Re: wheezy update for libav

Hi Diego, > > Thanks for your work. I'll have a look at it and upload tomorrow. > > Nice. Uploaded. > > Concerning the old CVEs (CVE-2015-6820, etc.), we could maybe ask the > > ffmpeg project for the reproducers ? Not sure they will still have them, > > but it doesn't hurt to try. > > I'll

Re: wheezy update for libav

On Mon, Jan 16, 2017 at 10:30:27PM +0100, Hugo Lefeuvre wrote: > > I just released libav 0.8.20 with some more fixes, changelog below. > > > > Diego > > > > version 0.8.20: > > > > - mpegvideo: Fix undefined negative shifts in mpeg_motion_internal (Bug-Id: > > 980, CVE-2016-9820) > > -

Re: wheezy update for libav

Hi Diego, > I just released libav 0.8.20 with some more fixes, changelog below. > > Diego > > version 0.8.20: > > - mpegvideo: Fix undefined negative shifts in mpeg_motion_internal (Bug-Id: > 980, CVE-2016-9820) > - mpegvideo: Fix undefined negative shifts in ff_init_block_index (Bug-Id: >

Re: wheezy update for libav

On Fri, Jan 06, 2017 at 11:32:49AM +0100, Hugo Lefeuvre wrote: > > Could you summarize us the status of your work on the 0.8 branch ? > > I've had a look at the new CVEs reported for libav. I managed to > reproduce CVE-2016-98{21,22} (avconv crashes with segfault), but > cherry picking the

Re: wheezy update for libav

On Wed, Jan 11, 2017 at 09:14:52PM +0100, Hugo Lefeuvre wrote: > > > I've had a look at the new CVEs reported for libav. I managed to > > > reproduce CVE-2016-98{21,22} (avconv crashes with segfault), but > > > cherry picking the fix[0,1,2] for these issues doesn't seem to fix > > > the problem. >

Re: wheezy update for libav

Hi Diego, I've prepared the update, it should be uploaded soon. > > I've had a look at the new CVEs reported for libav. I managed to > > reproduce CVE-2016-98{21,22} (avconv crashes with segfault), but > > cherry picking the fix[0,1,2] for these issues doesn't seem to fix > > the problem. > >

Re: wheezy update for libav

On Fri, Jan 06, 2017 at 11:32:49AM +0100, Hugo Lefeuvre wrote: > I've had a look at the new CVEs reported for libav. I managed to > reproduce CVE-2016-98{21,22} (avconv crashes with segfault), but > cherry picking the fix[0,1,2] for these issues doesn't seem to fix > the problem. It would help me

Re: wheezy update for libav

On Fri, Jan 06, 2017 at 11:32:49AM +0100, Hugo Lefeuvre wrote: > > I've had a look at the new CVEs reported for libav. I managed to > reproduce CVE-2016-98{21,22} (avconv crashes with segfault), but > cherry picking the fix[0,1,2] for these issues doesn't seem to fix > the problem. You were

Re: wheezy update for libav

On Fri, Jan 06, 2017 at 11:32:49AM +0100, Hugo Lefeuvre wrote: > > Could you summarize us the status of your work on the 0.8 branch ? I'm in the process of releasing 0.8.19 this morning. Once the automated tests finish and the build bot prepares the tarballs, I'll put out the release. > I've

Re: wheezy update for libav

Hi Diego, Could you summarize us the status of your work on the 0.8 branch ? I've had a look at the new CVEs reported for libav. I managed to reproduce CVE-2016-98{21,22} (avconv crashes with segfault), but cherry picking the fix[0,1,2] for these issues doesn't seem to fix the problem. I'll try

Re: wheezy update for libav

On Fri, Dec 09, 2016 at 06:20:07PM +0100, Hugo Lefeuvre wrote: > > In the meantime I have had an epiphany and found a simpler fix for the > > issue after staring at the code during the refactoring backport. I'll > > do some final tests and push it tomorrow. This is pushed and available on the 0.8

Re: wheezy update for libav

Hi Diego, > I looked into backporting the fixes for > > https://lists.debian.org/debian-lts/2016/09/msg00211.html > > that the Mozilla people complained about from the 9 release branch to the > 0.8 release branch. It's entirely nontrivial since the commits that fix > the issue constitute a

Re: wheezy update for libav

On Tue, Oct 25, 2016 at 10:38:04AM +0200, Hugo Lefeuvre wrote: > > > However, more than 15 CVEs are still affecting libav in Debian wheezy. > > > Would it be feasible to work on a new point release fixing some of > > > them ? > > > > Yes, I plan to and will after I'm back from a short trip to SF

Re: wheezy update for libav

On Mon, Oct 03, 2016 at 06:05:51PM +0200, Hugo Lefeuvre wrote: > > No, I haven't, I just pushed a set to the 9 branch that fixed the > > problem. I tried the first patch in the series, it's very far from > > applying cleanly, so backporting the work looks like annoying and > > tedious work. I can

Re: wheezy update for libav

Hi Diego, > No, I haven't, I just pushed a set to the 9 branch that fixed the > problem. I tried the first patch in the series, it's very far from > applying cleanly, so backporting the work looks like annoying and > tedious work. I can add it to the ToDo list, but I cannot guarantee > success

Re: wheezy update for libav

On Tue, Sep 27, 2016 at 07:13:14PM +0200, Hugo Lefeuvre wrote: > > Could you summarize us the status of your work on the 0.8.x branch ? > > I'd like to know if it's still possible to have a point release before > the end of the month. I just did the 0.8.18 release (not announced on the website

Re: wheezy update for libav

Hi Diego, Could you summarize us the status of your work on the 0.8.x branch ? I'd like to know if it's still possible to have a point release before the end of the month. Thanks ! Regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com 4096/ ACB7 B67F 197F 9B32 1533 431C

Re: wheezy update for libav

> If you look at the type of changes that go into libav release branches, > it is mostly leaf code, almost never changes to the core itself. Thus, > if there was a regression, there would only be 1-2 relevant changes and > very little source code change to investigate. OK, I'll wait for your

Re: wheezy update for libav

On Wed, Sep 14, 2016 at 12:09:05PM +0200, Hugo Lefeuvre wrote: > > This is not how libav security updates are handled in Debian; we've > > always shipped the 0.8.x and 11.x bugfix releases in -security. > > So, should we wait for the new upstream release to make a Debian LTS/Security > upload ? >

Re: wheezy update for libav

Hi, > This is not how libav security updates are handled in Debian; we've > always shipped the 0.8.x and 11.x bugfix releases in -security. So, should we wait for the new upstream release to make a Debian LTS/Security upload ? IMHO, directly packaging the new upstream release is a good idea but

Re: wheezy update for libav

On 13.09.2016 21:01, Diego Biurrun wrote: > On Tue, Sep 13, 2016 at 05:47:12PM +0200, Markus Koschany wrote: [...] > I think there is a misunderstanding here, so let me explain: > > 1) I've been using Debian for 15+ years now and I understand the policy > for package updates that go into stable:

Re: wheezy update for libav

On Tue, Sep 13, 2016 at 05:47:12PM +0200, Markus Koschany wrote: > On 13.09.2016 16:48, Diego Biurrun wrote: > > On Tue, Sep 13, 2016 at 03:14:41PM +0200, Markus Koschany wrote: > [...] > >> In short we need: > >> > >> a) the single patches rebased against the current version in Wheezy or a > >>

Re: wheezy update for libav

On 13.09.2016 19:16, Moritz Muehlenhoff wrote: > Markus Koschany wrote: >> Just to be clear a new upstream libav doesn't need to coincide with a >> Debian security update. It wouldn't do any harm though. Important is >> that we only fix security related issues and leave possible features out >>

Re: wheezy update for libav

Markus Koschany wrote: > Just to be clear a new upstream libav doesn't need to coincide with a > Debian security update. It wouldn't do any harm though. Important is > that we only fix security related issues and leave possible features out > that are not strictly needed to fix the CVEs. This is

Re: wheezy update for libav

Hi Diego, > What's the problem with cooperating through the upstream repository? No problem for me as long as I can easily determine which commit fixes which CVE. I'll start preparing an LTS upload integrating your first patches. Cheers, Hugo -- Hugo Lefeuvre (hle)|

Re: wheezy update for libav

On Tue, Sep 13, 2016 at 03:14:41PM +0200, Markus Koschany wrote: > On 13.09.2016 15:00, Diego Biurrun wrote: > > On Mon, Sep 12, 2016 at 12:52:32PM +0200, Hugo Lefeuvre wrote: > >>> I'm counting 22 open CVEs for libav at the moment. Which of them do you > >>> intend to address with your fixes? Do

Re: wheezy update for libav

On Mon, Sep 12, 2016 at 12:52:32PM +0200, Hugo Lefeuvre wrote: > > I'm counting 22 open CVEs for libav at the moment. Which of them do you > > intend to address with your fixes? Do you mind working together with > > Hugo Lefeuvre on some issues? I could imagine you both could pool your > >

Re: wheezy update for libav

Hopefully I collected all the right CCs, if just Debian LTS is enough please tell me, sorry for duplicate emails.. On Mon, Sep 12, 2016 at 10:22:29AM +0200, Markus Koschany wrote: > On 12.09.2016 00:46, Bálint Réczey wrote: > > 2016-09-12 0:18 GMT+02:00 Hugo Lefeuvre : > >> I'd

Re: wheezy update for libav

Hi Moritz, > All of the issues marked don't have upstream fixes in the > sense that libav fixed them, only fixes in ffmpeg git. > > If you want to address them in oldstable/stable, you should get the libav > developers > to merge them first. Thanks for the advice. Indeed, it would be better

Re: wheezy update for libav

On Mon, Sep 12, 2016 at 12:52:32PM +0200, Hugo Lefeuvre wrote: > Hi, > > > I'm counting 22 open CVEs for libav at the moment. Which of them do you > > intend to address with your fixes? Do you mind working together with > > Hugo Lefeuvre on some issues? I could imagine you both could pool your >

Re: wheezy update for libav

Hi, > I'm counting 22 open CVEs for libav at the moment. Which of them do you > intend to address with your fixes? Do you mind working together with > Hugo Lefeuvre on some issues? I could imagine you both could pool your > resources together. (24 if we count the two issues marked no-dsa by the

Re: wheezy update for libav

On 12.09.2016 00:46, Bálint Réczey wrote: > Hi Hugo, > > 2016-09-12 0:18 GMT+02:00 Hugo Lefeuvre : >> Hi, >> >> I'd like to prepare an LTS upload for libav[0]. The upstream patch for >> CVE-2016-7393 is very simple and could be grouped with patches from older >> analogous CVEs

Re: wheezy update for libav

Hi Hugo, 2016-09-12 0:18 GMT+02:00 Hugo Lefeuvre : > Hi, > > I'd like to prepare an LTS upload for libav[0]. The upstream patch for > CVE-2016-7393 is very simple and could be grouped with patches from older > analogous CVEs like CVE-2015-8662 in a broad LTS upload. > > Does

wheezy update for libav

Hi, I'd like to prepare an LTS upload for libav[0]. The upstream patch for CVE-2016-7393 is very simple and could be grouped with patches from older analogous CVEs like CVE-2015-8662 in a broad LTS upload. Does anybody think it's a bad idea ? These CVEs are minor security issues, so we could