches/sndfile.diff
D	build_files/build_environment/patches/sqlite.diff
A	build_files/build_environment/patches/ssl.diff
M	build_files/cmake/platform/platform_win32.cmake

===================================================================

diff --git a/build_files/build_environment/CMakeLists.txt b/build_files/build_environment/CMakeLists.txt
index a679eeddc2f..2175e9aa2f9 100644
--- a/build_files/build_environment/CMakeLists.txt
+++ b/build_files/build_environment/CMakeLists.txt
@@ -104,6 +104,8 @@ include(cmake/pugixml.cmake)
 include(cmake/ispc.cmake)
 include(cmake/openimagedenoise.cmake)
 include(cmake/embree.cmake)
+include(cmake/xml2.cmake)
+
 if(NOT APPLE)
   include(cmake/xr_openxr.cmake)
 endif()
@@ -144,7 +146,6 @@ if(NOT WIN32 OR ENABLE_MINGW64)
     endif()
     if(UNIX)
       include(cmake/flac.cmake)
-      include(cmake/xml2.cmake)
       if(NOT APPLE)
         include(cmake/spnav.cmake)
         include(cmake/jemalloc.cmake)
diff --git a/build_files/build_environment/cmake/cve_check.cmake b/build_files/build_environment/cmake/cve_check.cmake
index dfb190bcffa..ac42444aef1 100644
--- a/build_files/build_environment/cmake/cve_check.cmake
+++ b/build_files/build_environment/cmake/cve_check.cmake
@@ -27,10 +27,12 @@ get_cmake_property(_variableNames VARIABLES)
 foreach (_variableName ${_variableNames})
   if(_variableName MATCHES "CPE$")
       string(REPLACE ":" ";" CPE_LIST ${${_variableName}})
+      string(REPLACE "_CPE" "_ID" CPE_DEPNAME ${_variableName})
       list(GET CPE_LIST 3 CPE_VENDOR)
       list(GET CPE_LIST 4 CPE_NAME)
       list(GET CPE_LIST 5 CPE_VERSION)
-      set(SBOMCONTENTS "${SBOMCONTENTS}${CPE_VENDOR},${CPE_NAME},${CPE_VERSION}\n")
+      set(${CPE_DEPNAME} "${CPE_VENDOR},${CPE_NAME},${CPE_VERSION}")
+      set(SBOMCONTENTS "${SBOMCONTENTS}${CPE_VENDOR},${CPE_NAME},${CPE_VERSION},,,\n")
   endif()
 endforeach()
 configure_file(${CMAKE_SOURCE_DIR}/cmake/cve_check.csv.in ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv @ONLY)
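Review bot: The `_ID` name on the added `string(REPLACE "_CPE" "_ID" CPE_DEPNAME ${_variableName})` line is derived with an unanchored replace, while the loop filter is `MATCHES "CPE$"`. A variable that ends in `CPE` without the underscore therefore keeps its name, and the following `set(${CPE_DEPNAME} ...)` overwrites the CPE string itself. Anchoring both avoids that: `if(_variableName MATCHES "_CPE$")` and `string(REGEX REPLACE "_CPE$" "_ID" CPE_DEPNAME "${_variableName}")`. Separately, any `@X_ID@` used in cve_check.csv.in without a matching `X_CPE` variable expands to an empty string under `configure_file(... @ONLY)`, leaving a triage row with no vendor, product or version. A `message(FATAL_ERROR ...)` check for the IDs the template relies on would surface that at configure time.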
diff --git a/build_files/build_environment/cmake/cve_check.csv.in b/build_files/build_environment/cmake/cve_check.csv.in
index 6e7e8db5609..946dda5ab17 100644
--- a/build_files/build_environment/cmake/cve_check.csv.in
+++ b/build_files/build_environment/cmake/cve_check.csv.in
@@ -1,2 +1,29 @@
-vendor,product,version
+vendor,product,version,cve_number,remarks,comment
+ at OPENJPEG_ID@,CVE-2016-9675,Ignored,issue in convert command line tool not used by blender
+ at PYTHON_ID@,CVE-2009-2940,Ignored,issue in pygresql not used by blender
+ at PYTHON_ID@,CVE-2020-29396,Ignored,issue in odoo not used by blender
+ at PYTHON_ID@,CVE-2021-32052,Ignored,issue in django not used by blender
+ at PYTHON_ID@,CVE-2009-3720,Ignored,already fixed in libexpat version used
+ at SSL_ID@,CVE-2009-1390,Ignored,issue in mutt not used by blender
+ at SSL_ID@,CVE-2009-3765,Ignored,issue in mutt not used by blender
+ at SSL_ID@,CVE-2009-3766,Ignored,issue in mutt not used by blender
+ at SSL_ID@,CVE-2009-3767,Ignored,issue in ldap not used by blender
+ at SSL_ID@,CVE-2019-0190,Ignored,issue in apache not used by blender
+ at TIFF_ID@,CVE-2022-2056,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-2057,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-2058,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-2519,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-2520,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-2521,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-2953,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-34526,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-3570,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-3597,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-3598,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-3599,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-3626,Ignored,issue in tiff command line tool not used by blender
+ at TIFF_ID@,CVE-2022-3627,Ignored,issue in tiff command line tool not used by blender
+ at XML2_ID@,CVE-2016-3709,Ignored,not affecting blender and not considered a security issue upstream
+ at GMP_ID@,CVE-2021-43618,Mitigated,patched using upstream commit 561a9c25298e
+ at SQLITE_ID@,CVE-2022-35737,Ignored,only affects SQLITE_ENABLE_STAT4 compile option not used by blender or python
 @SBOMCONTENTS@
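Review bot: The CVE-2009-3720 row is keyed on the Python ID, but its justification, "already fixed in libexpat version used", depends on the expat version, which the row does not record. Because each ID expands to the current vendor, product and version, the "Ignored" status carries over to every later version bump without anyone re-checking the reason. Naming the version in the comment column, for example `already fixed in libexpat 2.5.0 used` (the version in the commit message, assuming Python links the expat built here, which this hunk does not show), would make a stale entry easier to spot.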
diff --git a/build_files/build_environment/cmake/download.cmake b/build_files/build_environment/cmake/download.cmake
index 37ad8f77372..d8b60ad4dfa 100644
--- a/build_files/build_environment/cmake/download.cmake
+++ b/build_files/build_environment/cmake/download.cmake
@@ -55,7 +55,7 @@ function(download_source dep)
     # since the actual build of the dep will notify the
     # platform maintainer if there is a problem with the
     # source package and refuse to build.
-    if(NOT PACKAGE_USE_UPSTREAM_SOURCES)
+    if(NOT PACKAGE_USE_UPSTREAM_SOURCES OR FORCE_CHECK_HASH)
       file(${TARGET_HASH_TYPE} ${TARGET_FILE} LOCAL_HASH)
       if(NOT ${TARGET_HASH} STREQUAL ${LOCAL_HASH})
         message(FATAL_ERROR "${TARGET_FILE} ${TARGET_HASH_TYPE} mismatch\nExpected\t: ${TARGET_HASH}\nActual\t: ${LOCAL_HASH}")
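Review bot: `FORCE_CHECK_HASH` is introduced on the changed `if(NOT PACKAGE_USE_UPSTREAM_SOURCES OR FORCE_CHECK_HASH)` line with no declaration or description visible in this hunk. A build that uses upstream sources therefore still skips the download-time hash comparison unless the builder already knows the variable exists. If it is not declared elsewhere (the diff is truncated), add `option(FORCE_CHECK_HASH "Verify source archive hashes at download time even with PACKAGE_USE_UPSTREAM_SOURCES" OFF)` next to the other build-environment options. The comment above the condition should also say that the default path relies on the later per-dependency hash check to catch a tampered archive. The body of download_source starts and ends outside the hunk.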
@@ -113,7 +113,6 @@ endif()
 download_source(SPNAV)
 download_source(JEMALLOC)
 download_source(XML2)
-download_source(TINYXML)
 download_source(YAMLCPP)
 download_source(EXPAT)
 download_source(PUGIXML)
diff --git a/build_files/build_environment/cmake/ffmpeg.cmake b/build_files/build_environment/cmake/ffmpeg.cmake
index 2dad9c38877..f5d757e4e7f 100644
--- a/build_files/build_environment/cmake/ffmpeg.cmake
+++ b/build_files/build_environment/cmake/ffmpeg.cmake
@@ -31,12 +31,6 @@ if(WIN32)
     --disable-pthreads
     --enable-libopenjpeg
   )
-  if("${CMAKE_SIZEOF_VOID_P}" EQUAL "4")
-    set(FFMPEG_EXTRA_FLAGS
-      ${FFMPEG_EXTRA_FLAGS}
-      --x86asmexe=yasm
-    )
-  endif()
 else()
   set(FFMPEG_EXTRA_FLAGS
     ${FFMPEG_EXTRA_FLAGS}
diff --git a/build_files/build_environment/cmake/freetype.cmake b/build_files/build_environment/cmake/freetype.cmake
index 49a83cb3377..c365d493016 100644
--- a/build_files/build_environment/cmake/freetype.cmake
+++ b/build_files/build_environment/cmake/freetype.cmake
@@ -19,13 +19,14 @@
 set(FREETYPE_EXTRA_ARGS
   -DCMAKE_RELEASE_POSTFIX:STRING=2ST
   -DCMAKE_DEBUG_POSTFIX:STRING=2ST_d
-  -DWITH_BZip2=OFF
-  -DWITH_HarfBuzz=OFF
-  -DFT_WITH_HARFBUZZ=OFF
-  -DFT_WITH_BZIP2=OFF
-  -DCMAKE_DISABLE_FIND_PACKAGE_HarfBuzz=TRUE
-  -DCMAKE_DISABLE_FIND_PACKAGE_BZip2=TRUE
-  -DCMAKE_DISABLE_FIND_PACKAGE_BrotliDec=TRUE)
+  -DFT_DISABLE_BZIP2=ON
+  -DFT_DISABLE_HARFBUZZ=ON
+  -DFT_DISABLE_PNG=ON
+  -DFT_REQUIRE_BROTLI=OFF
+  -DFT_REQUIRE_ZLIB=ON
+  -DZLIB_LIBRARY=${LIBDIR}/zlib/lib/${ZLIB_LIBRARY}
+  -DZLIB_INCLUDE_DIR=${LIBDIR}/zlib/include
+  )
 
 ExternalProject_Add(external_freetype
   URL file://${PACKAGE_DIR}/${FREETYPE_FILE}
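Review bot: `-DFT_REQUIRE_BROTLI=OFF` only makes Brotli optional. As I read FreeType's CMake options, it does not stop the build from picking up a BrotliDec found on the build host, which the removed `-DCMAKE_DISABLE_FIND_PACKAGE_BrotliDec=TRUE` used to prevent. If the intent is still a FreeType without Brotli, add `-DFT_DISABLE_BROTLI=ON` to `FREETYPE_EXTRA_ARGS`. That keeps the library's feature set independent of what the build machine has installed, and it prevents a dependency that is not tracked in the CVE check from being linked in.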
@@ -36,6 +37,11 @@ ExternalProject_Add(external_freetype
   INSTALL_DIR ${LIBDIR}/freetype
 )
 
+add_dependencies(
+  external_freetype
+  external_zlib
+)
+
 if(BUILD_MODE STREQUAL Release AND WIN32)
   ExternalProject_Add_Step(external_freetype after_install
     COMMAND ${CMAKE_COMMAND} -E copy_directory ${LIBDIR}/freetype ${HARVEST_TARGET}/freetype
diff --git a/build_files/build_environment/cmake/gmp.cmake b/build_files/build_environment/cmake/gmp.cmake
index 323630a63aa..c0ac8305439 100644
--- a/build_files/build_environment/cmake/gmp.cmake
+++ b/build_files/build_environment/cmake/gmp.cmake
@@ -50,6 +50,7 @@ ExternalProject_Add(external_gmp
   DOWNLOAD_DIR ${DOWNLOAD_DIR}
   URL_HASH ${GMP_HASH_TYPE}=${GMP_HASH}
   PREFIX ${BUILD_DIR}/gmp
+  PATCH_COMMAND ${PATCH_CMD} -p 1 -d ${BUILD_DIR}/gmp/src/external_gmp < ${PATCH_DIR}/gmp.diff
   CONFIGURE_COMMAND ${CONFIGURE_ENV_NO_PERL} && cd ${BUILD_DIR}/gmp/src/external_gmp/ && ${CONFIGURE_COMMAND} --prefix=${LIBDIR}/gmp ${GMP_OPTIONS} ${GMP_EXTRA_ARGS}
   BUILD_COMMAND ${CONFIGURE_ENV_NO_PERL} && cd ${BUILD_DIR}/gmp/src/external_gmp/ && make -j${MAKE_THREADS}
   INSTALL_COMMAND ${CONFIGURE_ENV_NO_PERL} && cd ${BUILD_DIR}/gmp/src/external_gmp/ && make install
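Review bot: The added `PATCH_COMMAND` line applies gmp.diff without saying what the patch is for. The only link to its purpose is the "Mitigated" row for CVE-2021-43618 in cve_check.csv.in. A comment above `ExternalProject_Add(external_gmp` would tie the two together, for example `# gmp.diff backports upstream commit 561a9c25298e (CVE-2021-43618); drop it together with the Mitigated row in cve_check.csv.in once the GMP version includes the fix.` Without it, a later GMP bump can leave either a patch that no longer applies or a triage row claiming a mitigation that is gone. The ExternalProject_Add call starts and ends outside the hunk.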
diff --git a/build_files/build_environment/cmake/harvest.cmake b/build_files/build_environment/cmake/harvest.cmake
index c12d29715cd..c6ef3b11c0b 100644
--- a/build_files/build_environment/cmake/harvest.cmake
+++ b/build_files/build_environment/cmake/harvest.cmake
@@ -26,7 +26,6 @@ endif()
 message("HARVEST_TARGET = ${HARVEST_TARGET}")
 
 if(WIN32)
-
   if(BUILD_MODE STREQUAL Release)
     add_custom_target(Harvest_Release_Results
       COMMAND # jpeg rename libfile + copy include
@@ -48,7 +47,7 @@ if(WIN32)
     )
   endif()
 
-else(WIN32)
+else()
 
   function(harvest from to)
     set(pattern "")
@@ -74,6 +73,7 @@ else(WIN32)
         PATTERN "__pycache__" EXCLUDE
         PATTERN "tests" EXCLUDE)
     endif()
+  endfunction()
 
   harvest(alembic/include alembic/include "*.h")
   harvest(alembic/lib/libAlembic.a alembic/lib/libAlembic.a)
@@ -194,5 +194,4 @@ else(WIN32)
     harvest(libglu/lib mesa/lib "*.so*")
     harvest(mesa/lib64 mesa/lib "*.so*")
   endif()
-
 endif()
diff --git a/build_files/build_environment/cmake/llvm.cmake b/build_files/build_environment/cmake/llvm.cmake
index f067267a416..fb00f5f78a3 100644
--- a/build_files/build_environment/cmake/llvm.cmake
+++ b/build_files/build_environment/cmake/llvm.cmake
@@ -25,6 +25,7 @@ endif()
 if(APPLE)
   set(LLVM_XML2_ARGS
     -DLIBXML2_LIBRARY=${LIBDIR}/xml2/lib/libxml2.a
+    -DLIBXML2_INCLUDE_DIR=${LIBDIR}/xml2/include/libxml2
   )
   set(LLVM_BUILD_CLANG_TOOLS_EXTRA ^^clang-tools-extra)
   set(BUILD_CLANG_TOOLS ON)
diff --git a/build_files/build_environment/cmake/opencollada.cmake b/build_files/build_environment/cmake/opencollada.cmake
index 417c4d21594..4275dbc064e 100644
--- a/build_files/build_environment/cmake/opencollada.cmake
+++ b/build_files/build_environment/cmake/opencollada.cmake
@@ -20,6 +20,29 @@ if(UNIX)
   set(OPENCOLLADA_EXTRA_ARGS
     -DLIBXML2_INCLUDE_DIR=${LIBDIR}/xml2/include/libxml2
     -DLIBXML2_LIBRARIES=${LIBDIR}/xml2/lib/libxml2.a)
+
+  # WARNING: the patch contains mixed UNIX and DOS line endings
+  # as does the OPENCOLLADA package, if this can be corrected upstream that would be better.
+  # For now use `sed` to force UNIX line endings so t

@@ Diff output truncated at 10240 characters. @@


