Created attachment 239963 [details]
Patch for libde265

Also include PRs submitted by the Debian maintainer:
https://github.com/strukturag/libde265/pull/365
https://github.com/strukturag/libde265/pull/366
https://github.com/strukturag/libde265/pull/372

Previous version (1.0.10) fixes a bunch of CVEs:
CVE-2020-21594 CVE-2020-21595 CVE-2020-21596 CVE-2020-21597 CVE-2020-21598
CVE-2020-21599 CVE-2020-21600 CVE-2020-21601 CVE-2020-21602 CVE-2020-21603
CVE-2020-21604 CVE-2020-21605 CVE-2020-21606 CVE-2022-1253 CVE-2022-43236
CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241
CVE-2022-43242 CVE-2022-43243 CVE-2022-43244 CVE-2022-43245 CVE-2022-43248
CVE-2022-43249 CVE-2022-43250 CVE-2022-43252 CVE-2022-43253 CVE-2022-47655

Compile tested on FreeBSD 13.1-STABLE (amd64) (make, make check-plist)
Poudriere testport OK 12.3-RELEASE (amd64)
Poudriere testport OK 13.1-RELEASE (i386)

Compile tested with the following users on FreeBSD 12.3-RELEASE (amd64) using Poudriere:
graphics/libheif
multimedia/gstreamer1-plugins-libde265
Hello, thank you for the update. I just have a question about the extra patches, since I'm not 100% sure that we need to include them. As the author mentioned in https://github.com/strukturag/libde265/pull/372, the CVEs have been fixed in another way, and it seems that these 3 pull requests won't be included, I think. Could you explain why you want to include them anyway?
Hi,

I just mirrored Debian's packaged version of this library, which (to me) seems to have a good approach.
https://salsa.debian.org/multimedia-team/libde265/-/tree/master/debian/patches

Best regards,
Daniel
Thanks for the feedback. This looks good, please go ahead.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4b6ef035f3ed9b1abfe6152296d5b711ee6146e7

commit 4b6ef035f3ed9b1abfe6152296d5b711ee6146e7
Author:     Koop Mast <kwm@FreeBSD.org>
AuthorDate: 2023-02-21 20:56:44 +0000
Commit:     Koop Mast <kwm@FreeBSD.org>
CommitDate: 2023-02-21 20:57:38 +0000

    security/vuxml: Document libde265 vulnerabilities.

    PR:           269382
    Reported by:  diizzy@

 security/vuxml/vuln/2023.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4b2680edc58a1a65ff022ec7455957a4d2d864c1

commit 4b2680edc58a1a65ff022ec7455957a4d2d864c1
Author:     Koop Mast <kwm@FreeBSD.org>
AuthorDate: 2023-02-21 20:58:55 +0000
Commit:     Koop Mast <kwm@FreeBSD.org>
CommitDate: 2023-02-21 20:58:55 +0000

    multimedia/libde265: Update to 1.0.11

    Also include some additional patches from Debian.

    PR:           269382
    Submitted by: diizzy@
    Security:     CVE-2020-21594 CVE-2020-21595 CVE-2020-21596 CVE-2020-21597
                  CVE-2020-21598 CVE-2020-21599 CVE-2020-21600 CVE-2020-21601
                  CVE-2020-21602 CVE-2020-21603 CVE-2020-21604 CVE-2020-21605
                  CVE-2020-21606 CVE-2022-1253 CVE-2022-43236 CVE-2022-43237
                  CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241
                  CVE-2022-43242 CVE-2022-43243 CVE-2022-43244 CVE-2022-43245
                  CVE-2022-43248 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252
                  CVE-2022-43253 CVE-2022-47655
    MFH:          2023Q1

 multimedia/libde265/Makefile  |  9 +++++++--
 multimedia/libde265/distinfo  | 12 +++++++++---
 multimedia/libde265/pkg-plist |  2 +-
 3 files changed, 17 insertions(+), 6 deletions(-)
Any plans to merge that update to the quarterly tree? https://lists.freebsd.org/archives/freebsd-ports/2023-February/003473.html seems to suggest some action?
I forgot to mention in the commit message:
- Adjust port to follow the Porter's Handbook more closely
err, wrong bug report... sorry :/
Now indirectly in quarterly since new branch so I'll close this one.