Hi,

> I'm counting 22 open CVEs for libav at the moment. Which of them do you
> intend to address with your fixes? Do you mind working together with
> Hugo Lefeuvre on some issues? I could imagine you both could pool your
> resources together.

(24 if we count the two issues marked no-dsa by the security team)

Some CVE triage:

Upstream patch applies directly, or almost:
 CVE-2016-7393
 CVE-2015-6820
 CVE-2015-6823
 CVE-2015-6824
 CVE-2015-6825
 CVE-2015-6826
 CVE-2015-8364
 CVE-2015-8365
 CVE-2015-5479

Upstream patch needs some (heavy) adaptations:
 CVE-2015-6818
 CVE-2015-6821
 CVE-2016-2330
 CVE-2015-1872 

Upstream patch does no apply, or it's unsure that libav is vulnerable in wheezy:
 CVE-2015-6819
 CVE-2015-6822 (vulnerable code not present, seems to appear in changelog since
                  version 11[0].
 CVE-2015-8216
 CVE-2015-8218
 CVE-2015-8219
 CVE-2015-8661
 CVE-2015-8662
 CVE-2015-8663
 CVE-2016-2329
 
No upstream patch for the moment:
 CVE-2016-6920
 CVE-2015-6761

It will be easy to prepare an update for the first category of security
issues. It will be harder for the second category, but it seems to be
feasible.

For third category, I'm not sure it's worth doing an upload; it will be a
lot of work, while the risks are high and most concerned issues aren't critical.

If Diego agrees, I propose two uploads: A first one fixing all easy
issues that are unlikely to bring regressions, and a second one fixing
all issues from the second (third if possible?) category that we can reasonably
fix without risks.

Cheers,
 Hugo

[O] https://libav.org/changelog.html

-- 
             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E

Attachment: signature.asc
Description: PGP signature

Reply via email to