Sorry, I'm afraid I maintained too much radio silence..

On 2016-07-23 19:08, Markus Koschany wrote:
> I am contacting you on behalf of the Debian LTS team. Two months ago you
> voiced your interest in helping us to fix open security issues in libav.
> https://security-tracker.debian.org/tracker/source-package/libav
> Can you tell us more about the latest developments? If you have any
> questions regarding Debian LTS work, please send them to the debian-lts
> list and I will try to answer them in a timely manner.

I got sidetracked by other work and by trying to get access to the
Google ClusterFuzz samples[1]. I have access to a bunch of them now,
but not the whole lot and it turns out that I don't necessarily need
them in each and every case to port fixes. So yeah, that was a bit of a
wild goose chase :-/

In any case I have the first set of three patches[2] queued up for
pushing to the 0.8 branch. I've sent them to the libav-devel mailing
list to give other devs a chance to react. I expect nobody to care about
stale branches, however. Thus the ETA for the patches to hit the 0.8
branch is tomorrow evening CET or the next morning at the latest.

I hope and expect to churn out a steady trickle of 1-3 backports per
week going forward while not on vacation now that I have all the pieces
for working with those old branches back in place.

best regards, Diego

[1] Things with names like
"0231a17345734228011c6f35a64e4594/asan_heap-oob_1d92a72_3218_1213809a9e3affec77e4c191fdfdc0a9.mov"
that go along with references to Mateusz "j00ru" Jurczyk and Gynvael Coldwind.

[2] One backport from the Debian package, CVE-2015-1872, CVE-2015-5479.