media-plugins/gst-plugins-ffmpeg ships a copy of ffmpeg, and builds that statically. Is it generally possible to have it link to a system-provided version? +++ This bug was initially created as a clone of Bug #231831 +++ CVE-2008-3162 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3162): Stack-based buffer overflow in the str_read_packet function in libavformat/psxstr.c in FFmpeg before r13993 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted STR file that interleaves audio and video sectors.
Created attachment 160413 [details, diff] gst-plugins-ffmpeg-0.10.1-r1-CVE-2008-3162.patch
(In reply to comment #0) > media-plugins/gst-plugins-ffmpeg ships a copy of ffmpeg, and builds that > statically. Is it generally possible to have it link to a system-provided > version? That is not supported by upstream.
(In reply to comment #2) > (In reply to comment #0) > > media-plugins/gst-plugins-ffmpeg ships a copy of ffmpeg, and builds that > > statically. Is it generally possible to have it link to a system-provided > > version? > > That is not supported by upstream. In this case we need to rebase their ffmpeg or patch this issue (you can find a patch in comment 1).
Why not just use a more recent version of gst-ffmpeg ? 0.10.6 ships with r15750 0.10.5 ships with r15004 Any version above (and including) 0.10.5 has this issue fixed.
Please CC archteams and fix status whiteboard as needed.. not sure if I got it right. Archteams don't seem to realize they are not handling several bugs..
ppc stable
Sparc stable --- forgot to note it on the bug.
Security: All archteams are done, and old versions have been removed from tree.
GLSA 200903-33