On Sat, Aug 12, 2017 at 09:37:12PM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> On Sat, Aug 12, 2017 at 01:52:43PM -0400, Ondrej Novy wrote:
> > Hi,
> >
> > we are already using:
> >
> > --size-limit=16384x16384
>
> Yupp, I know that, I added that comment to the tracker. It's not clear
> to me if we need to limit it quite further. The Android approach is to
> limit it to 4k frames. Maybe indeed we should mark it as fixed for that
> version where the size-limit was added (which should be 1.4.0-4). But
> the size-limit to 16384x16384 was back in 2015 added to
> mitigate/workaround CVE-2015-1258. So I suspect we will need to limit
> it further.

I think our build is perfectly fine in stretch. It's probably a bigger
issue for libvpx as used by smart phones, but for a desktop build I
don't think we should modify the current defaults in stable (it might
break existing setups even).

I think we can mark this as unimportant and for buster follow upstream
defaults.

> cc'ing Moritz, who added libvpx to our DSA needed list on that
> purpose.

That was only for oldstable, sorry for the confusion.

Cheers,
Moritz