Hi,

> I'm counting 22 open CVEs for libav at the moment. Which of them do you
> intend to address with your fixes? Do you mind working together with
> Hugo Lefeuvre on some issues? I could imagine you both could pool your
> resources together.
(24 if we count the two issues marked no-dsa by the security team)

Some CVE triage:

Upstream patch applies directly, or almost:
CVE-2016-7393
CVE-2015-6820
CVE-2015-6823
CVE-2015-6824
CVE-2015-6825
CVE-2015-6826
CVE-2015-8364
CVE-2015-8365
CVE-2015-5479

Upstream patch needs some (heavy) adaptations:
CVE-2015-6818
CVE-2015-6821
CVE-2016-2330
CVE-2015-1872

Upstream patch does not apply, or it's unsure that libav is vulnerable in wheezy:
CVE-2015-6819
CVE-2015-6822 (vulnerable code not present, seems to appear in changelog since version 11 [0])
CVE-2015-8216
CVE-2015-8218
CVE-2015-8219
CVE-2015-8661
CVE-2015-8662
CVE-2015-8663
CVE-2016-2329

No upstream patch for the moment:
CVE-2016-6920
CVE-2015-6761

It will be easy to prepare an update for the first category of security issues. It will be harder for the second category, but it seems to be feasible. For the third category, I'm not sure it's worth doing an upload; it will be a lot of work, while the risks are high and most concerned issues aren't critical.

If Diego agrees, I propose two uploads: a first one fixing all easy issues that are unlikely to bring regressions, and a second one fixing all issues from the second (third if possible?) category that we can reasonably fix without risks.

Cheers,
Hugo

[0] https://libav.org/changelog.html

-- 
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E