Bug 446468 - media-video/avidemux bundles vulnerable ffmpeg-0.9
Summary: media-video/avidemux bundles vulnerable ffmpeg-0.9
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal (1 vote)
Assignee: Gentoo Media-video project
URL:
Whiteboard: B2 [ebuild tomask]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-08 15:07 UTC by Michael Palimaka (kensington)
Modified: 2018-03-01 11:13 UTC
CC: 6 users

See Also:
Package list:
Runtime testing required: ---
Description Michael Palimaka (kensington) gentoo-dev 2012-12-08 15:07:11 UTC
As discovered in bug #444262, media-video/avidemux-2.5.6-r2 bundles ffmpeg-0.9 which has a number of known security issues.

As discussed in the Qt team meeting, we intend to mask but still keep the vulnerable version, so this bug is just for tracking purposes.
Comment 1 Ben de Groot (RETIRED) gentoo-dev 2013-01-20 10:30:30 UTC
Package is now masked:

# Ben de Groot <yngwin@gentoo.org> (20 Jan 2013)
# 2.5* has known security and other issues due to bundled ffmpeg,
# see (bugs #446468 and #444262)
# 2.6* is masked for testing, and may have unknown issues due to bundled ffmpeg
# This package needs a new, dedicated maintainer. We voted for keeping it in
# the tree for now, so users who are willing to accept the known issues can
# still easily install it by unmasking this.
media-video/avidemux
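The mask entry above follows the usual Portage package.mask layout: a run of `#` comment lines explaining the mask, then one or more package atoms, with a blank line ending the entry. Below is an added example (not from this bug, not Gentoo's own tooling) that parses such a file into entries and flags the ones whose comment cites a security reason and a bug number, which is useful when deciding whether a local unmask in /etc/portage/package.unmask is accepting a known-vulnerable package. The second entry in the sample text is constructed; the first is the mask quoted in Comment 1.

```python
"""Parse a Portage package.mask file into (comment, atoms) entries.

Assumptions (this is example code, not Gentoo's parser): comment lines
starting with '#' that immediately precede atom lines explain the mask,
a blank line (or a new comment after atoms) ends an entry, and every
non-comment, non-blank line is a package atom.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: entry 1 is the mask quoted in this bug,
# entry 2 is a hypothetical removal mask with no security note.
SAMPLE_MASK = """\
# Ben de Groot <yngwin@gentoo.org> (20 Jan 2013)
# 2.5* has known security and other issues due to bundled ffmpeg,
# see (bugs #446468 and #444262)
# 2.6* is masked for testing, and may have unknown issues due to bundled ffmpeg
# This package needs a new, dedicated maintainer. We voted for keeping it in
# the tree for now, so users who are willing to accept the known issues can
# still easily install it by unmasking this.
media-video/avidemux

# Example Dev <dev@example.invalid> (01 Jan 2016)
# Masked for removal in 30 days. (constructed entry)
=dev-libs/example-1.0
"""

BUG_RE = re.compile(r"#(\d{4,})")  # bug references such as "#446468"


@dataclass
class MaskEntry:
    comment: str          # the explanatory comment block, '#' stripped
    atoms: list           # package atoms covered by this comment
    bugs: list = field(default_factory=list)   # bug numbers cited in the comment
    security: bool = False                     # comment mentions "security"


def parse_package_mask(text):
    """Return a list of MaskEntry objects in file order."""
    entries = []
    comment_lines, atoms = [], []

    def flush():
        # Emit an entry only if atoms were seen; a bare comment is not a mask.
        if atoms:
            comment = "\n".join(comment_lines)
            entries.append(MaskEntry(comment=comment, atoms=list(atoms),
                                     bugs=BUG_RE.findall(comment),
                                     security="security" in comment.lower()))
        comment_lines.clear()
        atoms.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            flush()                      # blank line ends the entry
        elif line.startswith("#"):
            if atoms:                    # comment after atoms: new entry begins
                flush()
            comment_lines.append(line.lstrip("#").strip())
        else:
            atoms.append(line)
    flush()                              # file may not end with a blank line
    return entries


def security_masks(text):
    """Entries whose mask comment gives a security reason."""
    return [e for e in parse_package_mask(text) if e.security]


if __name__ == "__main__":
    import sys
    # Pass a path to a real package.mask to scan it; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MASK
    for e in security_masks(text):
        print(", ".join(e.atoms), "- bugs:", ", ".join(e.bugs) or "-")
```

The "security" flag is a keyword heuristic over the maintainer's comment, so it serves triage (which masks deserve a look before unmasking) rather than as an authoritative vulnerability list; the cited bug numbers are what to follow up on.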
Comment 2 Peter Weilbacher 2013-02-06 11:20:56 UTC
The problem seems to be that ffmpeg was bundled with avidemux because it was patched for avidemux (apparently to get frame accuracy for cutting). And in the 2.5 series FFmpeg was patched much more heavily (but for me resulted in much better handling of the videos, that's why I'm still sticking to that old version).

However, for avidemux-2.6 the Debian guys seem to have a patch that unbundles ffmpeg and uses the system library, see <http://anonscm.debian.org/gitweb/?p=pkg-multimedia/avidemux.git;a=blob;f=debian/patches/system-libav.patch;h=066c8ed832acc50ecc61a487ccbf00a4db4c8b0a;hb=HEAD>. There's more discussion at <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203211>.
Comment 3 Davide Pesavento (RETIRED) gentoo-dev 2013-12-26 02:28:56 UTC
Nothing to do for qt here.
Comment 4 Pacho Ramos gentoo-dev 2016-02-26 11:16:10 UTC
Is there any reason for keeping the old 2.5.x series in the tree and not dropping it completely?
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-05-05 19:49:20 UTC
commit 974cf73f140789a1ca0537b5ed8185bb612ce3f5
Author: Michał Górny <mgorny@gentoo.org>
Date:   Thu May 5 21:44:25 2016

    package.mask: Remove stale mask for media-video/avidemux

commit 8bede8f34e19c76fbfdc0e56558d9f706cffb36b
Author: Michał Górny <mgorny@gentoo.org>
Date:   Thu May 5 21:43:30 2016

    media-video/avidemux, media-libs/avidemux*: remove old versions
Comment 6 Andreas Sturmlechner gentoo-dev 2017-11-12 14:46:20 UTC
So... this can be closed?