On Fri, Dec 09, 2016 at 06:20:07PM +0100, Hugo Lefeuvre wrote:
> > In the meantime I have had an epiphany and found a simpler fix for the
> > issue after staring at the code during the refactoring backport. I'll
> > do some final tests and push it tomorrow.

This is pushed and available on the 0.8 branch, along with another fix, libav bugs 939 and 959.

> > The reporter claims that it's specific to one clang version (3.8.1).
> > I have installed that clang version and will retry to reproduce the
> > issue.
>
> Any update on it? Are you going to issue a new point release?

Unfortunately I'm drowning in work for a project that's already past its deadline. I hope to finally finish it over the weekend and get to some 0.8 work during the week.

> There are now 32 open CVEs potentially affecting libav in wheezy.
>
> I have reviewed some ffmpeg patches, and they seem to be fine. Could you
> have a look at them, and maybe merge them for the next point release?
>
> * check-element-type-before-applying-sbr.patch:
>   Imported from ffmpeg[0], should fix CVE-2015-6820.
>
> * clear-pointers-allocate_buffers.patch:
>   Imported from ffmpeg[1], adapted, should fix CVE-2015-6823.
>
> * clear-pix-buffers.patch:
>   Imported from ffmpeg[2], should fix CVE-2015-6824.
>
> By the way, I have not tested whether libav was affected or not, but the
> code is very similar, so it is very likely that libav is also affected.

I'll review them and possibly merge them during the week.

Diego