Build: library security updates for Blender 3.3.4

Various things found by make cve_check.

Differential Revision: https://developer.blender.org/D16956

build_files/build_environment/cmake/cve_check.csv.in

@@ -1,5 +1,10 @@
 vendor,product,version,cve_number,remarks,comment
+@FMT_ID@,OSV-2021-991,Ignored,CVE marked as invalid but OSV not updated
+@FREETYPE_ID@,CVE-2022-27404,Ignored,does not affect blender usage of freetype
+@FREETYPE_ID@,CVE-2022-27405,Ignored,does not affect blender usage of freetype
+@FREETYPE_ID@,CVE-2022-27406,Ignored,does not affect blender usage of freetype
 @OPENJPEG_ID@,CVE-2016-9675,Ignored,issue in convert command line tool not used by blender
+@OPENJPEG_ID@,OSV-2022-416,Mitigated,using newer git revision with fix included
 @PYTHON_ID@,CVE-2009-2940,Ignored,issue in pygresql not used by blender
 @PYTHON_ID@,CVE-2020-29396,Ignored,issue in odoo not used by blender
 @PYTHON_ID@,CVE-2021-32052,Ignored,issue in django not used by blender
@@ -23,7 +28,13 @@ vendor,product,version,cve_number,remarks,comment
 @TIFF_ID@,CVE-2022-3599,Ignored,issue in tiff command line tool not used by blender
 @TIFF_ID@,CVE-2022-3626,Ignored,issue in tiff command line tool not used by blender
 @TIFF_ID@,CVE-2022-3627,Ignored,issue in tiff command line tool not used by blender
+@TIFF_ID@,CVE-2022-48281,Ignored,issue in tiff command line tool not used by blender
 @XML2_ID@,CVE-2016-3709,Ignored,not affecting blender and not considered a security issue upstream
+@XML2_ID@,OSV-2021-777,Ignored,already fixed in version used so OSV invalid
+@XML2_ID@,CVE-2022-40303,Ignored,fixed and cve_check version comparison is wrong
+@XML2_ID@,CVE-2022-40304,Ignored,fixed and cve_check version comparison is wrong
 @GMP_ID@,CVE-2021-43618,Mitigated,patched using upstream commit 561a9c25298e
 @SQLITE_ID@,CVE-2022-35737,Ignored,only affects SQLITE_ENABLE_STAT4 compile option not used by blender or python
+@SQLITE_ID@,CVE-2022-46908,Ignored,only affects CLI tools not used by blender or python
+@BROTLI_ID@,CVE-2020-8927,Ignored,fixed and cve_check version comparison is wrong
 @SBOMCONTENTS@

build_files/build_environment/cmake/python_site_packages.cmake

@@ -15,7 +15,21 @@ ExternalProject_Add(external_python_site_packages
   CONFIGURE_COMMAND ${PIP_CONFIGURE_COMMAND}
   BUILD_COMMAND ""
   PREFIX ${BUILD_DIR}/site_packages
-  INSTALL_COMMAND ${PYTHON_BINARY} -m pip install --no-cache-dir ${SITE_PACKAGES_EXTRA} cython==${CYTHON_VERSION} idna==${IDNA_VERSION} charset-normalizer==${CHARSET_NORMALIZER_VERSION} urllib3==${URLLIB3_VERSION} certifi==${CERTIFI_VERSION} requests==${REQUESTS_VERSION} zstandard==${ZSTANDARD_VERSION} autopep8==${AUTOPEP8_VERSION} pycodestyle==${PYCODESTYLE_VERSION} toml==${TOML_VERSION} --no-binary :all:
+  # setuptools is downgraded to 63.2.0 (same as python 3.10.8) since numpy 1.23.x seemingly has
+  # issues building on windows with the newer versions that ships with python 3.10.9+
+  INSTALL_COMMAND ${PYTHON_BINARY} -m pip install --no-cache-dir ${SITE_PACKAGES_EXTRA}
+  setuptools==63.2.0
+  cython==${CYTHON_VERSION}
+  idna==${IDNA_VERSION}
+  charset-normalizer==${CHARSET_NORMALIZER_VERSION}
+  urllib3==${URLLIB3_VERSION}
+  certifi==${CERTIFI_VERSION}
+  requests==${REQUESTS_VERSION}
+  zstandard==${ZSTANDARD_VERSION}
+  autopep8==${AUTOPEP8_VERSION}
+  pycodestyle==${PYCODESTYLE_VERSION}
+  toml==${TOML_VERSION}
+  --no-binary :all:
 )
 
 if(USE_PIP_NUMPY)

build_files/build_environment/cmake/versions.cmake

@@ -182,9 +182,9 @@ set(ROBINMAP_HASH c08ec4b1bf1c85eb0d6432244a6a89862229da1cb834f3f90fba8dc35d8c8e
 set(ROBINMAP_HASH_TYPE SHA256)
 set(ROBINMAP_FILE robinmap-${ROBINMAP_VERSION}.tar.gz)
 
-set(TIFF_VERSION 4.4.0)
+set(TIFF_VERSION 4.5.0)
 set(TIFF_URI http://download.osgeo.org/libtiff/tiff-${TIFF_VERSION}.tar.gz)
-set(TIFF_HASH 376f17f189e9d02280dfe709b2b2bbea)
+set(TIFF_HASH db9e220a1971acc64487f1d51a20dcaa)
 set(TIFF_HASH_TYPE MD5)
 set(TIFF_FILE tiff-${TIFF_VERSION}.tar.gz)
 set(TIFF_CPE "cpe:2.3:a:libtiff:libtiff:${TIFF_VERSION}:*:*:*:*:*:*:*")
@@ -195,11 +195,11 @@ set(OSL_HASH 63265472ce14548839ace2e21e401544)
 set(OSL_HASH_TYPE MD5)
 set(OSL_FILE OpenShadingLanguage-${OSL_VERSION}.tar.gz)
 
-set(PYTHON_VERSION 3.10.8)
+set(PYTHON_VERSION 3.10.9)
 set(PYTHON_SHORT_VERSION 3.10)
 set(PYTHON_SHORT_VERSION_NO_DOTS 310)
 set(PYTHON_URI https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz)
-set(PYTHON_HASH e92356b012ed4d0e09675131d39b1bde)
+set(PYTHON_HASH dc8c0f274b28ee9e95923d20cfc364c9)
 set(PYTHON_HASH_TYPE MD5)
 set(PYTHON_FILE Python-${PYTHON_VERSION}.tar.xz)
 set(PYTHON_CPE "cpe:2.3:a:python:python:${PYTHON_VERSION}:-:*:*:*:*:*:*")
@@ -266,9 +266,9 @@ set(THEORA_HASH b6ae1ee2fa3d42ac489287d3ec34c5885730b1296f0801ae577a35193d3affbc
 set(THEORA_HASH_TYPE SHA256)
 set(THEORA_FILE libtheora-${THEORA_VERSION}.tar.bz2)
 
-set(FLAC_VERSION 1.3.4)
+set(FLAC_VERSION 1.4.2)
 set(FLAC_URI http://downloads.xiph.org/releases/flac/flac-${FLAC_VERSION}.tar.xz)
-set(FLAC_HASH 8ff0607e75a322dd7cd6ec48f4f225471404ae2730d0ea945127b1355155e737 )
+set(FLAC_HASH e322d58a1f48d23d9dd38f432672865f6f79e73a6f9cc5a5f57fcaa83eb5a8e4 )
 set(FLAC_HASH_TYPE SHA256)
 set(FLAC_FILE flac-${FLAC_VERSION}.tar.xz)
 set(FLAC_CPE "cpe:2.3:a:flac_project:flac:${FLAC_VERSION}:*:*:*:*:*:*:*")
@@ -300,10 +300,11 @@ set(XVIDCORE_FILE xvidcore-${XVIDCORE_VERSION}.tar.gz)
 
 set(OPENJPEG_VERSION 2.5.0)
 set(OPENJPEG_SHORT_VERSION 2.5)
-set(OPENJPEG_URI https://github.com/uclouvain/openjpeg/archive/v${OPENJPEG_VERSION}.tar.gz)
-set(OPENJPEG_HASH 0333806d6adecc6f7a91243b2b839ff4d2053823634d4f6ed7a59bc87409122a)
+set(OPENJPEG_GIT_HASH 2d606701e8b7aa83f657d113c3367508e99bd12b)
+set(OPENJPEG_URI https://github.com/uclouvain/openjpeg/archive/${OPENJPEG_GIT_HASH}.tar.gz)
+set(OPENJPEG_HASH f90941955eb66a81762df5e989f13ade48d753d3182e7f9a82d2bfce3fb5cef2)
 set(OPENJPEG_HASH_TYPE SHA256)
-set(OPENJPEG_FILE openjpeg-v${OPENJPEG_VERSION}.tar.gz)
+set(OPENJPEG_FILE openjpeg-v${OPENJPEG_GIT_HASH}.tar.gz)
 set(OPENJPEG_CPE "cpe:2.3:a:uclouvain:openjpeg:${OPENJPEG_VERSION}:*:*:*:*:*:*:*")
 
 set(FFMPEG_VERSION 5.1.2)