On Sat, Feb 20, 2010 at 22:02:51 (CET), Michael Gilbert wrote:

> package: ffmpeg
> version: 0.svn20080206-18
> severity: serious
> tags: security
> hi, i have just tested the latest ffmpeg update against the original
> proof of concepts [0] reported in bug #550442 [1].  many of them are
> still effective.  there is some good news though; i've found that
> upstream has addressed all of the problems in their latest svn version.
> attached are my findings.

Can you please rerun your tests using this branch:

I'm working on getting an 0.5.1 point release released RSN which will
get into squeeze. Fixing these security bugs there is a higher priority
for me than fixing 0.svn20080206-18.

Unfortunately I'm very busy this week and cannot promise to work on that
until next weekend.

> reference [2] may be useful to track down the other needed patches; or
> it may be easier to just upgrade to a new svn (however, the patches
> still need to be determined for stable).

I don't think it's really worth tracking DoS-only fixes. FFmpeg is very
performance tuned, and AFAIUI upstream does consider DoS-only fixes only
on a best effort basis as long as it doesn't impair performance.

Crashers that allow remote code execution however are another issue that
needs to be investigated.

Reinhard Tartler, KeyID 945348A4

pkg-multimedia-maintainers mailing list