Re: wheezy update for libav

Hi Diego,

> I looked into backporting the fixes for
> https://lists.debian.org/debian-lts/2016/09/msg00211.html
> that the Mozilla people complained about from the 9 release branch to the
> 0.8 release branch. It's entirely nontrivial since the commits that fix
> the issue constitute a major refactoring. I'm about halfway into the
> process and my intermediate result is failing many tests. It's unclear to
> me at this point if the result is worth the trouble :-/

Well, the issue looks important, and I'd like to see it fixed, but if
you think it is not possible to do it without important risks of
regressions, then we should maybe consider dropping it.

However, I have to say I'm not very well informed about this issue; the
libav bug tracker is just mentioning a potentially exploitable attempt
to free a corrupted pointer. Does this issue have a CVE assigned yet?

> > Let me know if I can speed up the process by preparing patches. If yes, please,
> > mention the issues you are currently working on, so we avoid duplicate work.
> > 
> > [0] https://security-tracker.debian.org/tracker/source-package/libav
> CVE-2016-7424:
> I cannot reproduce the crash with 0.8, so Wheezy should not have a problem.

I'd like to perform some tests before definitively marking libav 0.8 as
unaffected in the tracker; could you quickly explain to me how you attempted
to reproduce it?

The affected code in 11.x is almost the same as in 0.8.

> CVE-2016-8675 / CVE-2016-8676
> I can reproduce the crash with 0.8 and 11 so both Wheezy and Jessie are
> affected.

From what I've seen on the tracker, there are some patches that could
(almost) be directly imported from ffmpeg, involving some testing. I'll
have a look at them.


             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
