
Re: DSA 992-1 affecting other packages?



Jonas Smedegaard wrote:
> Are you aware that ffmpeg in Debian ships static libraries? If I
> understand correctly, this means other packages building against FFMpeg
> (Xine, GStreamer and VLC come to my mind) actually contain a copy of
> the libavcodec library rather than linking to it dynamically - and must
> then also all of them be rebuilt, pulling in the security-fixed library.

Yes, updates for xine-lib, gst-ffmpeg and vlc are in preparation.

motion and kino link statically against libavcodec as well, but don't
use the vulnerable code.

> The reason for the static linking, I believe, is that FFMpeg upstream
> has recommended to use static linking due to the ABI (or is it API) not
> yet stable. I suspect, however, that this could be dealt with
> differently for Debian (and I suspect this to be against policy, but
> am incapable technically to take up an argument about that).

Indeed, it would be very desirable if that could be fixed for Etch; it's
not unlikely that further libavcodec issues will be found during Etch
lifetime.

Cheers,
        Moritz
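
Added example, not part of the original message: one way to list the source packages that would need a rebuild after a fix to a statically linked library, by scanning a Debian `Sources` index for build-dependencies on its `-dev` package. The stanzas below are constructed sample data (`libfoo-dev` and `libavcodec-dev-doc` are hypothetical names), and a hit is only a rebuild candidate: as the message notes for motion and kino, a package can embed the library without using the vulnerable code.

```python
import re

# Constructed excerpt in Debian Sources index format (not real archive data).
SAMPLE_SOURCES = """\
Package: xine-lib
Build-Depends: debhelper (>= 4), libavcodec-dev (>= 0.cvs),
 libavformat-dev, zlib1g-dev

Package: vlc
Build-Depends: debhelper, libavcodec-dev [!hurd-i386] | libfoo-dev

Package: kino
Build-Depends: debhelper, libavcodec-dev, libgtk2.0-dev

Package: hello
Build-Depends: debhelper, libavcodec-dev-doc
"""

def parse_stanzas(text):
    """Yield each stanza as a dict, joining folded continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                key = key.strip()
                fields[key] = value.strip()
        yield fields

def dep_names(field):
    """Return the bare package names named in a dependency field."""
    names = set()
    for clause in re.split(r"[,|]", field):
        # Drop version constraints "(...)" and architecture lists "[...]".
        bare = re.sub(r"\(.*?\)|\[.*?\]", "", clause).strip()
        if bare:
            names.add(bare)
    return names

def rebuild_candidates(sources_text, dev_package):
    """Source packages whose build-dependencies name dev_package exactly."""
    hits = []
    for st in parse_stanzas(sources_text):
        deps = dep_names(st.get("Build-Depends", ""))
        deps |= dep_names(st.get("Build-Depends-Indep", ""))
        if dev_package in deps:
            hits.append(st["Package"])
    return sorted(hits)
```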


