Build: update 4.0 libraries to address CVEs and bugs

And ignore a few CVEs that do not affect Blender.

openimageio 2.4.15
openssl 3.1.2
python 3.10.13
sndfile 1.2.2
webp 1.3.2

Ref #109244

Pull Request: https://projects.blender.org/blender/blender/pulls/112529

build_files/build_environment/cmake/cve_check.csv.in

@@ -4,6 +4,8 @@ vendor,product,version,cve_number,remarks,comment
 @PYTHON_ID@,CVE-2020-29396,Ignored,issue in odoo not used by blender
 @PYTHON_ID@,CVE-2021-32052,Ignored,issue in django not used by blender
 @PYTHON_ID@,CVE-2009-3720,Ignored,already fixed in libexpat version used
+@PYTHON_ID@,CVE-2023-36632,Ignored,not used in blender and not considered a bug upstream
+@PYTHON_ID@,CVE-2023-27043,Ignored,not used in blender
 @SSL_ID@,CVE-2009-1390,Ignored,issue in mutt not used by blender
 @SSL_ID@,CVE-2009-3765,Ignored,issue in mutt not used by blender
 @SSL_ID@,CVE-2009-3766,Ignored,issue in mutt not used by blender
@@ -24,6 +26,8 @@ vendor,product,version,cve_number,remarks,comment
 @TIFF_ID@,CVE-2022-3626,Ignored,issue in tiff command line tool not used by blender
 @TIFF_ID@,CVE-2022-3627,Ignored,issue in tiff command line tool not used by blender
 @XML2_ID@,CVE-2016-3709,Ignored,not affecting blender and not considered a security issue upstream
+@XML2_ID@,CVE-2023-39615,Ignored,not affecting blender and not considered a security issue upstream
+@XML2_ID@,CVE-2020-7595,Ignored,already fixed in the libxml2 version used
 @GMP_ID@,CVE-2021-43618,Mitigated,patched using upstream commit 561a9c25298e
 @SQLITE_ID@,CVE-2022-35737,Ignored,only affects SQLITE_ENABLE_STAT4 compile option not used by blender or python
 @SBOMCONTENTS@

build_files/build_environment/cmake/openimageio.cmake

@@ -108,9 +108,9 @@ ExternalProject_Add(external_openimageio
   CMAKE_GENERATOR ${PLATFORM_ALT_GENERATOR}
   PREFIX ${BUILD_DIR}/openimageio
   PATCH_COMMAND ${PATCH_CMD} -p 1 -N -d ${BUILD_DIR}/openimageio/src/external_openimageio/ < ${PATCH_DIR}/openimageio.diff &&
-                ${PATCH_CMD} -p 1 -N -d ${BUILD_DIR}/openimageio/src/external_openimageio/ < ${PATCH_DIR}/oiio_3832.diff &&
                 ${PATCH_CMD} -p 1 -N -d ${BUILD_DIR}/openimageio/src/external_openimageio/ < ${PATCH_DIR}/oiio_deadlock.diff &&
-                ${PATCH_CMD} -p 1 -N -d ${BUILD_DIR}/openimageio/src/external_openimageio/ < ${PATCH_DIR}/oiio_psd_8da473e254.diff
+                ${PATCH_CMD} -p 1 -N -d ${BUILD_DIR}/openimageio/src/external_openimageio/ < ${PATCH_DIR}/oiio_3984.diff &&
+                ${PATCH_CMD} -p 1 -N -d ${BUILD_DIR}/openimageio/src/external_openimageio/ < ${PATCH_DIR}/oiio_webp.diff
   CMAKE_ARGS -DCMAKE_INSTALL_PREFIX=${LIBDIR}/openimageio ${DEFAULT_CMAKE_FLAGS} ${OPENIMAGEIO_EXTRA_ARGS}
   INSTALL_DIR ${LIBDIR}/openimageio
 )

build_files/build_environment/cmake/python.cmake

@@ -88,7 +88,7 @@ else()
     export CFLAGS=${PYTHON_CFLAGS} &&
     export CPPFLAGS=${PYTHON_CFLAGS} &&
     export LDFLAGS=${PYTHON_LDFLAGS} &&
-    export PKG_CONFIG_PATH=${LIBDIR}/ffi/lib/pkgconfig:${LIBDIR}/ssl/lib64/pkgconfig)
+    export PKG_CONFIG_PATH=${LIBDIR}/ffi/lib/pkgconfig:${LIBDIR}/ssl/lib/pkgconfig:${LIBDIR}/ssl/lib64/pkgconfig)
 
   # NOTE: untested on APPLE so far.
   if(NOT APPLE)

build_files/build_environment/cmake/versions.cmake

@@ -174,9 +174,9 @@ set(OPENMP_URI https://github.com/llvm/llvm-project/releases/download/llvmorg-${
 set(OPENMP_HASH_TYPE MD5)
 set(OPENMP_FILE openmp-${OPENMP_VERSION}.src.tar.xz)
 
-set(OPENIMAGEIO_VERSION v2.4.11.0)
+set(OPENIMAGEIO_VERSION v2.4.15.0)
 set(OPENIMAGEIO_URI https://github.com/OpenImageIO/oiio/archive/refs/tags/${OPENIMAGEIO_VERSION}.tar.gz)
-set(OPENIMAGEIO_HASH 7eb997479ecfe7d9fa59cc8ddd35d0ae)
+set(OPENIMAGEIO_HASH aa4f077e5ba2a2e548afc1c4faddd8ff)
 set(OPENIMAGEIO_HASH_TYPE MD5)
 set(OPENIMAGEIO_FILE OpenImageIO-${OPENIMAGEIO_VERSION}.tar.gz)
 
@@ -219,11 +219,11 @@ set(OSL_FILE OpenShadingLanguage-${OSL_VERSION}.tar.gz)
 # BZIP2, FFI, SQLITE and change the versions in this file as well. For compliance
 # reasons there can be no exceptions to this.
 
-set(PYTHON_VERSION 3.10.12)
+set(PYTHON_VERSION 3.10.13)
 set(PYTHON_SHORT_VERSION 3.10)
 set(PYTHON_SHORT_VERSION_NO_DOTS 310)
 set(PYTHON_URI https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz)
-set(PYTHON_HASH 49b0342476b984e106d308c25d657f12)
+set(PYTHON_HASH 8847dc6458d1431d0ae0f55942deeb89)
 set(PYTHON_HASH_TYPE MD5)
 set(PYTHON_FILE Python-${PYTHON_VERSION}.tar.xz)
 set(PYTHON_CPE "cpe:2.3:a:python:python:${PYTHON_VERSION}:-:*:*:*:*:*:*")
@@ -370,16 +370,16 @@ set(ICONV_HASH_TYPE MD5)
 set(ICONV_FILE libiconv-${ICONV_VERSION}.tar.gz)
 set(ICONV_HOMEPAGE https://www.gnu.org/software/libiconv/)
 
-set(SNDFILE_VERSION 1.1.0)
-set(SNDFILE_URI https://github.com/libsndfile/libsndfile/releases/download/1.1.0/libsndfile-${SNDFILE_VERSION}.tar.xz)
-set(SNDFILE_HASH e63dead2b4f0aaf323687619d007ee6a)
+set(SNDFILE_VERSION 1.2.2)
+set(SNDFILE_URI https://github.com/libsndfile/libsndfile/releases/download/1.2.2/libsndfile-${SNDFILE_VERSION}.tar.xz)
+set(SNDFILE_HASH 04e2e6f726da7c5dc87f8cf72f250d04)
 set(SNDFILE_HASH_TYPE MD5)
 set(SNDFILE_FILE libsndfile-${SNDFILE_VERSION}.tar.xz)
 set(SNDFILE_CPE "cpe:2.3:a:libsndfile_project:libsndfile:${SNDFILE_VERSION}:*:*:*:*:*:*:*")
 
-set(WEBP_VERSION 1.2.2)
+set(WEBP_VERSION 1.3.2)
 set(WEBP_URI https://storage.googleapis.com/downloads.webmproject.org/releases/webp/libwebp-${WEBP_VERSION}.tar.gz)
-set(WEBP_HASH b5e2e414a8adee4c25fe56b18dd9c549)
+set(WEBP_HASH 34869086761c0e2da6361035f7b64771)
 set(WEBP_HASH_TYPE MD5)
 set(WEBP_FILE libwebp-${WEBP_VERSION}.tar.gz)
 set(WEBP_CPE "cpe:2.3:a:webmproject:libwebp:${WEBP_VERSION}:*:*:*:*:*:*:*")
@@ -481,9 +481,9 @@ set(LZMA_FILE xz-${LZMA_VERSION}.tar.bz2)
 set(LZMA_HOMEPAGE https://tukaani.org/lzma/)
 
 # NOTE: Python's build has been modified to use our ssl version.
-set(SSL_VERSION 3.0.9)
+set(SSL_VERSION 3.1.2)
 set(SSL_URI https://www.openssl.org/source/openssl-${SSL_VERSION}.tar.gz)
-set(SSL_HASH eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90)
+set(SSL_HASH a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539)
 set(SSL_HASH_TYPE SHA256)
 set(SSL_FILE openssl-${SSL_VERSION}.tar.gz)
 set(SSL_CPE "cpe:2.3:a:openssl:openssl:${SSL_VERSION}:*:*:*:*:*:*:*")

build_files/build_environment/patches/oiio_3832.diff

@@ -1,13 +0,0 @@
-diff --git a/src/python/py_oiio.cpp b/src/python/py_oiio.cpp
-index 6031d2c23..e71105da5 100644
---- a/src/python/py_oiio.cpp
-+++ b/src/python/py_oiio.cpp
-@@ -153,7 +153,7 @@ oiio_bufinfo::oiio_bufinfo(const py::buffer_info& pybuf, int nchans, int width,
-             format = TypeUnknown;  // No idea what's going on -- error
-             error  = Strutil::fmt::format(
-                 "Python array shape is [{:,}] but expecting h={}, w={}, ch={}",
--                cspan<ssize_t>(pybuf.shape), height, width, nchans);
-+                cspan<py::ssize_t>(pybuf.shape), height, width, nchans);
-         }
-     } else if (pixeldims == 1) {
-         // Reading a 1D scanline span

build_files/build_environment/patches/oiio_3984.diff

@@ -0,0 +1,13 @@
+diff --git a/src/libOpenImageIO/exif.cpp b/src/libOpenImageIO/exif.cpp
+index 90eaaec6e9..1fbf04140e 100644
+--- a/src/libOpenImageIO/exif.cpp
++++ b/src/libOpenImageIO/exif.cpp
+@@ -1302,6 +1302,8 @@ encode_exif(const ImageSpec& spec, std::vector<char>& blob,
+     TIFFHeader head;
+     head.tiff_magic   = (endianreq == endian::little) ? 0x4949 : 0x4d4d;
+     head.tiff_version = 42;
++    if (endianreq != endian::native)
++        swap_endian(&head.tiff_version);
+     // N.B. need to swap_endian head.tiff_diroff  below, once we know the sizes
+     append(blob, head);
+ 

build_files/build_environment/patches/oiio_psd_8da473e254.diff

@@ -1,34 +0,0 @@
-diff --git a/src/psd.imageio/psdinput.cpp b/src/psd.imageio/psdinput.cpp
-index 9dc240281..05b008e0a 100644
---- a/src/psd.imageio/psdinput.cpp
-+++ b/src/psd.imageio/psdinput.cpp
-@@ -1344,9 +1344,27 @@ PSDInput::load_resource_thumbnail(uint32_t length, bool isBGR)
-     if (!ioread(&jpeg_data[0], jpeg_length))
-         return false;
- 
-+    // Create an IOMemReader that references the thumbnail JPEG blob and read
-+    // it with an ImageInput, into the memory owned by an ImageBuf.
-     Filesystem::IOMemReader thumbblob(jpeg_data.data(), jpeg_length);
--    m_thumbnail = ImageBuf("thumbnail.jpg", 0, 0, nullptr, nullptr, &thumbblob);
--    m_thumbnail.read(0, 0, true);
-+    m_thumbnail.clear();
-+    auto imgin = ImageInput::open("thumbnail.jpg", nullptr, &thumbblob);
-+    if (imgin) {
-+        ImageSpec spec = imgin->spec(0);
-+        m_thumbnail.reset(spec, InitializePixels::No);
-+        ok = imgin->read_image(0, 0, 0, m_thumbnail.spec().nchannels,
-+                               m_thumbnail.spec().format,
-+                               m_thumbnail.localpixels());
-+        imgin.reset();
-+    } else {
-+        errorfmt("Failed to open thumbnail");
-+        return false;
-+    }
-+    if (!ok) {
-+        errorfmt("Failed to read thumbnail: {}", m_thumbnail.geterror());
-+        m_thumbnail.clear();
-+        return false;
-+    }
- 
-     // Set these attributes for the merged composite only (subimage 0)
-     composite_attribute("thumbnail_width", (int)m_thumbnail.spec().width);

build_files/build_environment/patches/oiio_webp.diff

@@ -0,0 +1,59 @@
+diff --git a/src/cmake/modules/FindWebP.cmake b/src/cmake/modules/FindWebP.cmake
+index 87b880a..0e9850f 100644
+--- a/src/cmake/modules/FindWebP.cmake
++++ b/src/cmake/modules/FindWebP.cmake
+@@ -29,6 +29,12 @@ find_library (WEBPDEMUX_LIBRARY webpdemux
+               HINTS
+                   ${WEBP_LIBRARY_PATH}
+                   ENV WEBP_LIBRARY_PATH)
++# New in WebP 1.3
++find_library (WEBP_SHARPYUV_LIBRARY sharpyuv
++              HINTS
++                  ${WEBP_LIBRARY_PATH}
++                  ENV WEBP_LIBRARY_PATH)
++
+ 
+ include (FindPackageHandleStandardArgs)
+ find_package_handle_standard_args (WebP
+@@ -38,7 +44,7 @@ find_package_handle_standard_args (WebP
+ 
+ if (WebP_FOUND)
+     set (WEBP_INCLUDES "${WEBP_INCLUDE_DIR}")
+-    set (WEBP_LIBRARIES ${WEBP_LIBRARY} ${WEBPDEMUX_LIBRARY})
++    set (WEBP_LIBRARIES ${WEBP_LIBRARY} ${WEBPDEMUX_LIBRARY} ${WEBP_SHARPYUV_LIBRARY})
+ 
+     if (NOT TARGET WebP::WebP)
+         add_library(WebP::WebP UNKNOWN IMPORTED)
+@@ -54,10 +60,18 @@ if (WebP_FOUND)
+         set_property(TARGET WebP::WebPDemux APPEND PROPERTY
+             IMPORTED_LOCATION ${WEBPDEMUX_LIBRARY})
+     endif ()
++    if (WEBP_SHARPYUV_LIBRARY AND NOT TARGET WebP::sharpyuv)
++        add_library(WebP::sharpyuv UNKNOWN IMPORTED)
++        set_target_properties(WebP::sharpyuv PROPERTIES
++            INTERFACE_INCLUDE_DIRECTORIES ${WEBP_INCLUDES})
++        set_property(TARGET WebP::sharpyuv APPEND PROPERTY
++            IMPORTED_LOCATION ${WEBP_SHARPYUV_LIBRARY})
++    endif ()
+ endif ()
+ 
+ mark_as_advanced (
+     WEBP_INCLUDE_DIR
+     WEBP_LIBRARY
+     WEBPDEMUX_LIBRARY
++    WEBP_SHARPYUV_LIBRARY
+     )
+
+diff --git a/src/webp.imageio/CMakeLists.txt b/src/webp.imageio/CMakeLists.txt
+index ccf1146..c646e99 100644
+--- a/src/webp.imageio/CMakeLists.txt
++++ b/src/webp.imageio/CMakeLists.txt
+@@ -4,7 +4,7 @@
+
+ if (WebP_FOUND)
+     add_oiio_plugin (webpinput.cpp webpoutput.cpp
+-                     LINK_LIBRARIES WebP::webp WebP::webpdemux
++                     LINK_LIBRARIES WebP::webp WebP::webpdemux WebP::sharpyuv
+                      DEFINITIONS "-DUSE_WEBP=1")
+ else ()
+     message (STATUS "WebP plugin will not be built")

build_files/cmake/Modules/FindWebP.cmake

@@ -41,6 +41,7 @@ set(_webp_FIND_COMPONENTS
   webp
   webpmux
   webpdemux
+  sharpyuv # New in 1.3
 )
 
 set(_webp_LIBRARIES)
@@ -56,7 +57,9 @@ foreach(COMPONENT ${_webp_FIND_COMPONENTS})
     PATH_SUFFIXES
       lib64 lib lib/static
     )
-  list(APPEND _webp_LIBRARIES "${WEBP_${UPPERCOMPONENT}_LIBRARY}")
+  if (WEBP_${UPPERCOMPONENT}_LIBRARY)
+    list(APPEND _webp_LIBRARIES "${WEBP_${UPPERCOMPONENT}_LIBRARY}")
+  endif()
 endforeach()
 
 if(NOT WEBP_WEBP_LIBRARY)
@@ -84,4 +87,5 @@ mark_as_advanced(
   WEBP_WEBPDEMUX_LIBRARY
   WEBP_WEBPMUX_LIBRARY
   WEBP_WEBP_LIBRARY
+  WEBP_SHARPYUV_LIBRARY
 )