Bug 200507

Summary: [security] multimedia/avidemux26 - Multiple vulnerabilities
Product: Ports & Packages
Reporter: Sevan Janiyan <venture37>
Component: Individual Port(s)
Assignee: Thomas Zander <riggs>
Status: Closed FIXED
Severity: Affects Only Me
CC: nox, ports-secteam, riggs
Priority: ---
Keywords: needs-patch, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (multimedia)
Hardware: Any
OS: Any
Attachments:
  Description: Update to 2.6.9
  Flags: none

Description Sevan Janiyan 2015-05-29 00:10:05 UTC
http://advisories.mageia.org/MGASA-2015-0233.html
Comment 1 Juergen Lock freebsd_committer 2015-05-30 14:16:57 UTC
The linked advisory mentions updates to 2.6.6 while our avidemux26 ports are at 2.6.8 - so this is most likely not relevant to them.
Comment 2 Juergen Lock freebsd_committer 2015-05-30 14:28:45 UTC
Hmm, correction: 2.6.8 is from 2014 while the CVEs are from up to 2015... And I see 2.6.9 is out so we should probably update to that.
Comment 3 Juergen Lock freebsd_committer 2015-05-31 11:59:00 UTC
I tried updating to 2.6.9 yesterday but got stuck at strange cmake errors, if someone wants to pick up from there...

Patch:
https://people.freebsd.org/~nox/tmp/avidemux-2.6.9-incomplete-001.patch
(some plists probably still need fixing too)

(partial) poudriere testport log including the cmake errors:
https://people.freebsd.org/~nox/tmp/avidemux26-plugins-testport-001.log.txt

CMakeError.log and CMakeOutput.log out of the jail:
https://people.freebsd.org/~nox/tmp/avidemux26-plugins-CMakeError.log.txt
https://people.freebsd.org/~nox/tmp/avidemux26-plugins-CMakeOutput.log.txt

This was attempting to build multimedia/avidemux26-plugins; it is needed and depends on the other avidemux26 ports.

Thanx! :)
Juergen
Comment 4 Thomas Zander freebsd_committer 2015-06-01 05:38:07 UTC
(In reply to Juergen Lock from comment #3)

On it...
Comment 5 Thomas Zander freebsd_committer 2015-06-01 13:39:00 UTC
Created attachment 157344
Update to 2.6.9

Merge of nox's patch with my own modifications.
svn diff relative to ${PORTSDIR}/multimedia
Comment 6 Thomas Zander freebsd_committer 2015-06-01 13:40:22 UTC
(In reply to Thomas Zander from comment #5)

Build tested with poudriere in various OPTIONS permutations on 10-stable/amd64 and 9.3/i386.
Using the resulting binary for actual editing jobs not yet tested :-)
Comment 7 commit-hook freebsd_committer 2015-06-01 18:59:37 UTC
A commit references this bug:

Author: riggs
Date: Mon Jun  1 18:58:38 UTC 2015
New revision: 388254
URL: https://svnweb.freebsd.org/changeset/ports/388254

Log:
  Update to upstream version 2.6.9

  While on it:
  Pet portlint

  PR:		200507
  Reported by:	venture37@geeklan.co.uk

Changes:
  head/multimedia/avidemux26/Makefile
  head/multimedia/avidemux26/Makefile.common
  head/multimedia/avidemux26/distinfo
  head/multimedia/avidemux26/files/patch-avidemux__core_ADM__core_src_ADM__memsupport.cpp
  head/multimedia/avidemux26/files/patch-avidemux__core_ffmpeg__package_patches_config.mak.diff
  head/multimedia/avidemux26/files/patch-avidemux__plugins_CMakeLists.txt
  head/multimedia/avidemux26/files/patch-avidemux_core-ffmpeg_package-patches-Makefile.patch
  head/multimedia/avidemux26/files/patch-avidemux_core-ffmpeg_package-patches-configure.patch
  head/multimedia/avidemux26/files/patch-avidemux_core-ffmpeg_package-patches-libavcodec-Makefile.patch
  head/multimedia/avidemux26/files/patch-avidemux_core_ADM_core_src_ADM_memsupport.cpp
  head/multimedia/avidemux26/files/patch-cmake_admCheckMiscLibs.cmake
  head/multimedia/avidemux26/files/patch-config.mak.diff
  head/multimedia/avidemux26/files/patch-libexecinfo
  head/multimedia/avidemux26/files/patch-po__CMakeLists.txt
  head/multimedia/avidemux26/pkg-plist
  head/multimedia/avidemux26-cli/Makefile
  head/multimedia/avidemux26-plugins/Makefile
  head/multimedia/avidemux26-plugins/pkg-plist
  head/multimedia/avidemux26-qt4/Makefile
  head/multimedia/avidemux26-qt4/pkg-plist
Comment 8 Thomas Zander freebsd_committer 2015-06-01 19:26:35 UTC
Actually, from reading the security advisory it does look like pre-2.6.8 versions were vulnerable as nox pointed out. I'll update vuxml accordingly.
Comment 9 commit-hook freebsd_committer 2015-06-01 19:38:46 UTC
A commit references this bug:

Author: riggs
Date: Mon Jun  1 19:37:58 UTC 2015
New revision: 388266
URL: https://svnweb.freebsd.org/changeset/ports/388266

Log:
  Add entry for vulnerable versions of avidemux2 and avidemux26

  PR:		200507
  Submitted by:	venture37@geeklan.co.uk

Changes:
  head/security/vuxml/vuln.xml