author: Tim-Philipp Müller <tim@centricular.com> 2024-07-19 12:34:03 +0100
committer: Tim-Philipp Müller <tim@centricular.com> 2024-07-19 13:11:29 +0100
commit: c116d7fa2f4cd99f2dda2601f433756cdf4b5833 (patch)
tree: e7d6a06d3d2901dfe8908ee5c257027ac8b85b48
parent: fdfe5beab44d0d471095e6d401087a3bf9ddb362 (diff)
Add Orc 0.4.39 release
Part-of: <https://gitlab.freedesktop.org/gstreamer/www/-/merge_requests/119>
-rw-r--r-- src/htdocs/entities.gst | 2
-rw-r--r-- src/htdocs/news/news.xml | 39
-rw-r--r-- src/htdocs/security/Makefile.am | 1
-rw-r--r-- src/htdocs/security/sa-2024-0003.md | 50
-rw-r--r-- src/htdocs/security/security.md | 1
5 files changed, 92 insertions, 1 deletions
diff --git a/src/htdocs/entities.gst b/src/htdocs/entities.gst
index d5424b87..329a97d3 100644
--- a/src/htdocs/entities.gst
+++ b/src/htdocs/entities.gst
@@ -2,7 +2,7 @@
<!ENTITY gst-version-stable "1.24.5">
<!ENTITY gst-version-devel "git main">
-<!ENTITY orc-version-stable "0.4.38">
+<!ENTITY orc-version-stable "0.4.39">
<!ENTITY orc-version-devel "git main">
<!ENTITY gst-repo-http "https://gitlab.freedesktop.org/gstreamer/">
diff --git a/src/htdocs/news/news.xml b/src/htdocs/news/news.xml
index 5a3d3255..9709d6a7 100644
--- a/src/htdocs/news/news.xml
+++ b/src/htdocs/news/news.xml
@@ -15296,4 +15296,43 @@ Binaries for Android, iOS, Mac OS X and Windows will be available shortly.
</content>
</item>
+
+ <item>
+ <date>2024-07-19 12:30</date>
+ <title>Orc 0.4.39 bug-fix release</title>
+ <content>
+ <p>
+The GStreamer team is pleased to announce another release of liborc,
+the Optimized Inner Loop Runtime Compiler, which is used for SIMD acceleration
+in GStreamer plugins such as audioconvert, audiomixer, compositor, videoscale,
+and videoconvert, to name just a few.
+ </p>
+ <p>
+This is a minor bug-fix release, and also includes a security fix.
+ </p>
+ <p>
+ <b>Highlights:</b>
+ <ul>
+ <li>Security: Fix error message printing buffer overflow leading to possible code execution in orcc with specific input files (CVE-2024-40897). This only affects developers and CI environments using orcc, not users of liborc.</li>
+ <li>div255w: fix off-by-one error in the implementations</li>
+ <li>x86: only run AVX detection if xgetbv is available</li>
+ <li>x86: fix AVX detection by implementing the check recommended by Intel</li>
+ <li>Only enable JIT compilation on Apple arm64 if running on macOS, fixes crashes on iOS</li>
+ <li>Fix potential crash in emulation mode if logging is enabled</li>
+ <li>Handle undefined TARGET_OS_OSX correctly</li>
+ <li>orconce: Fix typo in GCC __sync-based implementation</li>
+ <li>orconce: Fix usage of __STDC_NO_ATOMICS__</li>
+ <li>Fix build with MSVC 17.10 + C11</li>
+ <li>Support stack unwinding on Windows</li>
+ <li>Major opcode and instruction set code clean-ups and refactoring</li>
+ <li>Refactor allocation and chunk initialization of code regions</li>
+ <li>Fall back to emulation on Linux if JIT support is not available, e.g. because of SELinux sandboxing or noexec mounting)</li>
+ </ul>
+ </p>
+ <p>
+Direct tarball download: <a href="&site;/src/orc/orc-0.4.39.tar.xz">orc-0.4.39.tar.xz</a>.
+ </p>
+ </content>
+ </item>
+
</news>
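Review bot: The last highlight item ends with an unmatched closing parenthesis, "e.g. because of SELinux sandboxing or noexec mounting)"; either drop the ")" or open the parenthesis before "e.g.". The Highlights block also places the <ul> inside a <p>, and a list is not allowed as a child of a paragraph when this content is emitted as HTML, so the rendering depends on parser recovery; closing the <p> right after the <b>Highlights:</b> line and letting the <ul> stand on its own avoids that. The security entry is good in that it states the scope (orcc on developer and CI machines, not liborc users); linking the CVE id there to the new sa-2024-0003 page would let readers of the news item reach the advisory directly.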
diff --git a/src/htdocs/security/Makefile.am b/src/htdocs/security/Makefile.am
index 36477ba5..47447113 100644
--- a/src/htdocs/security/Makefile.am
+++ b/src/htdocs/security/Makefile.am
@@ -26,6 +26,7 @@ ALERTS = \
sa-2023-0011.md \
sa-2024-0001.md \
sa-2024-0002.md \
+ sa-2024-0003.md \
$(NULL)
security_pages = $(patsubst %.md,%.html,$(ALERTS))
diff --git a/src/htdocs/security/sa-2024-0003.md b/src/htdocs/security/sa-2024-0003.md
new file mode 100644
index 00000000..bdf04a67
--- /dev/null
+++ b/src/htdocs/security/sa-2024-0003.md
@@ -0,0 +1,50 @@
+# Security Advisory 2024-0003 (JVN#02030803, JPCERT#92912620, CVE-2024-40897)
+
+<div class="vertical-table">
+
+| | |
+| ----------------- | --- |
+| Summary | Orc compiler stack-based buffer overflow |
+| Date | 2024-07-19 12:30 |
+| Affected Versions | orc < 0.4.39 |
+| IDs | GStreamer-SA-2024-0003<br/>JVN#02030803 / JPCERT#92912620<br/>CVE-2024-40897 |
+
+</div>
+
+## Details
+
+Stack-based buffer overflow in the Orc compiler when formatting error messages for certain input files.
+
+## Impact
+
+It is possible for a malicious third party to trigger a buffer overflow and
+effect code execution with the same privileges as the orc compiler is called
+with by feeding it with malformed orc source files.
+
+This only affects developers and CI environments using orcc, not users of liborc.
+
+## Solution
+
+The Orc 0.4.39 release address the issue.
+People using older branches of Orc should apply the patches and recompile.
+
+## References
+
+### The GStreamer project
+
+- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
+
+### CVE Database Entries
+
+- [CVE-2024-40897](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40897)
+
+### GStreamer Orc releases
+
+#### 0.4.39
+
+- [Orc 0.4.39 release notes](https://discourse.gstreamer.org/t/orc-0-4-39-release/1969)
+- [Orc 0.4.39 tarball (.tar.xz)](/src/orc/orc-0.4.39.tar.xz)
+
+### Patches
+
+- [Patch](https://gitlab.freedesktop.org/gstreamer/orc/-/merge_requests/191.patch)
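Review bot: In the Solution section, "The Orc 0.4.39 release address the issue." has a subject-verb mismatch and should read "addresses the issue". The Impact sentence is also hard to parse ("with the same privileges as the orc compiler is called with by feeding it with malformed orc source files"); something like "A malicious third party can trigger a buffer overflow and achieve code execution with the privileges of the user running the orc compiler by feeding it malformed orc source files" says the same thing more directly. Details refers to "the Orc compiler" while the scope line below uses "orcc"; naming orcc in Details as well would make it clear both refer to the same tool, which matters here because the advisory's main message is that liborc users are not affected.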
diff --git a/src/htdocs/security/security.md b/src/htdocs/security/security.md
index d4e61b47..7a31a9e3 100644
--- a/src/htdocs/security/security.md
+++ b/src/htdocs/security/security.md
@@ -13,6 +13,7 @@ The GStreamer project encourages [responsible disclosure](https://en.wikipedia.o
| ID | Summary | Date | |
| --- | ------- | :----: | --- |
+| **GStreamer-SA-2024-0003**<br/>JVN#02030803 / JPCERT#92912620<br/>CVE-2024-40897 | Orc compiler stack-based buffer overflow | 2024-07-19 12:30 | [Details](sa-2024-0003.html) |
| **GStreamer-SA-2024-0002**<br/>ZDI-CAN-23896<br/>CVE-2024-4453 | Integer overflow in EXIF metadata parser leading to potential heap overwrite | 2024-04-29 20:00 | [Details](sa-2024-0002.html) |
| **GStreamer-SA-2024-0001**<br/>ZDI-CAN-22873<br/>CVE-2024-0444 | AV1 codec parser potential buffer overflow during tile list parsing | 2024-01-24 20:00 | [Details](sa-2024-0001.html) |
| **GStreamer-SA-2023-0011**<br/>ZDI-CAN-22300<br/>CVE-2023-50186 | AV1 codec parser buffer overflow | 2023-12-18 14:00 | [Details](sa-2023-0011.html) |