Bug 394809 - <media-video/mplayer-1.1-r1: multiple vulnerabilities in bundled ffmpeg
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on: 392269 394805 ffmpeg-0.10
Reported: 2011-12-15 12:45 UTC by Alexis Ballier
Modified: 2013-10-25 19:17 UTC
Description Alexis Ballier gentoo-dev 2011-12-15 12:45:09 UTC
snapshot is from 20110322 and bundles a ffmpeg copy.

from ffmpeg.org:



July 28, 2011

We have made 2 new point releases that fix several security issues, amongst them MSVR-11-0080.


September 7, 2011

We have made 2 new point releases that fix several security issues, amongst them MSVR-11-0088.

September 22, 2011

We have made 2 new point releases that fix more security issues.

October 2, 2011

We have made 2 new point releases (0.7.6 and 0.8.5) that fix security issues in 
[long list]

November 4, 2011

We have made 2 new point releases (0.7.7 and 0.8.6) that fix around 90 bugs, several of which are security relevant.


November 21, 2011

We have made 2 new point releases (0.7.8 and 0.8.7) that fix many bugs, several of which are security relevant. Amongst them NGS00144, NGS00145 and NGS00148.


(all the ffmpeg sec. bugs we have should be relevant to this mplayer snapshot).

restricting because i've not seen any report about this. feel free to unrestrict.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-12-20 04:25:31 UTC
Thanks, Alexis. I am going to open the bug as I don't believe it is a secret mplayer includes ffmpeg. Please let us know when you're able to add an updated mplayer ebuild that resolves these issues. Tnx.
Comment 2 Alexis Ballier gentoo-dev 2011-12-20 11:42:03 UTC
(In reply to comment #1)
> Thanks, Alexis. I am going to open the bug as I don't believe it is a secret
> mplayer includes ffmpeg. Please let us know when you're able to add an updated
> mplayer ebuild that resolves these issues. Tnx.

1.0_rc4_p20111215 ''fixes'' the issues by using system ffmpeg
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-12-20 14:17:13 UTC
(In reply to comment #2)
> 
> 1.0_rc4_p20111215 ''fixes'' the issues by using system ffmpeg

Thanks, can we move to stabilize this?
Comment 4 Alexis Ballier gentoo-dev 2011-12-20 14:32:13 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > 
> > 1.0_rc4_p20111215 ''fixes'' the issues by using system ffmpeg
> 
> Thanks, can we move to stabilize this?

we can but:
- it is not even keyworded everywhere
- thus it lacks wider testing
- this implies we will stabilise ffmpeg 0.9, which i've nothing against but the api changed; i've tried to fix bugs as i saw them but it really needs a tinderbox run for its stable rev. deps.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-12-20 16:41:09 UTC
Ok, thanks. Depending on bug 392269 and bug 394805 for ffmpeg-0.9 and mplayer-1.0_rc4_p20111215 keywording, respectively.

Diego, would it be possible to have a tinderbox run on =media-video/ffmpeg-0.9? Tnx!
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-12-20 17:21:25 UTC
After talking with Samuli it sounds like a tracker for ffmpeg-0.9 is unavoidable. Opened and depending on 395379.
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-10 23:43:21 UTC
ffmpeg-0.10 has been stable for a while now and mplayer-1.0_rc4_p20111215 is no longer in the tree. Are we good to stabilize a newer ebuild?
Comment 8 Alexis Ballier gentoo-dev 2012-10-16 11:24:01 UTC
(In reply to comment #7)
> ffmpeg-0.10 has been stable for a while now and mplayer-1.0_rc4_p20111215 is
> no longer in the tree. Are we good to stabilize a newer ebuild?

go with mplayer-1.1-r1 i'd say
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-16 22:54:50 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > ffmpeg-0.10 has been stable for a while now and mplayer-1.0_rc4_p20111215 is
> > no longer in the tree. Are we good to stabilize a newer ebuild?
> 
> go with mplayer-1.1-r1 i'd say

Excellent. Arches, please test and mark stable. Also waiting on ppc/ppc64 to keyword (bug 394805).
Comment 10 Agostino Sarubbo gentoo-dev 2012-10-17 11:06:36 UTC
amd64 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2012-10-17 14:01:35 UTC
Stable for HPPA.
Comment 12 Markus Meier gentoo-dev 2012-10-17 19:16:37 UTC
arm stable
Comment 13 Anthony Basile gentoo-dev 2012-10-18 09:41:18 UTC
mplayer-1.1-r1 wasn't keyworded for ~ppc ~ppc64.  I tested and it is fine on those arches.  I've keyworded and since this is a security issue, I will stabilize in a few days.
Comment 14 Andreas Schürch gentoo-dev 2012-10-18 11:59:16 UTC
x86 done.
Comment 15 Anthony Basile gentoo-dev 2012-10-21 19:54:22 UTC
stable ppc ppc64
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2012-11-25 19:05:24 UTC
alpha/ia64/sparc stable
Comment 17 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-26 01:11:57 UTC
Thanks, everyone.

Added bug to existing GLSA draft.
Comment 18 Alexis Ballier gentoo-dev 2013-08-14 21:15:03 UTC
nothing left to do for media-video@
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:17:12 UTC
This issue was resolved and addressed in
 GLSA 201310-13 at http://security.gentoo.org/glsa/glsa-201310-13.xml
by GLSA coordinator Sean Amoss (ackle).