Hi Reinhard,

2015-05-18 12:16 GMT+02:00 Reinhard Tartler <[email protected]>:
...
>>
>> > These days, FFmpeg for
>> > sure asks for most (if not all) CVE numbers recently assigned, and
>> > claims
>> > to provide patches for them.
>>
>> FFmpeg not only claims to provide patches, but actually does provide them:
>> most CVEs link to the corresponding patch.
>
> In many many cases, the descriptions of the patches and the issues are
> sub-standard, in many cases even misleading. In no case that I looked at,
> the issue was immediately reproducible, because all of the referenced
> samples are held back and it is not easy at all to get access to them. And
> even if you do contact people via email and eventually are provided the
> samples, reproducing the issue remains very challenging.
>
> I stopped looking actively at them when I repeatedly came to the conclusion
> that the issue can only be seen when used in the test harness that
> Google uses for testing libavcodec within chrome.

Thank you for sharing this.
This matches my perception as well, and if it is true, the Libav project
should have stopped claiming to be able to provide security support for
Libav a long time ago.
They can blame others for not giving them full info about the issues,
but that does not close the CVEs.
The situation made me remove libav from almost all systems I use.

Thanks,
Balint
