[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: wheezy update for libav

On Tue, Oct 25, 2016 at 10:38:04AM +0200, Hugo Lefeuvre wrote:
> > > However, more than 15 CVEs are still affecting libav in Debian wheezy.
> > > Would it be feasible to work on a new point release fixing some of
> > > them ?
> > 
> > Yes, I plan to and will after I'm back from a short trip to SF after the
> > 16th.
> New security issues potentially affecting libav 0.8 have been reported since
> the beginning of the month[0].
> Could you briefly summarize us the status of your work on the 0.8 branch ?

I looked into backporting the fixes for


that the Mozilla people complained about from the 9 release branch to the
0.8 release branch. It's entirely nontrivial since the commits that fix
the issue constitute a major refactoring. I'm about halfway into the
process and my intermediate result is failing many tests. It's unclear to
me at this point if the resulat is worth the trouble :-/

> Let me know if I can speed up the process by preparing patches. If yes, please,
> mention the issues you are currently working on, so we avoid duplicate work.
> [0] https://security-tracker.debian.org/tracker/source-package/libav


I cannot reproduce the crash with 0.8, so Wheezy should not have a problem.

CVE-2016-8675 / CVE-2016-8676

I can reproduce the crash with 0.8 and 11 so both Wheezy and Jessie are


Attachment: signature.asc
Description: Digital signature

Reply to: