[Buildroot] [git commit branch/2025.02.x] package/libvips: security bump to v8.17.2

Arnout Vandecappelle arnout at rnout.be
Thu Oct 30 07:56:12 UTC 2025


commit: https://git.buildroot.net/buildroot/commit/?id=b60cdb1c76ec535ac4f099f8daca384806c80c90
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2025.02.x

See the many release notes: https://github.com/libvips/libvips/releases

Along that version bump:
- Change source code archive compression from .gz to .xz as this is the
  new upstream delivery format
- Switch from autotools to meson build system (see upstream commit
  https://github.com/libvips/libvips/commit/538aa2a8415e10e5c30e4e8671ab5387ca4869fb)
- Update the LICENSE file (see upstream commit
  https://github.com/libvips/libvips/commit/057703938e76083f78760d64ece983dcf7be65ff)

This fixes the following vulnerabilities:
- CVE-2025-29769:
    libvips is a demand-driven, horizontally threaded image processing
    library.  The heifsave operation could incorrectly determine the
    presence of an alpha channel in an input when it was not possible to
    determine the colour interpretation, known internally within libvips
    as "multiband". There aren't many ways to create a "multiband" input,
    but it is possible with a well-crafted TIFF image. If a "multiband"
    TIFF input image had 4 channels and HEIF-based output was requested,
    this led to libvips creating a 3 channel HEIF image without an alpha
    channel but then attempting to write 4 channels of data. This caused a
    heap buffer overflow, which could crash the process. This
    vulnerability is fixed in 8.16.1.
    https://www.cve.org/CVERecord?id=CVE-2025-29769

- CVE-2025-59933:
    libvips is a demand-driven, horizontally threaded image processing
    library. For versions 8.17.1 and below, when libvips is compiled with
    support for PDF input via poppler, the pdfload operation is affected
    by a buffer read overflow when parsing the header of a crafted PDF
    with a page that defines a width but not a height. Those using libvips
    compiled without support for PDF input are unaffected as well as
    thosewith support for PDF input via PDFium. This issue is fixed in
    version 8.17.2. A workaround for those affected is to block the
    VipsForeignLoadPdf operation via vips_operation_block_set, which is
    available in most language bindings, or to set VIPS_BLOCK_UNTRUSTED
    environment variable at runtime, which will block all untrusted
    loaders including PDF input via poppler.
    https://www.cve.org/CVERecord?id=CVE-2025-59933

Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
[Julien: update _LICENSE_FILES to fix check-package error]
Signed-off-by: Julien Olivain <ju.o at free.fr>
(cherry picked from commit 72c7d99e22eb7706e413992cf7084438fea657bb)
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
 package/libvips/libvips.hash |  6 +--
 package/libvips/libvips.mk   | 92 ++++++++++++++++++++------------------------
 2 files changed, 44 insertions(+), 54 deletions(-)

diff --git a/package/libvips/libvips.hash b/package/libvips/libvips.hash
index 1ba242d1cf..dd7510ecb2 100644
--- a/package/libvips/libvips.hash
+++ b/package/libvips/libvips.hash
@@ -1,3 +1,3 @@
-# Locally calculated
-sha256  2468088d958e0e2de1be2991ff8940bf45664a826c0dad12342e1804e2805a6e  vips-8.10.6.tar.gz
-sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING
+# From https://github.com/libvips/libvips/releases/download/v8.17.2/vips-8.17.2.tar.xz.sha256sum
+sha256  57ea0ec4f30ea04748c9e8eec5415e7c9ac7cafe6822e4788fc110376a1d224a  vips-8.17.2.tar.xz
+sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  LICENSE
diff --git a/package/libvips/libvips.mk b/package/libvips/libvips.mk
index 8eb1f0964e..e7641fa8cd 100644
--- a/package/libvips/libvips.mk
+++ b/package/libvips/libvips.mk
@@ -4,11 +4,11 @@
 #
 ################################################################################
 
-LIBVIPS_VERSION = 8.10.6
-LIBVIPS_SOURCE = vips-$(LIBVIPS_VERSION).tar.gz
+LIBVIPS_VERSION = 8.17.2
+LIBVIPS_SOURCE = vips-$(LIBVIPS_VERSION).tar.xz
 LIBVIPS_SITE = https://github.com/libvips/libvips/releases/download/v$(LIBVIPS_VERSION)
 LIBVIPS_LICENSE = LGPL-2.1+
-LIBVIPS_LICENSE_FILES = COPYING
+LIBVIPS_LICENSE_FILES = LICENSE
 LIBVIPS_CPE_ID_VENDOR = libvips
 
 # Sparc64 compile fails, for all optimization levels except -O0. To
@@ -22,135 +22,125 @@ LIBVIPS_CONF_ENV += CXXFLAGS="$(TARGET_CXXFLAGS) $(LIBVIPS_CXXFLAGS)" \
 	LIBS=$(TARGET_NLS_LIBS)
 
 LIBVIPS_CONF_OPTS = \
-	--without-dmalloc \
-	--without-gsf \
-	--without-OpenEXR \
-	--without-openslide \
-	--without-cfitsio \
-	--without-pangoft2 \
-	--without-x
+	-Dopenexr=disabled \
+	-Dopenslide=disabled \
+	-Dcfitsio=disabled \
+	-Dpangocairo=disabled
 LIBVIPS_INSTALL_STAGING = YES
 LIBVIPS_DEPENDENCIES = \
 	host-pkgconf expat libglib2 \
 	$(TARGET_NLS_DEPENDENCIES)
 
-ifeq ($(BR2_PACKAGE_GIFLIB),y)
-LIBVIPS_CONF_OPTS += --with-giflib
-LIBVIPS_DEPENDENCIES += giflib
-else
-LIBVIPS_CONF_OPTS += --without-giflib
-endif
-
 ifeq ($(BR2_PACKAGE_GOBJECT_INTROSPECTION),y)
-LIBVIPS_CONF_OPTS += --enable-introspection
+LIBVIPS_CONF_OPTS += -Dintrospection=enabled
 LIBVIPS_DEPENDENCIES += gobject-introspection
 else
-LIBVIPS_CONF_OPTS += --disable-introspection
+LIBVIPS_CONF_OPTS += -Dintrospection=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_IMAGEMAGICK),y)
 LIBVIPS_CONF_OPTS += \
-	--with-magick \
-	--with-magickpackage=MagickCore
+	-Dmagick=enabled \
+	-Dmagick-package=MagickCore
 LIBVIPS_DEPENDENCIES += imagemagick
 else ifeq ($(BR2_PACKAGE_GRAPHICSMAGICK),y)
 LIBVIPS_CONF_OPTS += \
-	--with-magick \
-	--with-magickpackage=GraphicsMagick
+	-Dmagick=enabled \
+	-Dmagick-package=GraphicsMagick
 LIBVIPS_DEPENDENCIES += graphicsmagick
 else
-LIBVIPS_CONF_OPTS += --without-magick
+LIBVIPS_CONF_OPTS += -Dmagick=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_JPEG),y)
-LIBVIPS_CONF_OPTS += --with-jpeg
+LIBVIPS_CONF_OPTS += -Djpeg=enabled
 LIBVIPS_DEPENDENCIES += jpeg
 else
-LIBVIPS_CONF_OPTS += --without-jpeg
+LIBVIPS_CONF_OPTS += -Djpeg=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_LCMS2),y)
-LIBVIPS_CONF_OPTS += --with-lcms
+LIBVIPS_CONF_OPTS += -Dlcms=enabled
 LIBVIPS_DEPENDENCIES += lcms2
 else
-LIBVIPS_CONF_OPTS += --without-lcms
+LIBVIPS_CONF_OPTS += -Dlcms=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_LIBPNG),y)
-LIBVIPS_CONF_OPTS += --with-png
+LIBVIPS_CONF_OPTS += -Dpng=enabled
 LIBVIPS_DEPENDENCIES += libpng
 else
-LIBVIPS_CONF_OPTS += --without-png
+LIBVIPS_CONF_OPTS += -Dpng=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_LIBRSVG),y)
-LIBVIPS_CONF_OPTS += --with-rsvg
+LIBVIPS_CONF_OPTS += -Drsvg=enabled
 LIBVIPS_DEPENDENCIES += librsvg
 else
-LIBVIPS_CONF_OPTS += --without-rsvg
+LIBVIPS_CONF_OPTS += -Drsvg=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_MATIO),y)
-LIBVIPS_CONF_OPTS += --with-matio
+LIBVIPS_CONF_OPTS += -Dmatio=enabled
 LIBVIPS_DEPENDENCIES += matio
 else
-LIBVIPS_CONF_OPTS += --without-matio
+LIBVIPS_CONF_OPTS += -Dmatio=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_ORC),y)
-LIBVIPS_CONF_OPTS += --with-orc
+LIBVIPS_CONF_OPTS += -Dorc=enabled
 LIBVIPS_DEPENDENCIES += orc
 else
-LIBVIPS_CONF_OPTS += --without-orc
+LIBVIPS_CONF_OPTS += -Dorc=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_POPPLER),y)
-LIBVIPS_CONF_OPTS += --with-poppler
+LIBVIPS_CONF_OPTS += -Dpoppler=enabled
 LIBVIPS_DEPENDENCIES += poppler
 else
-LIBVIPS_CONF_OPTS += --without-poppler
+LIBVIPS_CONF_OPTS += -Dpoppler=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_TIFF),y)
-LIBVIPS_CONF_OPTS += --with-tiff
+LIBVIPS_CONF_OPTS += -Dtiff=enabled
 LIBVIPS_DEPENDENCIES += tiff
 else
-LIBVIPS_CONF_OPTS += --without-tiff
+LIBVIPS_CONF_OPTS += -Dtiff=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_FFTW_DOUBLE),y)
-LIBVIPS_CONF_OPTS += --with-fftw
+LIBVIPS_CONF_OPTS += -Dfftw=enabled
 LIBVIPS_DEPENDENCIES += fftw-double
 else
-LIBVIPS_CONF_OPTS += --without-fftw
+LIBVIPS_CONF_OPTS += -Dfftw=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_LIBEXIF),y)
-LIBVIPS_CONF_OPTS += --with-libexif
+LIBVIPS_CONF_OPTS += -Dexif=enabled
 LIBVIPS_DEPENDENCIES += libexif
 else
-LIBVIPS_CONF_OPTS += --without-libexif
+LIBVIPS_CONF_OPTS += -Dexif=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_LIBHEIF),y)
-LIBVIPS_CONF_OPTS += --with-heif
+LIBVIPS_CONF_OPTS += -Dheif=enabled
 LIBVIPS_DEPENDENCIES += libheif
 else
-LIBVIPS_CONF_OPTS += --without-heif
+LIBVIPS_CONF_OPTS += -Dheif=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_WEBP_DEMUX)$(BR2_PACKAGE_WEBP_MUX),yy)
-LIBVIPS_CONF_OPTS += --with-libwebp
+LIBVIPS_CONF_OPTS += -Dwebp=enabled
 LIBVIPS_DEPENDENCIES += webp
 else
-LIBVIPS_CONF_OPTS += --without-libwebp
+LIBVIPS_CONF_OPTS += -Dwebp=disabled
 endif
 
 ifeq ($(BR2_PACKAGE_ZLIB),y)
-LIBVIPS_CONF_OPTS += --with-zlib
+LIBVIPS_CONF_OPTS += -Dzlib=enabled
 LIBVIPS_DEPENDENCIES += zlib
 else
-LIBVIPS_CONF_OPTS += --without-zlib
+LIBVIPS_CONF_OPTS += -Dzlib=disabled
 endif
 
-$(eval $(autotools-package))
+$(eval $(meson-package))
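Review bot: The `CXXFLAGS="$(TARGET_CXXFLAGS) $(LIBVIPS_CXXFLAGS)"` and `LIBS=$(TARGET_NLS_LIBS)` still exported through LIBVIPS_CONF_ENV (the hunk header's context line and the first context line of the hunk) were an autotools mechanism; once the package is built with `$(eval $(meson-package))`, Buildroot drives the cross compiler through a generated cross file and Meson ignores CXXFLAGS/LIBS from the environment, so the Sparc64 `-O0` workaround described in the comment just above this hunk is most likely no longer applied. Worse, if LIBVIPS_CXXFLAGS is still defined for that arch (the reference on the header line suggests it is, though the definition is outside this hunk), the meson infrastructure uses the package's `_CXXFLAGS` verbatim as the cross-file C++ flags instead of TARGET_CXXFLAGS, which would silently drop the toolchain's hardening and optimisation flags for that build; defining it as `LIBVIPS_CXXFLAGS = $(TARGET_CXXFLAGS) -O0` in the existing conditional and moving the NLS libraries to `LIBVIPS_LDFLAGS = $(TARGET_LDFLAGS) $(TARGET_NLS_LIBS)` would restore both. Separately, the autotools build disabled every unused feature explicitly, whereas the new LIBVIPS_CONF_OPTS only pins openexr/openslide/cfitsio/pangocairo plus the per-package conditionals; every other Meson feature option left at its `auto` default is enabled opportunistically whenever its library happens to be present in the staging sysroot, giving undeclared dependencies and non-reproducible builds, so the remaining options (for example `-Dspng=disabled`, `-Dopenjpeg=disabled`, `-Djpeg-xl=disabled`, `-Dcgif=disabled`) should be mapped to BR2_PACKAGE_* symbols or disabled. The dropped giflib conditional is presumably correct because the upstream Meson build no longer uses giflib, but that deserves a sentence in the commit message.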

