Summary: multimedia/mythtv: Update to 31.0
Product: Ports & Packages
Reporter: Alan Hicks <ahicks>
Component: Individual Port(s)
Assignee: Kyle Evans <kevans>
Severity: Affects Only Me
CC: ahicks, freebsdports, kevans, koobs, ports-bugs
Description Alan Hicks 2020-09-20 16:39:08 UTC
Created attachment 218110 [details]
patch for multimedia/mythtv and multimedia/mythtv-frontend

Upgrade multimedia/mythtv and multimedia/mythtv-frontend from 30 to 31.0
Bumps python to 3.5+
Uses ffmpeg 4.3.1 so CVE-2016-10191 no longer applies
Configuration options changed to reflect update

Release notes: https://www.mythtv.org/wiki/Release_Notes_-_31

Poudriere testports attached
Comment 1 Alan Hicks 2020-09-20 16:49:25 UTC
Poudriere logs attached as they're 2.4 and 2.2m respectively
https://p-o.co.uk/downloads/mythtv-31.0,1.log
https://p-o.co.uk/downloads/mythtv-frontend-31.0,1.log
Comment 2 Kubilay Kocak 2020-09-21 07:22:05 UTC
@Alan Does this update resolve security vulnerabilities by way of switching the dependency from a bundled ffmpeg to ports?
Comment 3 Alan Hicks 2020-09-21 10:26:11 UTC
CVE-2016-10191 only lists before 3.2.2 as vulnerable, the version of ffmpeg included in 31.0 is 4.2.1, there isn't an option to use ffmpeg from ports.

I've checked the source file work/mythtv-31.0/mythtv/external/FFmpeg/libavformat/rtmppkt.c and it contains the check for "RTMP packet size mismatch" from patch-CVE-2016-10191.

head -n 4 work/mythtv-31.0/mythtv/external/FFmpeg/Changelog
Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.

version 4.2.1:

https://nvd.nist.gov/vuln/detail/CVE-2016-10191
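The check described in comment 3, written out as a script (an added example, not part of the original thread or of the port): it reads the bundled FFmpeg version from the Changelog and looks for the "RTMP packet size mismatch" check in libavformat/rtmppkt.c. The function names and the sample trees are constructed for illustration; the 3.2.2 threshold is the one quoted in the comment.

```shell
# Added example. FIXED_IN and MARKER are the values quoted in comment 3.
FIXED_IN="3.2.2"
MARKER="RTMP packet size mismatch"

# Newest release named in the Changelog (first "version X.Y.Z:" line).
bundled_ffmpeg_version() {
    sed -n 's/^version \([0-9][0-9.]*\):.*$/\1/p' "$1/Changelog" 2>/dev/null | head -n 1
}

# True if version $1 is strictly older than $2 (numeric compare per field).
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    oldest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# True if rtmppkt.c contains the size-mismatch check.
has_rtmp_size_check() {
    grep -q "$MARKER" "$1/libavformat/rtmppkt.c" 2>/dev/null
}

# Print "<version> <verdict>"; non-zero status means the tree needs attention.
audit_ffmpeg_tree() {
    ver=$(bundled_ffmpeg_version "$1")
    if [ -z "$ver" ]; then echo "unknown no-version-found"; return 2; fi
    if has_rtmp_size_check "$1"; then echo "$ver check-present"; return 0; fi
    if version_lt "$ver" "$FIXED_IN"; then
        echo "$ver affected-version-check-missing"
    else
        echo "$ver check-missing-review-manually"
    fi
    return 1
}

# Constructed sample tree (not real FFmpeg source): $1=dir $2=version $3=yes|no
make_sample_tree() {
    mkdir -p "$1/libavformat"
    printf 'Entries are sorted chronologically...\n\nversion %s:\n' "$2" > "$1/Changelog"
    line='/* size check absent */'
    if [ "$3" = yes ]; then line='av_log(s, AV_LOG_ERROR, "RTMP packet size mismatch");'; fi
    printf '%s\n' "$line" > "$1/libavformat/rtmppkt.c"
}

demo=$(mktemp -d)
make_sample_tree "$demo/new" 4.2.1 yes
make_sample_tree "$demo/old" 3.1.0 no
audit_ffmpeg_tree "$demo/new"
audit_ffmpeg_tree "$demo/old" || true
rm -rf "$demo"
```

Against a real ports work directory the argument would be the bundled tree, e.g. work/mythtv-31.0/mythtv/external/FFmpeg as named in the comment.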
Comment 4 Alan Hicks 2020-09-23 15:45:12 UTC
Created attachment 218213 [details] Patch to upgrade www/mythplugin-mythweb poudriere testport log https://p-o.co.uk/downloads/mythplugin-mythweb-31.0.log
Comment 5 Kubilay Kocak 2020-09-24 00:49:29 UTC
@Alan So just to be explicit, the current port version is affected by at least one vulnerability, and the patches here resolve them (include changes to mitigate/resolve them)?
Comment 6 Alan Hicks 2020-09-24 03:50:53 UTC
@Koobs For clarity: There are no vulnerabilities in the current version 30.0. This update removes dependency on python 2.7 in favour of 3.5+. The patch for www/mythplugin-mythweb keeps it in sync with MythTV. MythTV version 30.0 used a non-vulnerable ffmpeg (4.0.2), the CVE patch was superfluous and benign.
Comment 7 Bryan Erickson 2020-10-08 18:20:34 UTC
I'd like to add that I've tested the multimedia/mythtv & multimedia/mythtv-frontend patches and deployed the packages to a couple of my test systems and everything appears to be working as expected. The new version also addresses a bug where after you play one video a white box remains on the screen. I'm just wanting to add my input as the package in ports is marked as broken and this will address the broken port as well as fix a bug in the previous version.
Comment 8 Alan Hicks 2020-10-22 11:38:09 UTC
Would it help to expedite this if I took maintainership of the three ports?
Comment 9 Kyle Evans 2020-12-12 14:07:34 UTC
(In reply to Alan Hicks from comment #8) I'd tend to recommend it if for the sake of longevity, but I do not insist. Based on the patch split, is it safe to assume that mythplugin-mythweb can be upgraded after the fact in a separate commit?
Comment 10 Alan Hicks 2020-12-12 20:33:56 UTC
(In reply to Kyle Evans from comment #9) Yes it's safe to upgrade mythplugin-mythweb in a separate commit, let me know if I should open one and re-submit patch. I've used MythTV for a while so happy to look after it, let me know if there's anything I should do to accept maintainership. Thanks
Comment 11 Kyle Evans 2020-12-12 21:03:45 UTC
(In reply to Alan Hicks from comment #10) Perfect, thanks! I'll do one more Q/A pass tonight then commit. No further action required; you've acknowledged that you're interested in MAINTAINERship coinciding with this here patch to save it from the grim reaper at the end of the month, I will pass MAINTAINER to your Bugzilla e-mail address when I commit it.
Comment 12 Kyle Evans 2020-12-13 17:25:52 UTC
(In reply to Kyle Evans from comment #11) Sorry, Q/A took a little longer than I thought because it has a large number of deps that I hadn't built yet -- I've got this staged for commit when I get some time (maybe ~8 hours?) along with an update to audio/mythplugin-mythmusic to mitigate the breakage that would occur for it.
Comment 13 commit-hook 2020-12-16 02:48:49 UTC
A commit references this bug:

Author: kevans
Date: Wed Dec 16 02:48:06 UTC 2020
New revision: 558199
URL: https://svnweb.freebsd.org/changeset/ports/558199

Log:
multimedia/mythtv: update to 31.0

- Upgrade multimedia/mythtv and multimedia/mythtv-frontend from 30 to 31.0
- Bumps python to 3.5+
- Uses ffmpeg 4.3.1 so CVE-2016-10191 no longer applies
- Configuration options changed to reflect update

Release notes: https://www.mythtv.org/wiki/Release_Notes_-_31

audio/mythplugin-mythmusic also bumped as a reverse dep.

Pass maintainership of multimedia/mythtv* to submitter.

PR: 249484
Submitted by: Alan Hicks <ahicks p-o co uk>

Changes:
head/audio/mythplugin-mythmusic/Makefile
head/audio/mythplugin-mythmusic/distinfo
head/audio/mythplugin-mythmusic/pkg-plist
head/multimedia/mythtv/Makefile
head/multimedia/mythtv/distinfo
head/multimedia/mythtv/files/audio.h
head/multimedia/mythtv/files/ca.h
head/multimedia/mythtv/files/dmx.h
head/multimedia/mythtv/files/frontend.h
head/multimedia/mythtv/files/net.h
head/multimedia/mythtv/files/osd.h
head/multimedia/mythtv/files/patch-CVE-2016-10191
head/multimedia/mythtv/files/patch-configure
head/multimedia/mythtv/files/patch-external_FFmpeg_libavformat_rtsp.c
head/multimedia/mythtv/files/patch-external_libmythdvdnav_dvdnav_dvdnav_dvdnav.h
head/multimedia/mythtv/files/patch-libs_libmythmetadata_imagemetadata.cpp
head/multimedia/mythtv/files/patch-libs_libmythtv_DVD_dvdringbuffer.h
head/multimedia/mythtv/files/patch-libs_libmythtv_videodev2.h
head/multimedia/mythtv/files/version.h
head/multimedia/mythtv/files/video.h
head/multimedia/mythtv/pkg-plist
head/multimedia/mythtv-frontend/Makefile
head/multimedia/mythtv-frontend/pkg-plist
Comment 14 commit-hook 2020-12-16 02:49:50 UTC
A commit references this bug:

Author: kevans
Date: Wed Dec 16 02:49:14 UTC 2020
New revision: 558200
URL: https://svnweb.freebsd.org/changeset/ports/558200

Log:
www/mythplugin-mythweb: update to 31.0

Pass MAINTAINER to submitter.

PR: 249484
Submitted by: Alan Hicks <ahicks p-o co uk>

Changes:
head/www/mythplugin-mythweb/Makefile
head/www/mythplugin-mythweb/distinfo
head/www/mythplugin-mythweb/pkg-plist
Comment 15 Kyle Evans 2020-12-16 02:51:12 UTC