Hi Diego,
> > Thanks for your work. I'll have a look at it and upload tomorrow.
>
> Nice.
Uploaded.
> > Concerning the old CVEs (CVE-2015-6820, etc.), we could maybe ask the
> > ffmpeg project for the reproducers ? Not sure they will still have them,
> > but it doesn't hurt to try.
>
> I'll tr
On Mon, Jan 16, 2017 at 10:30:27PM +0100, Hugo Lefeuvre wrote:
> > I just released libav 0.8.20 with some more fixes, changelog below.
> >
> > Diego
> >
> > version 0.8.20:
> >
> > - mpegvideo: Fix undefined negative shifts in mpeg_motion_internal (Bug-Id:
> > 980, CVE-2016-9820)
> > - mpegvide
Hi Diego,
> I just released libav 0.8.20 with some more fixes, changelog below.
>
> Diego
>
> version 0.8.20:
>
> - mpegvideo: Fix undefined negative shifts in mpeg_motion_internal (Bug-Id:
> 980, CVE-2016-9820)
> - mpegvideo: Fix undefined negative shifts in ff_init_block_index (Bug-Id:
> 98
On Fri, Jan 06, 2017 at 11:32:49AM +0100, Hugo Lefeuvre wrote:
>
> Could you summarize us the status of your work on the 0.8 branch ?
>
> I've had a look at the new CVEs reported for libav. I managed to
> reproduce CVE-2016-98{21,22} (avconv crashes with segfault), but
> cherry picking the fix[0,
On Wed, Jan 11, 2017 at 09:14:52PM +0100, Hugo Lefeuvre wrote:
> > > I've had a look at the new CVEs reported for libav. I managed to
> > > reproduce CVE-2016-98{21,22} (avconv crashes with segfault), but
> > > cherry picking the fix[0,1,2] for these issues doesn't seem to fix
> > > the problem.
>
Hi Diego,
I've prepared the update, it should be uploaded soon.
> > I've had a look at the new CVEs reported for libav. I managed to
> > reproduce CVE-2016-98{21,22} (avconv crashes with segfault), but
> > cherry picking the fix[0,1,2] for these issues doesn't seem to fix
> > the problem.
>
> It
On Fri, Jan 06, 2017 at 11:32:49AM +0100, Hugo Lefeuvre wrote:
> I've had a look at the new CVEs reported for libav. I managed to
> reproduce CVE-2016-98{21,22} (avconv crashes with segfault), but
> cherry picking the fix[0,1,2] for these issues doesn't seem to fix
> the problem.
It would help me
On Fri, Jan 06, 2017 at 11:32:49AM +0100, Hugo Lefeuvre wrote:
>
> I've had a look at the new CVEs reported for libav. I managed to
> reproduce CVE-2016-98{21,22} (avconv crashes with segfault), but
> cherry picking the fix[0,1,2] for these issues doesn't seem to fix
> the problem.
You were missi
On Fri, Jan 06, 2017 at 11:32:49AM +0100, Hugo Lefeuvre wrote:
>
> Could you summarize us the status of your work on the 0.8 branch ?
I'm in the process of releasing 0.8.19 this morning. Once the automated
tests finish and the build bot prepares the tarballs, I'll put out the
release.
> I've had
Hi Diego,
Could you summarize us the status of your work on the 0.8 branch ?
I've had a look at the new CVEs reported for libav. I managed to
reproduce CVE-2016-98{21,22} (avconv crashes with segfault), but
cherry picking the fix[0,1,2] for these issues doesn't seem to fix
the problem.
I'll try
On Fri, Dec 09, 2016 at 06:20:07PM +0100, Hugo Lefeuvre wrote:
> > In the meantime I have had an epiphany and found a simpler fix for the
> > issue after staring at the code during the refactoring backport. I'll
> > do some final tests and push it tomorrow.
This is pushed and available on the 0.8
Hi Diego,
> In the meantime I have had an epiphany and found a simpler fix for the
> issue after staring at the code during the refactoring backport. I'll
> do some final tests and push it tomorrow.
>
> (...)
>
> The reporter claims that it's specific to one clang version (3.8.1).
> I have install
On Thu, Nov 03, 2016 at 10:29:59AM +0100, Hugo Lefeuvre wrote:
> > I looked into backporting the fixes for
> >
> > https://lists.debian.org/debian-lts/2016/09/msg00211.html
> >
> > that the Mozilla people complained about from the 9 release branch to the
> > 0.8 release branch. It's entirely nont
Hi Diego,
> I looked into backporting the fixes for
>
> https://lists.debian.org/debian-lts/2016/09/msg00211.html
>
> that the Mozilla people complained about from the 9 release branch to the
> 0.8 release branch. It's entirely nontrivial since the commits that fix
> the issue constitute a major
On Tue, Oct 25, 2016 at 10:38:04AM +0200, Hugo Lefeuvre wrote:
> > > However, more than 15 CVEs are still affecting libav in Debian wheezy.
> > > Would it be feasible to work on a new point release fixing some of
> > > them ?
> >
> > Yes, I plan to and will after I'm back from a short trip to SF a
Hi Diego,
> > However, more than 15 CVEs are still affecting libav in Debian wheezy.
> > Would it be feasible to work on a new point release fixing some of
> > them ?
>
> Yes, I plan to and will after I'm back from a short trip to SF after the
> 16th.
New security issues potentially affecting li
Hi Diego,
> Nice, let me know when it's available.
Uploaded last week.
> > However, more than 15 CVEs are still affecting libav in Debian wheezy.
> > Would it be feasible to work on a new point release fixing some of
> > them ?
>
> Yes, I plan to and will after I'm back from a short trip to SF
On Mon, Oct 03, 2016 at 06:05:51PM +0200, Hugo Lefeuvre wrote:
> > No, I haven't, I just pushed a set to the 9 branch that fixed the
> > problem. I tried the first patch in the series, it's very far from
> > applying cleanly, so backporting the work looks like annoying and
> > tedious work. I can a
Hi Diego,
> No, I haven't, I just pushed a set to the 9 branch that fixed the
> problem. I tried the first patch in the series, it's very far from
> applying cleanly, so backporting the work looks like annoying and
> tedious work. I can add it to the ToDo list, but I cannot guarantee
> success bef
On Fri, Sep 30, 2016 at 10:25:31AM +0200, Hugo Lefeuvre wrote:
> Hi Diego,
>
> > I just did the 0.8.18 release (not announced on the website yet). You
> > can grab tarballs etc. from
> >
> > https://www.libav.org/releases/
> >
> > Compared to the previous release from the 0.8 branch, this contain
Hi Diego,
> I just did the 0.8.18 release (not announced on the website yet). You
> can grab tarballs etc. from
>
> https://www.libav.org/releases/
>
> Compared to the previous release from the 0.8 branch, this contains some
> bug fixes and I integrated some local patches from your Debian package
On Tue, Sep 27, 2016 at 07:13:14PM +0200, Hugo Lefeuvre wrote:
>
> Could you summarize us the status of your work on the 0.8.x branch ?
>
> I'd like to know if it's still possible to have a point release before
> the end of the month.
I just did the 0.8.18 release (not announced on the website y
Hi Diego,
Could you summarize us the status of your work on the 0.8.x branch ?
I'd like to know if it's still possible to have a point release before
the end of the month.
Thanks !
Regards,
Hugo
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC
> If you look at the type of changes that go into libav release branches,
> it is mostly leaf code, almost never changes to the core itself. Thus,
> if there was a regression, there would only be 1-2 relevant changes and
> very little source code change to investigate.
OK, I'll wait for your relea
On Wed, Sep 14, 2016 at 12:09:05PM +0200, Hugo Lefeuvre wrote:
> > This is not how libav security updates are handled in Debian; we've
> > always shipped the 0.8.x and 11.x bugfix releases in -security.
>
> So, should we wait for the new upstream release to make a Debian LTS/Security
> upload ?
>
Hi,
> This is not how libav security updates are handled in Debian; we've
> always shipped the 0.8.x and 11.x bugfix releases in -security.
So, should we wait for the new upstream release to make a Debian LTS/Security
upload ?
IMHO, directly packaging the new upstream release is a good idea but
On 13.09.2016 21:01, Diego Biurrun wrote:
> On Tue, Sep 13, 2016 at 05:47:12PM +0200, Markus Koschany wrote:
[...]
> I think there is a misunderstanding here, so let me explain:
>
> 1) I've been using Debian for 15+ years now and I understand the policy
> for package updates that go into stable: o
On Tue, Sep 13, 2016 at 05:47:12PM +0200, Markus Koschany wrote:
> On 13.09.2016 16:48, Diego Biurrun wrote:
> > On Tue, Sep 13, 2016 at 03:14:41PM +0200, Markus Koschany wrote:
> [...]
> >> In short we need:
> >>
> >> a) the single patches rebased against the current version in Wheezy or a
> >> Gi
On 13.09.2016 19:16, Moritz Muehlenhoff wrote:
> Markus Koschany wrote:
>> Just to be clear a new upstream libav doesn't need to coincide with a
>> Debian security update. It wouldn't do any harm though. Important is
>> that we only fix security related issues and leave possible features out
>> tha
Markus Koschany wrote:
> Just to be clear a new upstream libav doesn't need to coincide with a
> Debian security update. It wouldn't do any harm though. Important is
> that we only fix security related issues and leave possible features out
> that are not strictly needed to fix the CVEs.
This is n
On 13.09.2016 16:48, Diego Biurrun wrote:
> On Tue, Sep 13, 2016 at 03:14:41PM +0200, Markus Koschany wrote:
[...]
>> In short we need:
>>
>> a) the single patches rebased against the current version in Wheezy or a
>> Git repository for the same purpose
>
> https://git.libav.org/?p=libav.git;a=sho
Hi Diego,
> What's the problem with cooperating through the upstream repository?
No problem for me as long as I can easily determine which commit fixes
which CVE.
I'll start preparing an LTS upload integrating your first patches.
Cheers,
Hugo
--
Hugo Lefeuvre (hle)|www.o
On Tue, Sep 13, 2016 at 03:14:41PM +0200, Markus Koschany wrote:
> On 13.09.2016 15:00, Diego Biurrun wrote:
> > On Mon, Sep 12, 2016 at 12:52:32PM +0200, Hugo Lefeuvre wrote:
> >>> I'm counting 22 open CVEs for libav at the moment. Which of them do you
> >>> intend to address with your fixes? Do y
On 13.09.2016 15:00, Diego Biurrun wrote:
> On Mon, Sep 12, 2016 at 12:52:32PM +0200, Hugo Lefeuvre wrote:
>>> I'm counting 22 open CVEs for libav at the moment. Which of them do you
>>> intend to address with your fixes? Do you mind working together with
>>> Hugo Lefeuvre on some issues? I could i
On Mon, Sep 12, 2016 at 12:52:32PM +0200, Hugo Lefeuvre wrote:
> > I'm counting 22 open CVEs for libav at the moment. Which of them do you
> > intend to address with your fixes? Do you mind working together with
> > Hugo Lefeuvre on some issues? I could imagine you both could pool your
> > resource
Hopefully I collected all the right CCs, if just Debian LTS is enough
please tell me, sorry for duplicate emails..
On Mon, Sep 12, 2016 at 10:22:29AM +0200, Markus Koschany wrote:
> On 12.09.2016 00:46, Bálint Réczey wrote:
> > 2016-09-12 0:18 GMT+02:00 Hugo Lefeuvre :
> >> I'd like to prepare an
Hi Moritz,
> All of the issues marked don't have upstream fixes in the
> sense that libav fixed them, only fixes in ffmpeg git.
>
> If you want to address them in oldstable/stable, you should get the libav
> developers
> to merge them first.
Thanks for the advice. Indeed, it would be better
On Mon, Sep 12, 2016 at 12:52:32PM +0200, Hugo Lefeuvre wrote:
> Hi,
>
> > I'm counting 22 open CVEs for libav at the moment. Which of them do you
> > intend to address with your fixes? Do you mind working together with
> > Hugo Lefeuvre on some issues? I could imagine you both could pool your
> >
Hi,
> I'm counting 22 open CVEs for libav at the moment. Which of them do you
> intend to address with your fixes? Do you mind working together with
> Hugo Lefeuvre on some issues? I could imagine you both could pool your
> resources together.
(24 if we count the two issues marked no-dsa by the s
On 12.09.2016 00:46, Bálint Réczey wrote:
> Hi Hugo,
>
> 2016-09-12 0:18 GMT+02:00 Hugo Lefeuvre :
>> Hi,
>>
>> I'd like to prepare an LTS upload for libav[0]. The upstream patch for
>> CVE-2016-7393 is very simple and could be grouped with patches from older
>> analogous CVEs like CVE-2015-8662 i
Hi Hugo,
2016-09-12 0:18 GMT+02:00 Hugo Lefeuvre :
> Hi,
>
> I'd like to prepare an LTS upload for libav[0]. The upstream patch for
> CVE-2016-7393 is very simple and could be grouped with patches from older
> analogous CVEs like CVE-2015-8662 in a broad LTS upload.
>
> Does anybody think it's a b
Hi,
I'd like to prepare an LTS upload for libav[0]. The upstream patch for
CVE-2016-7393 is very simple and could be grouped with patches from older
analogous CVEs like CVE-2015-8662 in a broad LTS upload.
Does anybody think it's a bad idea ? These CVEs are minor security
issues, so we could also
42 matches
Mail list logo
