GNU bug report logs - #72799
[PATCH 0/3] ffmpeg updates [fixes CVE-2024-7055, CVE-2024-7272]
Reported by: ashish.is <at> lostca.se
Date: Sun, 25 Aug 2024 00:39:01 UTC
Severity: important
Tags: patch, security
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#72799; Package guix-patches. (Sun, 25 Aug 2024 00:39:01 GMT)
Acknowledgement sent to ashish.is <at> lostca.se: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 25 Aug 2024 00:39:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
From: Ashish SHUKLA <ashish.is <at> lostca.se>
Hi,
The attached series of patches updates ffmpeg to the latest versions, which fix the
following vulnerabilities:
CVE-2024-7055
CVE-2024-7272
Thanks!
Ashish SHUKLA (3):
gnu: ffmpeg: Update to 6.1.2 [fixes CVE-2024-7055].
gnu: ffmpeg-5: Update to 5.1.6 [fixes CVE-2024-7055, CVE-2024-7272].
gnu: ffmpeg-4: Update to 4.4.5 [fixes CVE-2024-7055].
gnu/packages/video.scm | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
base-commit: f25ea6847fa4eb1bc0a6bfb965e145b94f20a6f8
--
2.46.0
Information forwarded to guix-patches <at> gnu.org: bug#72799; Package guix-patches. (Sun, 25 Aug 2024 00:42:02 GMT)
Message #8 received at 72799 <at> debbugs.gnu.org:
From: Ashish SHUKLA <ashish.is <at> lostca.se>
* gnu/packages/video.scm (ffmpeg-4): Update to 4.4.5.
Change-Id: Ie35066988c26af338120b2ce002c767ff4c7aaec
---
gnu/packages/video.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 1089e0b6ba..0c56a43ecb 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1885,14 +1885,14 @@ (define-public ffmpeg-5
(define-public ffmpeg-4
(package
(inherit ffmpeg-5)
- (version "4.4.2")
+ (version "4.4.5")
(source (origin
(method url-fetch)
(uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
version ".tar.xz"))
(sha256
(base32
- "14xadxm1yaamp216nq09xwasxg5g133v86dbb33mdg5di1zrlhdg"))))
+ "01xb2vj4n52fv2y56n5ifirgzlg16qbgfg98f6ifbbhm6l6lwlgr"))))
(inputs (modify-inputs (package-inputs ffmpeg)
(replace "sdl2" sdl2-2.0)))
(arguments
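Review bot: the commit message for this hunk (`* gnu/packages/video.scm (ffmpeg-4): Update to 4.4.5.`) gives no reason for the bump; the cover letter's subject for this patch is `[fixes CVE-2024-7055]`, and that should be carried into the commit subject or body so the fix is discoverable from `git log`. Two checks before merging: the pre-image blob on the `index` line (`1089e0b6ba`) is the post-image of the ffmpeg-5 patch, so this patch applies last even though it appears first on this page; and the new base32 hash on the `+` line should be reproduced locally with `guix download https://ffmpeg.org/releases/ffmpeg-4.4.5.tar.xz` rather than taken on trust from the patch. The cover letter also credits 5.1.6 with CVE-2024-7272 but lists only CVE-2024-7055 for 4.4.5; the commit message would be the right place to state whether 4.4.x is unaffected by CVE-2024-7272 or still open.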
--
2.46.0
Information forwarded to guix-patches <at> gnu.org: bug#72799; Package guix-patches. (Sun, 25 Aug 2024 00:42:02 GMT)
Message #11 received at 72799 <at> debbugs.gnu.org:
From: Ashish SHUKLA <ashish.is <at> lostca.se>
* gnu/packages/video.scm (ffmpeg-5): Update to 5.1.6.
Change-Id: If86cbff17d63528b42a9c5ce2c062014251b8fcb
---
gnu/packages/video.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index d8276b331e..1089e0b6ba 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1873,14 +1873,14 @@ (define-public ffmpeg
(define-public ffmpeg-5
(package
(inherit ffmpeg)
- (version "5.1.4")
+ (version "5.1.6")
(source (origin
(method url-fetch)
(uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
version ".tar.xz"))
(sha256
(base32
- "0qwhyhil805hns7yksdxagnrcc90h60al7lz1rc65kd1j2w3nf2l"))))))
+ "1g8116rp4fgq82br8lclb2dmw3fvyh2zkzhnngm7z97pg1i0dypl"))))))
(define-public ffmpeg-4
(package
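Review bot: the commit message for this hunk (`(ffmpeg-5): Update to 5.1.6.`) should name CVE-2024-7055 and CVE-2024-7272, which the cover letter says this release fixes; otherwise a reader of the history sees a routine version bump. Note also that the trailing context shows `ffmpeg-4` inheriting from `ffmpeg-5`, yet the ffmpeg-4 definition overrides `version` and `source` (see the ffmpeg-4 patch in this thread), so this hunk does not propagate the fix to ffmpeg-4 on its own; the two patches need to land together. As with the other hunks, the hash on the `+` line should be confirmed against a fresh `guix download` of the 5.1.6 tarball.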
--
2.46.0
Information forwarded to guix-patches <at> gnu.org: bug#72799; Package guix-patches. (Sun, 25 Aug 2024 00:42:02 GMT)
Message #14 received at 72799 <at> debbugs.gnu.org:
From: Ashish SHUKLA <ashish.is <at> lostca.se>
* gnu/packages/video.scm (ffmpeg): Update to 6.1.2.
Change-Id: I4f15c4619da8b1dba474237cd839e2c79f651346
---
gnu/packages/video.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 7d22d2f8f7..d8276b331e 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -69,6 +69,7 @@
;;; Copyright © 2023 Jaeme Sifat <jaeme <at> runbox.com>
;;; Copyright © 2023 Zheng Junjie <873216071 <at> qq.com>
;;; Copyright © 2024 Artyom V. Poptsov <poptsov.artyom <at> gmail.com>
+;;; Copyright © 2024 Ashish SHUKLA <ashish.is <at> lostca.se>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -1670,14 +1671,14 @@ (define-public libva-utils
(define-public ffmpeg
(package
(name "ffmpeg")
- (version "6.1.1")
+ (version "6.1.2")
(source (origin
(method url-fetch)
(uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
version ".tar.xz"))
(sha256
(base32
- "0s7r2qv8gh2a3w568n9xxgcz0q8j5ww1jdsci1hm9f4l1yqg9146"))))
+ "0f2fr8ywchhlkdff88lr4d4vscqzsi1ndjh3r5jwbkayf94lcqiv"))))
(outputs '("out" "debug"))
(build-system gnu-build-system)
(inputs
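Review bot: this hunk has the widest blast radius of the series: `ffmpeg` is the package that `ffmpeg-5` (and through it `ffmpeg-4`) inherit from, and the ~700 dependent rebuilds reported later in this thread for "ffmpeg-6" come from changing its `version` and `source` here. If the goal is to ship the CVE-2024-7055 fix quickly, a `replacement` graft on `ffmpeg` carrying the 6.1.2 source, as the review below suggests, avoids that rebuild; otherwise the change belongs on a topic branch rather than master, as the closing reply also notes. The commit message (`(ffmpeg): Update to 6.1.2.`) should mention CVE-2024-7055, and the new hash should be reproduced with `guix download` before merge.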
--
2.46.0
Added tag(s) security. Request was from "Ashish SHUKLA" <ashish.is <at> lostca.se> to control <at> debbugs.gnu.org. (Sun, 25 Aug 2024 00:44:02 GMT)
Severity set to 'important' from 'normal'. Request was from "Ashish SHUKLA" <ashish.is <at> lostca.se> to control <at> debbugs.gnu.org. (Sun, 25 Aug 2024 00:44:02 GMT)
Information forwarded to guix-patches <at> gnu.org: bug#72799; Package guix-patches. (Fri, 30 Aug 2024 21:33:02 GMT)
Message #21 received at 72799 <at> debbugs.gnu.org:
Hi!
Patches apply and build fine.
However, it looks like ffmpeg-4 and ffmpeg-6 trigger lots of package rebuilds (~1000 for
ffmpeg-4 and ~700 for ffmpeg-6).
ffmpeg-5 is fine, only 12 packages to be rebuilt.
Maybe ffmpeg-4 and ffmpeg-6 should be grafted (these CVEs look scary) and patches for them sent
in a separate branch?
Need some experienced maintainers to understand how it should be resolved.
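Added example, not code from this patch series or from Guix's own video.scm: how the graft suggested in the message above would be expressed for ffmpeg-4 with Guix's `replacement` field. The name `ffmpeg-4/fixed` is assumed; the sha256 is the 4.4.5 hash from the patch in this thread.

```scheme
;; Added example, not code from this patch series or from Guix's video.scm:
;; the ffmpeg-4 update expressed as a graft.  A graft leaves the old ffmpeg-4
;; in the build graph of its ~1000 dependents and swaps in the fixed build
;; when outputs are installed, so no mass rebuild is scheduled.
;;
;; Step 1: in the existing `ffmpeg-4' definition keep version 4.4.2 and its
;; source unchanged and add a single field:
;;
;;   (replacement ffmpeg-4/fixed)
;;
;; `replacement' is an innate package field, so `inherit' does not copy it;
;; the package below therefore does not refer back to itself.
;;
;; Step 2: define the replacement.  The name `ffmpeg-4/fixed' is assumed; the
;; sha256 is the 4.4.5 hash from the patch in this thread.
(define ffmpeg-4/fixed
  (package
    (inherit ffmpeg-4)
    ;; Grafting rewrites store file names in place, so the replacement's
    ;; store name must be as long as the original's: "ffmpeg-4.4.2" and
    ;; "ffmpeg-4.4.5" have the same length.  A bump such as 4.4.2 -> 4.4.10
    ;; could not be grafted this way.
    (version "4.4.5")
    ;; Everything else (inputs, arguments, the sdl2-2.0 replacement) is
    ;; inherited from ffmpeg-4, so only the source differs.
    (source (origin
              (method url-fetch)
              (uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
                                  version ".tar.xz"))
              (sha256
               (base32
                "01xb2vj4n52fv2y56n5ifirgzlg16qbgfg98f6ifbbhm6l6lwlgr"))))))
```

A graft assumes the 4.4.5 build is ABI-compatible with 4.4.2 (same sonames and exported symbols), so that should be checked on the patched libraries before relying on it instead of a full rebuild.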
Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: You have taken responsibility. (Tue, 12 Nov 2024 12:11:02 GMT)
Notification sent to ashish.is <at> lostca.se: bug acknowledged by developer. (Tue, 12 Nov 2024 12:11:02 GMT)
Message #26 received at 72799-done <at> debbugs.gnu.org:
Hello,
Rodion Goritskov <rodion.goritskov <at> gmail.com> writes:
> Hi!
>
> Patches apply and build fine.
>
> However, it looks like ffmpeg-4 and ffmpeg-6 trigger lots of package rebuilds (~1000 for
> ffmpeg-4 and ~700 for ffmpeg-6).
> ffmpeg-5 is fine, only 12 packages to be rebuilt.
>
> Maybe ffmpeg-4 and ffmpeg-6 should be grafted (these CVEs look scary) and patches for them sent
> in a separate branch?
>
> Need some experienced maintainers to understand how it should be resolved.
It would have been better to build on a topic branch, but I've opted to
take a shortcut here and push directly to master for this time.
Closing!
--
Thanks,
Maxim
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 10 Dec 2024 12:24:19 GMT)
This bug report was last modified 247 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.