Bug#770918: Two CVEs against FLAC
Am Mittwoch, den 26.11.2014, 19:58 -0800 schrieb Erik de Castro Lopo: One more patch to cherry pick: Thank you very much! I hope to be able to prepare updated packages by next week. - Fabian ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Bug#711007: audacity: plays back at high speed and then hangs
Package: audacity
Version: 2.0.6-2
Followup-For: Bug #711007

Dear Maintainer,

When audacity plays a sound file, it plays at 4 or 5 times normal speed, sounding garbled, and then hangs. It has to be killed manually with system monitor.

If audacity is launched from a terminal, and the sound played, the line:

ALSA lib pcm.c:7843:(snd_pcm_recover) underrun occurred

occurs repeatedly until the program is killed.

If audacity is launched from a terminal using the command:

env PULSE_LATENCY_MSEC=30 audacity

then audacity seems to do everything it's supposed to do.

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages audacity depends on:
ii audacity-data 2.0.6-2
ii libasound2 1.0.28-1
ii libavcodec56 6:11-2
ii libavformat56 6:11-2
ii libavutil54 6:11-2
ii libc6 2.19-13
ii libexpat1 2.1.0-6+b3
ii libflac++6 1.3.0-2+b1
ii libflac8 1.3.0-2+b1
ii libgcc1 1:4.9.1-19
ii libglib2.0-0 2.42.0-2
ii libid3tag0 0.15.1b-11
ii libmad0 0.15.1b-8
ii libmp3lame0 3.99.5+repack1-5
ii libogg0 1.3.2-1
ii libportaudio2 19+svn20140130-1
ii libportsmf0 0.1~svn20101010-4
ii libsbsms10 2.0.2-1
ii libsndfile1 1.0.25-9+b1
ii libsoundtouch0 1.8.0-1
ii libsoxr0 0.1.1-1
ii libstdc++6 4.9.1-19
ii libtwolame0 0.3.13-1.1
ii libvamp-hostsdk3 2.5+repack0-2
ii libvorbis0a 1.3.4-2
ii libvorbisenc2 1.3.4-2
ii libvorbisfile3 1.3.4-2
ii libwxbase3.0-0 3.0.2-1+b1
ii libwxgtk3.0-0 3.0.2-1+b1

audacity recommends no packages.

Versions of packages audacity suggests:
pn ladspa-plugin none

-- no debconf information
Processed: libav/tests/lena.pnm: also not mentioned in debian/copyright
Processing control commands: tags -1 + wheezy-ignore Bug #771126 [src:libav] libav: contains non-DFSG image file tests/lena.pnm Added tag(s) wheezy-ignore. retitle -1 libav/lena.pnm: non-DFSG free + not mentioned in copyright Bug #771126 [src:libav] libav: contains non-DFSG image file tests/lena.pnm Changed Bug title to 'libav/lena.pnm: non-DFSG free + not mentioned in copyright' from 'libav: contains non-DFSG image file tests/lena.pnm' -- 771126: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771126 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#771126: libav/tests/lena.pnm: also not mentioned in debian/copyright
control: tags -1 + wheezy-ignore
control: retitle -1 libav/lena.pnm: non-DFSG free + not mentioned in copyright

first of all, the file in question is libav-11/tests/lena.pnm second, as referred in the mail referred to by the original bugreport, please read https://en.wikipedia.org/wiki/File:Lenna.png#Licensing According to that and also to https://en.wikipedia.org/wiki/Wikipedia:Files_for_deletion/2011_November_4#File:Lenna.png it seems to me that this file is distributable under fair use policy, especially since it's a low-res thumbnail as well. (the wikipedia low-res image is 512x512, the image in libav is 256x245). Yet while it's distributable, it's also clearly not DFSG free and btw it's also not mentioned in debian/copyright at all. So for sid+jessie I recommend to drop this file. Also not least because Suggestive pictures used in lectures on image processing ... convey the message that the lecturer caters to the males only. For example, it is amazing that the Lena pin-up image is still used as an example in courses and published as a test image in journals today. as explained in https://en.wikipedia.org/wiki/Lenna (btw, regarding usage in test cases: I have to admit I don't understand how/if usage of this file as a test case is relevant in the Debian context. Explanations welcome...)
Bug#765969: Bug#771133: xserver-xorg-video-intel: colored line on right side / bottom of video
On Thu, Nov 27, 2014 at 02:03:14AM +0100, Dirk Griesbach wrote:

With vlc 2.2.x I'm getting a color distorted pixel row at the bottom and/or a column at the right side of a video if using hardware accelerated overlay xvideo output. This was reported as #765969 [1] against vlc but for now is considered a driver bug:

,[ Rémi Denis-Courmont ]-
| troubleshooting it on an affected system and so far it does seem like a
| driver bug: the driver is blending the last line of visible pixels with
| the first line of pixels outside the visible area. All zeroes
| corresponds to dark green in YUV colours space.
`

So here I am. This happens in fullscreen and windowed mode and the color pattern of the line is changing if, e.g. I move a second window around. Test case: Big Buck Bunny[2] is a nice example: I tried the video in 854x480 and both mp4 and ogg give me a color-distorted column at the right side. If I try the 1920x1080-version the bottom row is affected. Screenshots from the other bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=50;filename=bottom.png;att=1;bug=765969 https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=50;filename=rightside.png;att=2;bug=765969 On another occasion I saw two rows affected where the bottom row is a more solid color and the row above it is only slightly tainted with the actual content shining through.

xf86-video-intel upstream says:

it's a bug in vlc. they are supplying an image larger than the surface they wish to scale and then complain when the extra pixels are sampled during scaling. the issue is that they are not initialising those extra pixels correctly - it should be padded. -ickle

Hence keep bugging vlc guys, will close xorg driver bug report.

best,
-- maks
Bug#771126: libav/tests/lena.pnm: also not mentioned in debian/copyright
Quoting Holger Levsen (2014-11-27 11:25:05) control: tags -1 + wheezy-ignore Are you part of the release team? first of all, the file in question is libav-11/tests/lena.pnm No, path (inside the source) is tests/lena.pnm. second, as referred in the mail referred to by the original bugreport, please read https://en.wikipedia.org/wiki/File:Lenna.png#Licensing Why read it again (sure you do not imply that I didn't read already)? [irrelevant details snipped] Yet while it's distributable, it's also clearly not DFSG free So your conclusion is same as mine. Why did you retitle? What was the purpose of your mail? Seems the only actual sensible action was ignoring for the next release. Please elaborate on your reasoning for that. - Jonas -- * Jonas Smedegaard - idealist Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#771126: libav/tests/lena.pnm: also not mentioned in debian/copyright
Quoting Jonas Smedegaard (2014-11-27 12:15:13) Quoting Holger Levsen (2014-11-27 11:25:05) control: tags -1 + wheezy-ignore [...] Why did you retitle? What was the purpose of your mail? Seems the only actual sensible action was ignoring for the next release. Please elaborate on your reasoning for that. Correction: current stable release. Questions still stand: Why? - Jonas -- * Jonas Smedegaard - idealist Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#771179: Please support mpv
Package: ogmrip Severity: wishlist Tags: upstream Hi, This is just a cross reference to keep track of the progress of the development of this feature. Seems upstream is working on it. Cheers. -- System Information: Debian Release: 7.7 APT prefers stable-updates APT policy: (990, 'stable-updates'), (990, 'stable'), (500, 'oldstable-updates'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (50, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/12 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
Bug#771126: libav/tests/lena.pnm: also not mentioned in debian/copyright
On Donnerstag, 27. November 2014, Jonas Smedegaard wrote: control: tags -1 + wheezy-ignore Are you part of the release team? No, but the release team is explicitly happy with *me* tagging stuff wheezy-ignore following guidelines discussed on debian-release. the conclusion there has been: (in stable) distributable stuff which is non-free or wrongly mentioned in debian/copyrights are serious bugs - but serious bugs which *can* be ignored. (and yeah, usually I cc: debian-release@l.d.o explicitly on such taggings, because it's the proper thing to do. as I also know that most if not all of the release team are subscribed to all RC bugs anyway, I sometimes forget this...) first of all, the file in question is libav-11/tests/lena.pnm No, path (inside the source) is tests/lena.pnm. you're so right, amazing! Questions still stand: Why? to save people from useless^w work.
Processed: bug 771179 is forwarded to https://sourceforge.net/p/ogmrip/feature-requests/56/
Processing commands for cont...@bugs.debian.org: forwarded 771179 https://sourceforge.net/p/ogmrip/feature-requests/56/ Bug #771179 [ogmrip] Please support mpv Set Bug forwarded-to-address to 'https://sourceforge.net/p/ogmrip/feature-requests/56/'. thanks Stopping processing here. Please contact me if you need assistance. -- 771179: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771179 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#771187: primesense-nite-nonfree: Package broken because openni.org is gone
Package: primesense-nite-nonfree Severity: important Hi, primesense-nite-nonfree is trying to download the Nite binaries from openni.org, which is no longer available [1]. This makes this package unusable. I've found copies of the .tar.bz2 here: http://www.mira-project.org/downloads/3rdparty/bin-linux/, but I can't verify that they are correct. Still it would be great to have Nite in Debian. Cheers Jochen [1] http://lists.ros.org/lurker/message/20140226.220235.dd108524.en.html
Bug#771189: primesense-nite-nonfree: Nite needs license key file
Package: primesense-nite-nonfree Severity: important Hi, till now Openni serves a /var/lib/ni/licenses.xml with a Nite license¹. Given that this is only needed for Nite and we got asked in #771053 why it's included, I would propose to move the license (or rather the niReg call) into primesense-nite-nonfree. Also, I would like to do this rather soon, to get a new Openni package into testing. Depending on #771187, I would propose to either simply drop the licenses.xml or wait for a new nite package version with conflicts to the openni package. Cheers Jochen ¹: As said in #771187, the openni.org website is no longer available, you can still find the license key here: http://web.archive.org/web/20110930162520/http://www.openni.org/downloadfiles/opennimodules/12-openni-compliant-middleware-binaries
Bug#770930: mpv memory leak
Control: affects -1 mpv Control: tags -1 fixed-upstream On mar, nov 25, 2014 at 11:12:17 +0100, Moritz Fiedler wrote: Package: mpv Version: 0.6.2-2 Severity: important Hello, when you use mpv with bigger files it happens that mpv consumes all RAM and swap and the system gets unusable. The mpv team investigated the issue: https://github.com/mpv-player/mpv/issues/1204 It looks like there is a problem with libav. But there is a patch. The patch has now been merged in libav upstream [0]. Cheers [0] http://git.libav.org/?p=libav.git;a=commit;h=fbd6c97f9ca858140df16dd07200ea0d4bdc1a83
Processed: Re: Bug#770930: mpv memory leak
Processing control commands: affects -1 mpv Bug #770930 [libavutil54] libavutil54: lavu memory leak Added indication that 770930 affects mpv tags -1 fixed-upstream Bug #770930 [libavutil54] libavutil54: lavu memory leak Added tag(s) fixed-upstream. -- 770930: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770930 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Re: handbrake_0.10.0+dfsg1-1_amd64.changes ACCEPTED into experimental
Am Mittwoch, den 26.11.2014, 15:19 + schrieb Debian FTP Masters: handbrake (0.10.0+dfsg1-1) experimental; urgency=medium . * New upstream release. Cool, thank you, Sebastian! I was just going to start on this myself. :) - Fabian
Processing of flac_1.3.0-3_amd64.changes
flac_1.3.0-3_amd64.changes uploaded successfully to localhost along with the files: flac_1.3.0-3.dsc flac_1.3.0-3.debian.tar.xz flac_1.3.0-3_amd64.deb libflac8_1.3.0-3_amd64.deb libflac-doc_1.3.0-3_all.deb libflac-dev_1.3.0-3_amd64.deb libflac++6_1.3.0-3_amd64.deb libflac++-dev_1.3.0-3_amd64.deb Greetings, Your Debian queue daemon (running on host franck.debian.org)
flac_1.3.0-3_amd64.changes ACCEPTED into unstable
Accepted: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Thu, 27 Nov 2014 16:52:51 +0100 Source: flac Binary: flac libflac8 libflac-doc libflac-dev libflac++6 libflac++-dev Architecture: source amd64 all Version: 1.3.0-3 Distribution: unstable Urgency: high Maintainer: Debian Multimedia Maintainers pkg-multimedia-maintainers@lists.alioth.debian.org Changed-By: Fabian Greffrath fabian+deb...@greffrath.com Description: flac - Free Lossless Audio Codec - command line tools libflac++-dev - Free Lossless Audio Codec - C++ development library libflac++6 - Free Lossless Audio Codec - C++ runtime library libflac-dev - Free Lossless Audio Codec - C development library libflac-doc - Free Lossless Audio Codec - library documentation libflac8 - Free Lossless Audio Codec - runtime C library Closes: 770918 Changes: flac (1.3.0-3) unstable; urgency=high . * Fixes for CVE-2014-8962 and CVE-2014-9028: + Backport three patches from upstream GIT repository: - CVE-2014-8962.patch: Fix a buffer read overflow. - CVE-2014-9028.patch: Avoid a heap overflow. - CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to the former fix, but strictly speaking not the same vulnerability. + Closes: #770918. + Thanks Erik de Castro Lopo for the bug report and the upstream fixes! 
Thank you for your contribution to Debian.
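The Accepted mail above reproduces the signed .changes file for the upload. As an added example (not part of the original mail and not Debian's archive software), this sketch shows how the `Checksums-Sha256` field of such a file can be checked against the uploaded files. It assumes the OpenPGP signature on the .changes file has already been verified, since the checksums are only as trustworthy as the file that lists them; the package names and file contents are constructed.

```python
import hashlib
import os
import tempfile


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hex_digest, size)} for one multi-line field."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            # Continuation lines start with whitespace; anything else ends the field.
            if not line[:1].isspace():
                break
            parts = line.split()
            if len(parts) != 3:
                raise ValueError("malformed checksum line: %r" % line)
            digest, size, name = parts
            # Reject path components so an entry cannot point outside the upload dir.
            if os.path.basename(name) != name or name in (".", ".."):
                raise ValueError("unsafe file name: %r" % name)
            entries[name] = (digest.lower(), int(size))
    return entries


def verify_upload(changes_text, directory):
    """Return {filename: status} with status 'ok', 'missing',
    'size mismatch' or 'hash mismatch'."""
    results = {}
    for name, (digest, size) in parse_checksums(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        # Cheap check first: a wrong size needs no hashing.
        if os.path.getsize(path) != size:
            results[name] = "size mismatch"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == digest else "hash mismatch"
    return results


def demo():
    """Build a constructed upload, verify it, then tamper with one file."""
    files = {
        "example_1.0-1.dsc": b"constructed dsc contents\n",
        "example_1.0-1_amd64.deb": b"constructed deb payload\n",
    }
    with tempfile.TemporaryDirectory() as d:
        lines = ["Format: 1.8", "Source: example", "Checksums-Sha256:"]
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
            lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
        lines.append("Files:")  # next field, ends the checksum block
        changes = "\n".join(lines) + "\n"

        clean = verify_upload(changes, d)
        # Same length, different bytes: only the hash comparison catches this.
        with open(os.path.join(d, "example_1.0-1_amd64.deb"), "wb") as fh:
            fh.write(b"constructed deb PAYLOAD\n")
        tampered = verify_upload(changes, d)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```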
Bug#770918: marked as done (flac: CVE-2014-8962/CVE-2014-9028: heap buffer overflows)
Your message dated Thu, 27 Nov 2014 16:04:11 + with message-id e1xu1yb-0005p4...@franck.debian.org and subject line Bug#770918: fixed in flac 1.3.0-3 has caused the Debian Bug report #770918, regarding flac: CVE-2014-8962/CVE-2014-9028: heap buffer overflows to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 770918: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770918 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ---BeginMessage--- Package: flac Version: 1.3.0-2+b1 Severity: serious Tags: security From: http://lists.xiph.org/pipermail/flac-dev/2014-November/005226.html Google Security Team member, Michele Spagnuolo, recently found two potential problems in the FLAC code base. They are : CVE-2014-9028 : Heap buffer write overflow CVE-2014-8962 : Heap buffer read overflow For Linux distributions, the specific fixes for these two CVEs are available from Git here: https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85 https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e and are simple enough that they should apply cleanly to the last official release 1.3.0 and possibly even the previous one, 1.2.1. A pre-release (version 1.3.1pre1) for the next version which includes these fixes and more is available here: http://downloads.xiph.org/releases/flac/beta/ A full release (version 1.3.1) will be available in the next couple of days. 
-- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (900, 'testing'), (800, 'unstable'), (500, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.17-rc5-amd64 (SMP w/4 CPU cores) Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages flac depends on: ii libc6 2.19-13 ii libflac8 1.3.0-2+b1 flac recommends no packages. flac suggests no packages. -- no debconf information ---End Message--- ---BeginMessage--- Source: flac Source-Version: 1.3.0-3 We believe that the bug you reported is fixed in the latest version of flac, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 770...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. 
Fabian Greffrath fabian+deb...@greffrath.com (supplier of updated flac package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Thu, 27 Nov 2014 16:52:51 +0100 Source: flac Binary: flac libflac8 libflac-doc libflac-dev libflac++6 libflac++-dev Architecture: source amd64 all Version: 1.3.0-3 Distribution: unstable Urgency: high Maintainer: Debian Multimedia Maintainers pkg-multimedia-maintainers@lists.alioth.debian.org Changed-By: Fabian Greffrath fabian+deb...@greffrath.com Description: flac - Free Lossless Audio Codec - command line tools libflac++-dev - Free Lossless Audio Codec - C++ development library libflac++6 - Free Lossless Audio Codec - C++ runtime library libflac-dev - Free Lossless Audio Codec - C development library libflac-doc - Free Lossless Audio Codec - library documentation libflac8 - Free Lossless Audio Codec - runtime C library Closes: 770918 Changes: flac (1.3.0-3) unstable; urgency=high . * Fixes for CVE-2014-8962 and CVE-2014-9028: + Backport three patches from upstream GIT repository: - CVE-2014-8962.patch: Fix a buffer read overflow. - CVE-2014-9028.patch: Avoid a heap overflow. - CVE-2014-9028-2.patch: Avoid a heap overflow. Closely related to the former fix, but strictly speaking not the same vulnerability. + Closes: #770918. + Thanks Erik de Castro Lopo for the bug report and the upstream fixes!
Bug#771126: libav/tests/lena.pnm: also not mentioned in debian/copyright
In order to address this, I've proposed to replace lena.pnm with a new image, taken by me, at https://github.com/libav/libav/pull/17 I don't really care about the licensing. Is the declaration in the commit message OK? How to declare that in debian/copyright? -- regards, Reinhard
Bug#771126: libav/tests/lena.pnm: also not mentioned in debian/copyright
Hi Reinhard, Quoting Reinhard Tartler (2014-11-27 18:35:05) In order to address this, I've proposed to replace lena.pnm with a new image, taken by me, at https://github.com/libav/libav/pull/17 Fun idea :-) I don't really care about the licensing. Is the declaration in the commit message OK? How to declare that in debian/copyright? I might get away with such custom set of licensing terms, but to ease processing (if not by lawyers in a later dispute then at least by fellow distro maintainers wanting to categorize, identify, verify etc.) it is recommended that you instead pick a common license. Preferably one of those tracked by SPDX as listed at https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#license-specification. Seems what you want is as liberal and as briefly expressed license as possible. A popular common license of that kind is Expat. ideally you refer to that license by its canonical URL http://www.jclark.com/xml/copying.txt but since you seem to seek as brief as possible expression, you could simply state e.g. Licensed under the Expat license. I am not a lawyer, just interested in licensing and pay attention to licensing patterns commonly expressed by upstreams of Debian and approved in Debian. YMMV. - Jonas -- * Jonas Smedegaard - idealist Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#771126: libav/tests/lena.pnm: also not mentioned in debian/copyright
On Thu, Nov 27, 2014 at 1:08 PM, Jonas Smedegaard d...@jones.dk wrote: Hi Reinhard, Quoting Reinhard Tartler (2014-11-27 18:35:05) In order to address this, I've proposed to replace lena.pnm with a new image, taken by me, at https://github.com/libav/libav/pull/17 Fun idea :-) I don't really care about the licensing. Is the declaration in the commit message OK? How to declare that in debian/copyright? I might get away with such custom set of licensing terms, but to ease processing (if not by lawyers in a later dispute then at least by fellow distro maintainers wanting to categorize, identify, verify etc.) it is recommended that you instead pick a common license. Preferably one of those tracked by SPDX as listed at https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#license-specification. Seems what you want is as liberal and as briefly expressed license as possible. A popular common license of that kind is Expat. ideally you refer to that license by its canonical URL http://www.jclark.com/xml/copying.txt but since you seem to seek as brief as possible expression, you could simply state e.g. Licensed under the Expat license. I am not a lawyer, just interested in licensing and pay attention to licensing patterns commonly expressed by upstreams of Debian and approved in Debian. YMMV. Sure, if you believe that the expat license is appropriate, I'd license it that way. Thanks for the feedback. Reinhard
Bug#770741: vlc: FTBFS on hppa: borked plugin files
On 11/23/2014 6:38 PM, Sebastian Ramacher wrote:

ldd -r on my machine for these plugins gives me

/usr/lib/vlc/plugins/demux/libavformat_plugin.so:
linux-vdso.so.1 (0x7fff4e396000)
libvlccore.so.8 => /usr/lib/libvlccore.so.8 (0x7f98c97f3000)
libavformat.so.56 => /usr/lib/x86_64-linux-gnu/libavformat.so.56 (0x7f98c94b3000)
libavcodec.so.56 => /usr/lib/x86_64-linux-gnu/libavcodec.so.56 (0x7f98c856)
libavutil.so.54 => /usr/lib/x86_64-linux-gnu/libavutil.so.54 (0x7f98c8334000)

It looks to me like the dependence on libX11 or libxcb arises because x11grab is enabled for the libav package. This introduces a dependence on xfixes which in turn depends on libX11 and libxcb. Enabling x11grab causes linking against libxfixes3 but why this introduces a dependency on xfixes in packages like libavformat56 is not clear. It didn't help to rebuild libav and libxfixes.

Dave
-- John David Anglin dave.ang...@bell.net
Bug#771126: libav/tests/lena.pnm: also not mentioned in debian/copyright
On 2014-11-27 12:46, Holger Levsen wrote: On Donnerstag, 27. November 2014, Jonas Smedegaard wrote: control: tags -1 + wheezy-ignore Are you part of the release team? No, but the release team is explicitly happy with *me* tagging stuff wheezy-ignore following guidelines discussed on debian-release. the conclusion there has been: (in stable) distributable stuff which is non-free or wrongly mentioned in debian/copyrights are serious bugs - but serious bugs which *can* be ignored. (and yeah, usually I cc: debian-release@l.d.o explicitly on such taggings, because it's the proper thing to do. as I also know that most if not all of the release team are subscribed to all RC bugs anyway, I sometimes forget this...) [...] Hi, FTR, I believe Holger is referring to [1]. At first glance, it seems to mostly apply to this particular case. I say mostly because it is not immediately clear to me that we got an exact license (combined with ... and there is *no doubt about the license* of the files [...] from [1], emphasis mine). That said, provided that we *are permitted* to distribute, I see no issue with the -ignore tag for Wheezy. Should it turn out that the files are in fact non-distributable, the -ignore tag will have to go and we would need a stable-update to fix it. ~Niels [1] https://lists.debian.org/debian-release/2014/03/msg00409.html
Bug#771126: libav/tests/lena.pnm: also not mentioned in debian/copyright
Quoting Niels Thykier (2014-11-27 22:14:25)
> FTR, I believe Holger is referring to [1]. At first glance, it seems to mostly apply to this particular case. I say mostly because it is not immediately clear to me that we got an exact license (combined with ... and there is *no doubt about the license* of the files [...] from [1], emphasis mine).
>
> That said, provided that we *are permitted* to distribute, I see no issue with the -ignore tag for Wheezy.

In prior similar bugreport https://bugs.debian.org/760171#10 - referenced from https://bugs.debian.org/771191#10 - distribution is documented as permitted only for research and education which I interpret as unacceptable for Debian.

You might also want to read Holger's conclusion which contradicts the other stuff he extracted from the material I referenced. Sigh...

 - Jonas

-- 
 * Jonas Smedegaard - idealist Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#771126: libav/tests/lena.pnm: also not mentioned in debian/copyright
/me sings happy birthday to you and sighs.

and q.e.d. too, FWIW, which is nothing.
Bug#750817: ITP: x265 -- x265 HEVC Encoder
On 2014-06-09 20:06:53, Reinhard Tartler wrote:
> On Sun, Jun 8, 2014 at 4:25 AM, Andrei POPESCU andreimpope...@gmail.com wrote:
>> Control: reassign -1 wnpp
>>
>> On Sat, 07 Jun 14, 08:47:41, Rico Tzschichholz wrote:
>>> Package: x265
>>> Severity: wishlist
>>>
>>> Package: wnpp
>>> Severity: wishlist
>>>
>>> Package name: x265
>>> URL : https://bitbucket.org/multicoreware/x265/wiki/Home
>>> License : GPL2, BSD
>>> Description : free library for encoding H265/HEVC video streams.
>>>
>>> This package is going to be maintained under the pkg-multimedia umbrella.
>
> Since this package is probably going to be similar to x264, I guess it's easiest to track the github mirror of the upstream mercurial repo. It seems that there is no upstream mailing list, nor other way to contact the upstream devs at this point. Luca, can you confirm or correct this?
>
> I took a first look at the package, and it builds a shared library by default (good). Unfortunately, it doesn't provide a proper SONAME:
>
> $ objdump -p libx265.so | grep SONAME
>   SONAME libx265.so
>
> This makes me wonder if it's worth building it as shared library in debian at this point, or if we wouldn't be better off with a static library only. I wonder what is upstream's take on this?

I've started to work on x265. The upstream build system is a lot saner now. The shared library has a proper SONAME and it's no longer necessary to patch the build system.

The initial packaging can be found at http://anonscm.debian.org/cgit/pkg-multimedia/x265.git. I'm going to play with it a day or two and then I'll probably upload it.

Cheers
-- 
Sebastian Ramacher
Bug#771126: libav/tests/lena.pnm: also not mentioned in debian/copyright
Control: tags -1 -wheezy-ignore

On 2014-11-27 23:23, Jonas Smedegaard wrote:
> Quoting Niels Thykier (2014-11-27 22:14:25)
>> [...]
>
> In prior similar bugreport https://bugs.debian.org/760171#10 - referenced from https://bugs.debian.org/771191#10 - distribution is documented as permitted only for research and education which I interpret as unacceptable for Debian.
>
> [...]
>
> - Jonas

Ack, removing the -ignore tag then. That does not sound like something we can distribute as we also distribute to other uses.

Once this has been resolved in unstable, please file both an unblock request for it and a p-u request for getting it fixed in stable.

Please also be advised that snapshots.d.o may also be distributing copies of this file unknowingly. Please inform them of the affected versions, so they can remove them.

~Niels
Processed: Re: Bug#771126: libav/tests/lena.pnm: also not mentioned in debian/copyright
Processing control commands:

> tags -1 -wheezy-ignore
Bug #771126 [src:libav] libav/lena.pnm: non-DFSG free + not mentioned in copyright
Removed tag(s) wheezy-ignore.

-- 
771126: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771126
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems