On Sat, Feb 20, 2010 at 22:02:51 (CET), Michael Gilbert wrote:
> package: ffmpeg
> version: 0.svn20080206-18
> severity: serious
> tags: security
> hi, i have just tested the latest ffmpeg update against the original
> proof of concepts reported in bug #550442. many of them are
> still effective. there is some good news though; i've found that
> upstream has addressed all of the problems in their latest svn version.
> attached are my findings.
can you please rerun your tests using this branch:
I'm working on getting an 0.5.1 point release released RSN which will
get into squeeze. Fixing these security bugs there is a higher priority
for me than fixing 0.svn20080206-18.
Unfortunately I'm very busy this week and cannot promise to work on that
until next weekend.
> reference  may be useful to track down the other needed patches; or
> it may be easier to just upgrade to a new svn (however, the patches
> still need to be determined for stable).
I don't think it's really worth tracking DoS-only fixes. FFmpeg is very
performance tuned, and AFAIUI upstream does consider DoS-only fixes only
on a best effort basis as long as it doesn't impair performance.
Crashers that allow remote code execution however are another issue that
needs to be investigated.
Reinhard Tartler, KeyID 945348A4
pkg-multimedia-maintainers mailing list