
Re: Security support for libav in Debian Wheezy



Sorry, I'm afraid I maintained too much radio silence...

On 2016-07-23 19:08, Markus Koschany wrote:
> I am contacting you on behalf of the Debian LTS team. Two months ago you
> voiced your interest in helping us to fix open security issues in libav.
>
> https://security-tracker.debian.org/tracker/source-package/libav
>
> Can you tell us more about the latest developments? If you have any
> questions regarding Debian LTS work, please send them to the debian-lts
> list and I will try to answer them in a timely manner.

I got sidetracked by other work and by trying to get access to the Google ClusterFuzz samples[1]. I have access to a bunch of them now, but not the whole lot and it turns out that I don't necessarily need them in each and every case to port fixes. So yeah, that was a bit of a wild goose chase :-/

In any case I have the first set of three patches[2] queued up for pushing to the 0.8 branch. I've sent them to the libav-devel mailing list to give other devs a chance to react. I expect nobody to care about stale branches, however. Thus the ETA for the patches to hit the 0.8 branch is tomorrow evening CET or the next morning at the latest.

I hope and expect to churn out a steady trickle of 1-3 backports per week going forward while not on vacation now that I have all the pieces for working with those old branches back in place.

best regards, Diego

[1] Things with names like "0231a17345734228011c6f35a64e4594/asan_heap-oob_1d92a72_3218_1213809a9e3affec77e4c191fdfdc0a9.mov" that go along with references to Mateusz "j00ru" Jurczyk and Gynvael Coldwind.

[2] One backport from the Debian package, CVE-2015-1872, CVE-2015-5479.

