
Bug#729203: Packaging for FFmpeg avoiding conflicts with libav



On Wed, Feb 26, 2014 at 04:49:09PM +0100, Moritz Mühlenhoff wrote:
> On Wed, Feb 26, 2014 at 02:30:47AM +0100, Michael Niedermayer wrote:
> > > Yes, it's the latter: I didn't badmouth ffmpeg in any way: it was said that libav 
> > > fixed less Google fuzzer samples than libav; for which I added my observation that when
> > > I looked at several CVE assignments for ffmpeg fixes the affected code
> > > didn't exist in libav releases and that explains the difference in numbers.
> > > That doesn't mean that ffmpeg is worse than libav, it simply means that the
> > > code has diverged and different code is affected.
> > 
> > I believe maybe some things are a bit mixed up here.
> > The "less fixes in libav" stuff was AFAIK a comparison between the
> > libav and ffmpeg git master branches
> 
> I'm referring to issues listed on ffmpeg.org/security for which I checked 
> the applicability to libav as in Debian. One thing I remember was the 
> g2meet codec which wasn't in any libav branch in Debian. 
> 
> Anyway, I don't have time to discuss this in depth.


g2meet was added to libav Mon Jun 3 09:24:55 2013 +0200
commit 2d66a58ccde05e764594bd7e5f0f9244634d0b2c

and to ffmpeg on Mon Jun 3 12:47:26 2013 +0200
commit e5cdf9c03b1ef0913dad117b0e5d343a525f6d10

the added code was identical, except the project name in the header

On the FFmpeg side the 3 security issues from the security page were
fixed in the code in

e07ac72 Michael Niedermayer     2013-09-21 2013-09-22   avcodec/g2meet: Fix framebuf size
821a593 Michael Niedermayer     2013-09-15 2013-09-15   avcodec/g2meet: Fix order of align and pixel size multiplication.
2960576 Michael Niedermayer     2013-08-07 2013-08-07   avcodec/g2meet: fix src pointer checks in kempf_decode_tile()

These were also all backported to the only FFmpeg release that
contained g2meet at that time.

None of these 3 commits is in libav master AFAIK or their latest alpha
or beta.
Are they affected by these bugs? I don't know, I did not investigate.

And as you picked this example,
if you would compare FFmpeg vs. Libav with it:
For FFmpeg none of the latest releases from any release branch are
affected by it; you can safely ship/use any with no work testing or
backporting any security issues.
Also, had Debian taken FFmpeg instead of Libav for Wheezy or any prior
Debian release, it also would not have affected Debian any bit more, as
no FFmpeg release at that time contained the affected code.

Thanks

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you think the mosad wants you dead since a long time then you are either
wrong or dead since a long time.


