[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security support for libav in Debian Wheezy

Sorry, I'm afraid I maintained too much radio silence..

On 2016-07-23 19:08, Markus Koschany wrote:
I am contacting you on behalf of the Debian LTS team. Two months ago you
voiced your interest in helping us to fix open security issues in libav.


Can you tell us more about the latest developments? If you have any
questions regarding Debian LTS work, please send them to the debian-lts
list and I will try to answer them in a timely manner.

I got sidetracked by other work and by trying to get access to the Google ClusterFuzz samples[1]. I have access to a bunch of them now, but not the whole lot and it turns out that I don't necessarily need them in each and every case to port fixes. So yeah, that was a bit of a wild goose chase :-/

In any case I have the first set of three patches[2] queued up for pushing to the 0.8 branch. I've sent them to the libav-devel mailing list to give other devs a chance to react. I expect nobody to care about stale branches, however. Thus the ETA for the patches to hit the 0.8 branch is tomorrow evening CET or the next morning at the latest.

I hope and expect to churn out a steady trickle of 1-3 backports per week going forward while not on vacation now that I have all the pieces for working with those old branches back in place.

best regards, Diego

[1] Things with names like "0231a17345734228011c6f35a64e4594/asan_heap-oob_1d92a72_3218_1213809a9e3affec77e4c191fdfdc0a9.mov" that go along references to Mateusz "j00ru" Jurczyk and Gynvael Coldwind.

[2] One backport from the Debian package, CVE-2015-1872, CVE-2015-5479.

Reply to: