Re: Libavcodec being blacklisted with Firefox
- To: email@example.com
- Cc: Jean-Yves Avenard <firstname.lastname@example.org>, James Cowgill <email@example.com>, Mike Hommey <firstname.lastname@example.org>, Gerald Squelart <email@example.com>, firstname.lastname@example.org, security-group Mozilla <email@example.com>, Anthony Jones <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, Debian LTS <email@example.com>
- Subject: Re: Libavcodec being blacklisted with Firefox
- From: Jean-Yves Avenard <firstname.lastname@example.org>
- Date: Wed, 28 Sep 2016 20:29:22 +1000
- Message-id: <[🔎] CA+phgpFcPP22CxHG4_TKPvoz2X_uTzptQNvvj2mOs1R56MtNDQ@mail.gmail.com>
- In-reply-to: <[🔎] CAK0Odpzjm4vzA50mCpsULhC08igGD_feChE7a182Jh2KqCgWDQ@mail.gmail.com>
- References: <C8BC3AEA-5AE9-4D10-9877-DCB7BE1BCF0C@mozilla.com> <email@example.com> <CA+phgpFb-aYehc0qmiY7C+SSEwUvJdKUgL3ETcgD-LWYDeHNcw@mail.gmail.com> <[🔎] CAK0Odpzjm4vzA50mCpsULhC08igGD_feChE7a182Jh2KqCgWDQ@mail.gmail.com>
On Wed, Sep 28, 2016 at 8:12 PM, Bálint Réczey <firstname.lastname@example.org> wrote:
> Hi Jean-Yves Avenard,
> Please do so. Many minor issues get CVE id and it would be surprising
> if one with such big consequences would be left without an id.
The issue was raised at https://bugzilla.libav.org/show_bug.cgi?id=939
The issue was first raised on April 10th.
It was closed as UPSTREAM on April 11th with
"If enough people are willing to work on stale branches it is fine,
but seems that nobody is really using anything but release/11 and my
list on tasks regarding release/12 is still quite big to devote my
spare time on this
As stated on IRC, given the amount or no-cooperation, no-contribution
and demands with Debian there is really not much priority to debug
again a bug solved in the generally supported branches."
The advice I've been getting is that it's should be up to LibAV to
assign the CVE. The issue is on their end, and so is the fix.
If we don't get anywhere from that angle, I guess we could initiate it
on our end.
> Which commit fixed the issue?
the 7 commits with a date of July 27th 2016 showing up there:
> >> > We have submitted fixes for libavcodec 54 to the LibAV team which have
> >> > been accepted. They have also agreed to bump the micro version making the
> >> > first version with no vulnerability version 54.35.1
> >> > https://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/9
> >> >
> >> > libavcodec 53 is also impacted, however we have no solution for this.
> >> This is a problem as Debian does not ship libavcodec 54. The versions
> >> from version.h we currently have are:
> >> Wheezy: libavcodec 53.35.0
> >> Jessie: libavcodec 56.1.0 (not affected)
> >> Stretch: libavcodec 57.48.101 (not affected, from ffmpeg)
> >> > As a result, we have blacklisted libavcodec with a version earlier than
> >> > 54.35.1.
> >> We can't upgrade libavcodec 53 in Wheezy to libavcodec 54 because that
> >> would break everything (ABI bump). Hypothetically, would it be possible
> >> to allow a version like "53.35.1" which also fixes the vulnerability?
> >> This would require some coordination with upstream.
> Wheezy is handled by the LTS team (CC-d) and we are working with Diego
> from Libav:
> I guess bumping the version would be OK.
Blacklisting 54 and 53 separately would be fine... So long there's a
fix for 53 of course.
> Libav is supported in Wheezy LTS and we plan fixing this vulnerability if
> we get the details.
the details are in the LibAV bug.
You can contact me directly if you need additional information on how
to exhibit the problem.