Summary: | multimedia/mythtv: Update to 31.0 | |
---|---|---|---
Product: | Ports & Packages | Reporter: | Alan Hicks <ahicks>
Component: | Individual Port(s) | Assignee: | Kyle Evans <kevans>
Status: | Closed FIXED | |
Severity: | Affects Only Me | CC: | ahicks, freebsdports, kevans, koobs, ports-bugs
Priority: | Normal | Flags: | koobs: maintainer-feedback? (ahicks); kevans: merge-quarterly-
Version: | Latest | |
Hardware: | Any | |
OS: | Any | |
URL: | https://www.mythtv.org/wiki/Release_Notes_-_31 | |
Bug Depends on: | | |
Bug Blocks: | 249337 | |
Attachments: | | |

Description
Alan Hicks
2020-09-20 16:39:08 UTC
Poudriere logs attached as they're 2.4 and 2.2m respectively
https://p-o.co.uk/downloads/mythtv-31.0,1.log
https://p-o.co.uk/downloads/mythtv-frontend-31.0,1.log

@Alan Does this update resolve security vulnerabilities by way of switching the dependency from a bundled ffmpeg to ports?

CVE-2016-10191 only lists before 3.2.2 as vulnerable, the version of ffmpeg included in 31.0 is 4.2.1, there isn't an option to use ffmpeg from ports. I've checked the source file work/mythtv-31.0/mythtv/external/FFmpeg/libavformat/rtmppkt.c and it contains the check for "RTMP packet size mismatch" from patch-CVE-2016-10191.

    head -n 4 work/mythtv-31.0/mythtv/external/FFmpeg/Changelog
    Entries are sorted chronologically from oldest to youngest within each release,
    releases are sorted from youngest to oldest.

    version 4.2.1:

https://nvd.nist.gov/vuln/detail/CVE-2016-10191

Created attachment 218213
Patch to upgrade www/mythplugin-mythweb

poudriere testport log
https://p-o.co.uk/downloads/mythplugin-mythweb-31.0.log

@Alan So just to be explicit, the current port version is affected by at least one vulnerability, and the patches here resolve them (include changes to mitigate/resolve them)?

@Koobs For clarity:
There are no vulnerabilities in the current version 30.0.
This update removes dependency on python 2.7 in favour of 3.5+.
The patch for www/mythplugin-mythweb keeps it in sync with MythTV.
MythTV version 30.0 used a non vulnerable ffmpeg (4.0.2), the CVE patch was superfluous and benign.

I'd like to add that I've tested the multimedia/mythtv & multimedia/mythtv-frontend patches and deployed the packages to a couple of my test systems and everything appears to be working as expected. The new version also addresses a bug where after you play one video a white box remains on the screen. I'm just wanting to add my input as the package in ports is marked as broken and this will address the broken port as well as fix a bug in the previous version.

Would it help to expedite this if I took maintainership of the three ports?

(In reply to Alan Hicks from comment #8)
I'd tend to recommend it if for the sake of longevity, but I do not insist. Based on the patch split, is it safe to assume that mythplugin-mythweb can be upgraded after the fact in a separate commit?

(In reply to Kyle Evans from comment #9)
Yes it's safe to upgrade mythplugin-mythweb in a separate commit, let me know if I should open one and re-submit patch. I've used MythTV for a while so happy to look after it, let me know if there's anything I should do to accept maintainership. Thanks

(In reply to Alan Hicks from comment #10)
Perfect, thanks! I'll do one more Q/A pass tonight then commit. No further action required; you've acknowledged that you're interested in MAINTAINERship coinciding with this here patch to save it from the grim reaper at the end of the month, I will pass MAINTAINER to your Bugzilla e-mail address when I commit it.

(In reply to Kyle Evans from comment #11)
Sorry, Q/A took a little longer than I thought because it has a large number of deps that I hadn't built yet -- I've got this staged for commit when I get some time (maybe ~8 hours?) along with an update to audio/mythplugin-mythmusic to mitigate the breakage that would occur for it.

A commit references this bug:

Author: kevans
Date: Wed Dec 16 02:48:06 UTC 2020
New revision: 558199
URL: https://svnweb.freebsd.org/changeset/ports/558199

Log:
  multimedia/mythtv: update to 31.0

  - Upgrade multimedia/mythtv and multimedia/mythtv-frontend from 30 to 31.0
  - Bumps python to 3.5+
  - Uses ffmpeg 4.3.1 so CVE-2016-10191 no longer applies
  - Configuration options changed to reflect update

  Release notes: https://www.mythtv.org/wiki/Release_Notes_-_31

  audio/mythplugin-mythmusic also bumped as a reverse dep.

  Pass maintainership of multimedia/mythtv* to submitter.
  PR: 249484
  Submitted by: Alan Hicks <ahicks p-o co uk>

Changes:
  head/audio/mythplugin-mythmusic/Makefile
  head/audio/mythplugin-mythmusic/distinfo
  head/audio/mythplugin-mythmusic/pkg-plist
  head/multimedia/mythtv/Makefile
  head/multimedia/mythtv/distinfo
  head/multimedia/mythtv/files/audio.h
  head/multimedia/mythtv/files/ca.h
  head/multimedia/mythtv/files/dmx.h
  head/multimedia/mythtv/files/frontend.h
  head/multimedia/mythtv/files/net.h
  head/multimedia/mythtv/files/osd.h
  head/multimedia/mythtv/files/patch-CVE-2016-10191
  head/multimedia/mythtv/files/patch-configure
  head/multimedia/mythtv/files/patch-external_FFmpeg_libavformat_rtsp.c
  head/multimedia/mythtv/files/patch-external_libmythdvdnav_dvdnav_dvdnav_dvdnav.h
  head/multimedia/mythtv/files/patch-libs_libmythmetadata_imagemetadata.cpp
  head/multimedia/mythtv/files/patch-libs_libmythtv_DVD_dvdringbuffer.h
  head/multimedia/mythtv/files/patch-libs_libmythtv_videodev2.h
  head/multimedia/mythtv/files/version.h
  head/multimedia/mythtv/files/video.h
  head/multimedia/mythtv/pkg-plist
  head/multimedia/mythtv-frontend/Makefile
  head/multimedia/mythtv-frontend/pkg-plist

A commit references this bug:

Author: kevans
Date: Wed Dec 16 02:49:14 UTC 2020
New revision: 558200
URL: https://svnweb.freebsd.org/changeset/ports/558200

Log:
  www/mythplugin-mythweb: update to 31.0

  Pass MAINTAINER to submitter.

  PR: 249484
  Submitted by: Alan Hicks <ahicks p-o co uk>

Changes:
  head/www/mythplugin-mythweb/Makefile
  head/www/mythplugin-mythweb/distinfo
  head/www/mythplugin-mythweb/pkg-plist

Committed, thanks!
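
The manual check described earlier in this thread (reading the bundled FFmpeg release from its Changelog and looking for the "RTMP packet size mismatch" test in libavformat/rtmppkt.c) can be scripted so it is repeated on every port update; this is an added example, not part of the bug report or the port. The function names, the `audit.sh` file name and the sample tree are hypothetical or constructed; the 3.2.2 threshold and the marker string are the ones quoted in the comments above.

```shell
#!/bin/sh
# Added example: audit a bundled FFmpeg tree for the CVE-2016-10191 fix.
FIXED_IN="3.2.2"                       # threshold quoted in the thread
MARKER="RTMP packet size mismatch"     # string checked in the thread

# Newest release named in the tree's Changelog ("version X.Y.Z:").
bundled_version() {
    sed -n 's/^version \([0-9][0-9.]*\):.*/\1/p' "$1/Changelog" 2>/dev/null | head -n 1
}

# Succeed if dotted version $1 >= $2, comparing field by field as numbers.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print a verdict for the FFmpeg tree rooted at $1.
audit_tree() {
    ver=$(bundled_version "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi
    has_check=no
    if grep -q "$MARKER" "$1/libavformat/rtmppkt.c" 2>/dev/null; then has_check=yes; fi
    if [ "$has_check" = no ]; then
        echo "review $ver"          # marker absent: inspect by hand
    elif version_ge "$ver" "$FIXED_IN"; then
        echo "ok $ver"              # fixed release and check present
    else
        echo "backported $ver"      # old release carrying the check
    fi
}

# Constructed sample tree (not real FFmpeg source) so the script runs offline.
make_sample() {  # $1 = version, $2 = yes|no (include the marker string)
    d=$(mktemp -d) && mkdir -p "$d/libavformat"
    printf 'Changelog header (constructed)\n\nversion %s:\n' "$1" > "$d/Changelog"
    if [ "$2" = yes ]; then
        printf '/* constructed: %s */\n' "$MARKER" > "$d/libavformat/rtmppkt.c"
    else
        printf '/* constructed: no size check */\n' > "$d/libavformat/rtmppkt.c"
    fi
    echo "$d"
}

# Usage (hypothetical file name): sh audit.sh work/mythtv-31.0/mythtv/external/FFmpeg
if [ -n "${1:-}" ]; then audit_tree "$1"; fi
```

A "review" verdict does not mean the tree is vulnerable, only that the marker string was not found and the file needs to be read by hand.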