ffmpeg0 < 0.7.17 has vulnerabilities: http://vuxml.FreeBSD.org/freebsd/65b14d39-d01f-419c-b0b8-5df60b929973.html

gnome3 depends on gnome3 which depends on ekiga which depends on opal which depends on ffmpeg0

I updated to 0.7.17 on 6/11 and haven't noticed any problems (but __far__ from exhaustive testing).
Created attachment 157728 [details] update ffmpeg0 to 0.7.17
Assign correctly to maintainer. Original summary was not in "category/port" format, and thus was not assigned.
Created attachment 157844 [details] ffmpeg0-0.7.17,1.log poudriere testport log - 9/x32; also passes stage-qa, check-plist & check-sanity
ping. 0.7.16_10 (current rev of port) is still broken...

===============
ffmpeg -- multiple vulnerabilities
CVE: CVE-2015-1872
CVE: CVE-2014-9603
CVE: CVE-2014-9317
CVE: CVE-2014-9316
CVE: CVE-2014-8548
CVE: CVE-2014-8547
CVE: CVE-2014-8545
CVE: CVE-2014-8543
CVE: CVE-2014-8542
CVE: CVE-2014-8541
CVE: CVE-2014-4609
CVE: CVE-2012-5150
WWW: https://vuxml.FreeBSD.org/freebsd/65b14d39-d01f-419c-b0b8-5df60b929973.html

1 problem(s) in the installed packages found.
...
===> ffmpeg0-0.7.16_10,1 has known vulnerabilities:
ffmpeg0-0.7.16_10,1 is vulnerable:
ffmpeg -- multiple vulnerabilities
CVE: CVE-2015-1872
CVE: CVE-2014-9603
CVE: CVE-2014-9317
CVE: CVE-2014-9316
CVE: CVE-2014-8548
CVE: CVE-2014-8547
CVE: CVE-2014-8545
CVE: CVE-2014-8543
CVE: CVE-2014-8542
CVE: CVE-2014-8541
CVE: CVE-2014-4609
CVE: CVE-2012-5150
WWW: https://vuxml.FreeBSD.org/freebsd/65b14d39-d01f-419c-b0b8-5df60b929973.html

1 problem(s) in the installed packages found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** [check-vulnerable] Error code 1

Stop in /usr/ports/multimedia/ffmpeg0.
=============================
Sorry, can someone commit on my behalf? Tyvm
Add ports-secteam for approval and set merge-quarterly?

Patch applied manually due to PORTREVISION changes between when the PR was opened and now. With that, Poudriere QA checks on the following support the good build from before.
9.3-RELEASE-p21 amd64
9.3-RELEASE-p21 i386
10.1-RELEASE-p17 amd64
10.1-RELEASE-p17 i386
10.2-RELEASE amd64
10.2-RELEASE i386
11.0-CURRENT r286886 amd64
11.0-CURRENT r286888 i386

Portlint has warnings, but given the age of the PR it may be best to just get the security update in. Is there an "Approved by" for commit + MFH?
(In reply to Jason Unovitch from comment #6) Approved, thanks for working on this!
A commit references this bug:

Author: junovitch
Date: Mon Aug 24 10:03:15 UTC 2015
New revision: 395164
URL: https://svnweb.freebsd.org/changeset/ports/395164

Log:
  multimedia/ffmpeg0: security update 0.7.16 -> 0.7.17

  PR:           200852
  Security:     65b14d39-d01f-419c-b0b8-5df60b929973
  Submitted by: John Hein <z7dr6ut7gs@snkmail.com>
  Approved by:  wg (maintainer), delphij (mentor)
  MFH:          2015Q3

Changes:
  head/multimedia/ffmpeg0/Makefile
  head/multimedia/ffmpeg0/distinfo
(In reply to Xin LI from comment #7)
The current PORTREVISION is 8 in the quarterly branch. These are the other updates since the branch was made.
https://svnweb.FreeBSD.org/ports?view=revision&revision=391217
https://svnweb.FreeBSD.org/ports?view=revision&revision=391234
https://svnweb.FreeBSD.org/ports?view=revision&revision=391292

Are any of these an issue? They are all for more extensive work, so I'm fairly certain 'Tools/scripts/mfh 2015Q3 394265' and manually resolving the merge conflict to 0.7.17 is the correct thing to do.
Because 0.7.17 has vulnerabilities: https://www.vuxml.org/freebsd/65b14d39-d01f-419c-b0b8-5df60b929973.html.

An ffmpeg0 version 0.8 exists. And it fetches, compiles and installs fine after I removed the AACPLUS option and made some changes in pkg-plist (genplist does not work exactly; there remain doubled entries). AACPLUS seems not to exist in this version anymore. Error message: unknown option --enable-libaacplus or --disable-libaacplus. Checked with ./configure --help. No such configure option exists, and I found no libaacplus directory in work/ffmpeg-0.8.
Created attachment 160337 [details] ffmpeg0.diff Didn't change the dates in the files.
Walter (comment 10 & comment 11), (a) the vuxml entry doesn't show vulnerabilities for 0.7.17 (it's for < 0.7.17). (b) your patch looks malformed (extra files, parts of the patch that don't apply). (c) Looking at http://ffmpeg.org/releases/, ffmpeg-0.8 appears to be old (from 2011). (d) you should open a new PR instead of hijacking this one if you still want to continue with this.
Sorry, it was a big misunderstanding with "<". Can be closed.
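The confusion in comments 10 through 14 is about how a VuXML range such as "< 0.7.17" is applied to a FreeBSD package version string like ffmpeg0-0.7.16_10,1. As an added illustration (not code from this PR, from pkg(8), or from the ports tree), the following Python implements a simplified version of the FreeBSD package version ordering described in pkg-version(8) (epoch after the comma first, then the dotted version, then the _revision) and a VuXML-style range check on top of it. The advisory entry below is constructed for the example: the ID is the one referenced in this PR, but the bound "<0.7.17,1" (with epoch 1, matching the installed package strings in comments 4 and 5) is an assumption, and pkg's real comparison has further rules that this example omits.

```python
"""Simplified FreeBSD package version comparison plus a VuXML-style range
check, illustrating why ffmpeg0-0.7.16_10,1 matches "<0.7.17,1" while
ffmpeg0-0.7.17,1 does not.  This is example code, not pkg(8)'s algorithm."""
import re

# Pre-release markers sort below a missing component (1.0rc1 < 1.0).
PRERELEASE = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1}
# Comparison keys are (class, value): 0 = pre-release, 1 = absent
# (padding), 2 = numeric, 3 = alphabetic (1.0a > 1.0).
ABSENT = (1, 0)


def split_pkgname(pkgname):
    """'ffmpeg0-0.7.16_10,1' -> ('ffmpeg0', '0.7.16_10,1')."""
    name, sep, version = pkgname.rpartition("-")
    if not sep or not name:
        raise ValueError("not a name-version string: %r" % pkgname)
    return name, version


def parse_version(version):
    """Return (epoch, component keys, revision) for 'ver[_rev][,epoch]'."""
    epoch = 0
    if "," in version:
        version, epoch_str = version.split(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.split("_", 1)
        revision = int(rev_str)
    keys = []
    for chunk in version.split("."):
        for tok in re.findall(r"\d+|[A-Za-z]+", chunk):
            if tok.isdigit():
                keys.append((2, int(tok)))
            elif tok.lower() in PRERELEASE:
                keys.append((0, PRERELEASE[tok.lower()]))
            else:
                keys.append((3, tok.lower()))
    return epoch, keys, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ka, ra = parse_version(a)
    eb, kb, rb = parse_version(b)
    if ea != eb:                      # epoch dominates everything else
        return -1 if ea < eb else 1
    n = max(len(ka), len(kb))
    ka = ka + [ABSENT] * (n - len(ka))
    kb = kb + [ABSENT] * (n - len(kb))
    for x, y in zip(ka, kb):
        if x != y:
            return -1 if x < y else 1
    if ra != rb:                      # PORTREVISION breaks ties last
        return -1 if ra < rb else 1
    return 0


# VuXML range operators; every bound inside one <range> must hold.
OPS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}


def in_range(version, bounds):
    return all(OPS[op](compare_versions(version, v)) for op, v in bounds)


# Constructed advisory: the vid is the one cited in this PR, the bound is
# an assumed "<0.7.17,1" for package ffmpeg0.
ADVISORIES = {
    "65b14d39-d01f-419c-b0b8-5df60b929973": {
        "name": "ffmpeg0",
        "ranges": [[("lt", "0.7.17,1")]],
    },
}


def audit(installed, advisories=ADVISORIES):
    """Return [(pkgname, vid)] for every installed package in a vulnerable range."""
    findings = []
    for pkgname in installed:
        name, version = split_pkgname(pkgname)
        for vid, adv in advisories.items():
            if adv["name"] != name:
                continue
            if any(in_range(version, bounds) for bounds in adv["ranges"]):
                findings.append((pkgname, vid))
    return findings


if __name__ == "__main__":
    for pkg, vid in audit(["ffmpeg0-0.7.16_10,1", "ffmpeg0-0.7.17,1"]):
        print("%s is vulnerable: %s" % (pkg, vid))
```

The two points the thread turned on are visible in the ordering: the PORTREVISION suffix `_10` only breaks ties between otherwise equal versions, so `0.7.16_10` is still older than `0.7.17`, and the `,1` epoch is compared before anything else, so a version string without the epoch would never satisfy a bound written with it.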
(In reply to Jason Unovitch from comment #9) I don't think the other updates you mention (since PORTREVISION 8) are important to have on the quarterly branch. The 8->9 bump is just to chase the new version of *x264 ports. The 9->10 bump (over two commits) is mostly for OPTIONS cleanup - except for a CFLAGS fix for armv6 (which is not a security fix - I don't know how strictly we adhere to security fixes only on the quarterly branch). IMO, your plan to resolve the PORTREVISION conflict and merge the patch otherwise as is to the quarterly branch seems correct (although I'm not sure running mfh with 394265 is correct - seems to be an unrelated changeset).
A commit references this bug:

Author: junovitch
Date: Tue Aug 25 23:58:20 UTC 2015
New revision: 395326
URL: https://svnweb.freebsd.org/changeset/ports/395326

Log:
  MFH: r391234

  multimedia/ffmpeg0: Use OPTIONS helpers, Honour CFLAGS

  - Use OPTIONS helpers for as many as conditional blocks as possible.
    Blocks with FFMPEG_* and other variables not supported by the helper
    framework are not modified.
  - Honour CFLAGS for armv6 (= -> ?=)

  While I'm here:

  - Sort and group common or related Makefile sections where it made sense
    to do so and improved readability. Put global things up the top and
    conditional blocks below.
  - Improve whitespace alignment for readability.

  Approved by:  wg (maintainer)
  Differential Revision:  https://reviews.freebsd.org/D2981

  MFH: r391234

  multimedia/ffmpeg0: Fix X11GRAB dependency typo

  Fix a typo (s/xent/xext) in the X11GRAB USE_XORG dependency assignment
  that was introduced in r391234.

  PR:           201321
  Submitted by: Andrey Fesenko <andrey bsdnir info>
  Approved by:  pointyhat (koobs)

  MFH: r395164

  multimedia/ffmpeg0: security update 0.7.16 -> 0.7.17

  PR:           200852
  Security:     65b14d39-d01f-419c-b0b8-5df60b929973
  Submitted by: John Hein <z7dr6ut7gs@snkmail.com>
  Approved by:  wg (maintainer), delphij (mentor)

  Approved by:  ports-secteam (delphij)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/multimedia/ffmpeg0/Makefile
  branches/2015Q3/multimedia/ffmpeg0/distinfo
(In reply to Walter Schwarzenfeld from comment #10, comment #11, and comment #13)
Walter, hopefully my explanation over in the forums at https://forums.FreeBSD.org/threads/updating-ffmpeg0.52887 clears up why the patch wasn't needed. If you have any questions on it we can discuss it on the Forums.

(In reply to John Hein from comment #14)
Security update plus build and runtime fixes. After discussing with ports-secteam, the r391217 shlib bump would not have worked out, but the cleanup and CFLAGS handling for armv6 was worthwhile. It was merged with the security update.
Comment on attachment 160337 [details] ffmpeg0.diff Obsolete patch for ffmpeg0-0.8
Thank you! All updates have been committed and I am closing the PR.