Bug 269382

Summary: multimedia/libde265: Update to 1.0.11
Product: Ports & Packages Reporter: Daniel Engberg <diizzy>
Component: Individual Port(s)Assignee: Koop Mast <kwm>
Status: Closed FIXED    
Severity: Affects Only Me CC: pi
Priority: --- Flags: kwm: maintainer-feedback+
Version: Latest   
Hardware: Any   
OS: Any   
URL: https://github.com/strukturag/libde265/releases/tag/v1.0.11
Attachments:
Description Flags
Patch for libde265 none

Description Daniel Engberg freebsd_committer freebsd_triage 2023-02-07 08:09:02 UTC 
Created attachment 239963 [details]
Patch for libde265

Also include PRs submitted by Debian maintainer:
https://github.com/strukturag/libde265/pull/365
https://github.com/strukturag/libde265/pull/366
https://github.com/strukturag/libde265/pull/372

Previous version (1.0.10) fixes a bunch of CVEs:
CVE-2020-21594
CVE-2020-21595
CVE-2020-21596
CVE-2020-21597
CVE-2020-21598
CVE-2020-21599
CVE-2020-21600
CVE-2020-21601
CVE-2020-21602
CVE-2020-21603
CVE-2020-21604
CVE-2020-21605
CVE-2020-21606
CVE-2022-1253
CVE-2022-43236
CVE-2022-43237
CVE-2022-43238
CVE-2022-43239
CVE-2022-43240
CVE-2022-43241
CVE-2022-43242
CVE-2022-43243
CVE-2022-43244
CVE-2022-43245
CVE-2022-43248
CVE-2022-43249
CVE-2022-43250
CVE-2022-43252
CVE-2022-43253
CVE-2022-47655

Compile tested on FreeBSD 13.1-STABLE (amd64) (make, make check-plist)
Poudriere testport OK 12.3-RELEASE (amd64)
Poudriere testport OK 13.1-RELEASE (i386)

Compile tested with following users on FreeBSD 12.3-RELEASE (amd64) using Poudriere:
graphics/libheif
multimedia/gstreamer1-plugins-libde265
Comment 1 Koop Mast freebsd_committer freebsd_triage 2023-02-13 09:47:31 UTC 
Hello thank you for the update. I just have a question about the extra patches, since I'm not 100% sure that we need to include them. As the author mentioned in https://github.com/strukturag/libde265/pull/372 that the CVE's been fixed in another way. And it seems that these 3 pull requests won't be included I think. Could you explain why you want to include these anyway?
Comment 2 Daniel Engberg freebsd_committer freebsd_triage 2023-02-13 09:51:03 UTC 
Hi,

I just mirrored Debian's packaged version of this library which (to me) seems to have a good approach.
https://salsa.debian.org/multimedia-team/libde265/-/tree/master/debian/patches

Best regards,
Daniel
Comment 3 Koop Mast freebsd_committer freebsd_triage 2023-02-13 12:00:26 UTC 
Thanks for the feedback.

This looks good, please go ahead.
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-02-21 20:58:36 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4b6ef035f3ed9b1abfe6152296d5b711ee6146e7

commit 4b6ef035f3ed9b1abfe6152296d5b711ee6146e7
Author:     Koop Mast <kwm@FreeBSD.org>
AuthorDate: 2023-02-21 20:56:44 +0000
Commit:     Koop Mast <kwm@FreeBSD.org>
CommitDate: 2023-02-21 20:57:38 +0000

    security/vuxml: Document libde265 vulnabilities.

    PR:             269382
    Reported by:    diizzy@

 security/vuxml/vuln/2023.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
Comment 5 commit-hook freebsd_committer freebsd_triage 2023-02-21 20:59:37 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4b2680edc58a1a65ff022ec7455957a4d2d864c1

commit 4b2680edc58a1a65ff022ec7455957a4d2d864c1
Author:     Koop Mast <kwm@FreeBSD.org>
AuthorDate: 2023-02-21 20:58:55 +0000
Commit:     Koop Mast <kwm@FreeBSD.org>
CommitDate: 2023-02-21 20:58:55 +0000

    multimedia/libde265: Update to 1.0.11

    Also include some additional patches from debian.

    PR:             269382
    Submitted by:   diizzy@
    Security:       CVE-2020-21594
                    CVE-2020-21595
                    CVE-2020-21596
                    CVE-2020-21597
                    CVE-2020-21598
                    CVE-2020-21599
                    CVE-2020-21600
                    CVE-2020-21601
                    CVE-2020-21602
                    CVE-2020-21603
                    CVE-2020-21604
                    CVE-2020-21605
                    CVE-2020-21606
                    CVE-2022-1253
                    CVE-2022-43236
                    CVE-2022-43237
                    CVE-2022-43238
                    CVE-2022-43239
                    CVE-2022-43240
                    CVE-2022-43241
                    CVE-2022-43242
                    CVE-2022-43243
                    CVE-2022-43244
                    CVE-2022-43245
                    CVE-2022-43248
                    CVE-2022-43249
                    CVE-2022-43250
                    CVE-2022-43252
                    CVE-2022-43253
                    CVE-2022-47655
    MFH:            2023Q1

 multimedia/libde265/Makefile  |  9 +++++++--
 multimedia/libde265/distinfo  | 12 +++++++++---
 multimedia/libde265/pkg-plist |  2 +-
 3 files changed, 17 insertions(+), 6 deletions(-)
Comment 6 Kurt Jaeger freebsd_committer freebsd_triage 2023-02-25 17:40:10 UTC 
Any plans to merge that update to the quarterly tree ?

https://lists.freebsd.org/archives/freebsd-ports/2023-February/003473.html

seems to suggest some action ?
Comment 7 Daniel Engberg freebsd_committer freebsd_triage 2023-03-21 06:13:19 UTC 
I forgot to mention in commit message,

- Adjust port to follow Porters Handbook more closely
Comment 8 Daniel Engberg freebsd_committer freebsd_triage 2023-03-21 06:13:47 UTC 
err, wrong bug report... sorry :/
Comment 9 Daniel Engberg freebsd_committer freebsd_triage 2023-04-12 08:26:42 UTC 
Now indirectly in quarterly since new branch so I'll close this one.