Bug 200852 - multimedia/ffmpeg0: Update to 0.7.17
Summary: multimedia/ffmpeg0: Update to 0.7.17
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: William Grzybowski
URL:
Keywords: easy, needs-qa, patch, security
Depends on:
Blocks:
 
Reported: 2015-06-14 15:29 UTC by John Hein
Modified: 2015-08-26 00:27 UTC (History)

See Also:
wg: maintainer-feedback+
delphij: merge-quarterly+


Attachments
update ffmpeg0 to 0.7.17 (784 bytes, patch)
2015-06-14 15:32 UTC, John Hein
koobs: maintainer-approval? (wg)
ffmpeg0-0.7.17,1.log (175.80 KB, text/plain)
2015-06-17 21:55 UTC, John Hein
ffmpeg0.diff (100.37 KB, patch)
2015-08-25 09:17 UTC, Walter Schwarzenfeld

Description John Hein 2015-06-14 15:29:25 UTC
ffmpeg0 < 0.7.17 has vulnerabilities:

http://vuxml.FreeBSD.org/freebsd/65b14d39-d01f-419c-b0b8-5df60b929973.html

gnome3 depends on gnome3 which depends on ekiga which depends on opal which depends on ffmpeg0

I updated to 0.7.17 on 6/11 and haven't noticed any problems (but __far__ from exhaustive testing).
Comment 1 John Hein 2015-06-14 15:32:35 UTC
Created attachment 157728 [details]
update ffmpeg0 to 0.7.17
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-15 06:55:37 UTC
Assign correctly to maintainer. Original summary was not in "category/port" format, and thus was not assigned.
Comment 3 John Hein 2015-06-17 21:55:56 UTC
Created attachment 157844 [details]
ffmpeg0-0.7.17,1.log

poudriere testport log - 9/x32; also passes stage-qa, check-plist & check-sanity
Comment 4 John Hein 2015-08-22 13:23:16 UTC
ping.

0.7.16_10 (current rev of port) is still broken...

===============
ffmpeg -- multiple vulnerabilities
CVE: CVE-2015-1872
CVE: CVE-2014-9603
CVE: CVE-2014-9317
CVE: CVE-2014-9316
CVE: CVE-2014-8548
CVE: CVE-2014-8547
CVE: CVE-2014-8545
CVE: CVE-2014-8543
CVE: CVE-2014-8542
CVE: CVE-2014-8541
CVE: CVE-2014-4609
CVE: CVE-2012-5150
WWW: https://vuxml.FreeBSD.org/freebsd/65b14d39-d01f-419c-b0b8-5df60b929973.html

1 problem(s) in the installed packages found. ...
===>  ffmpeg0-0.7.16_10,1 has known vulnerabilities:
ffmpeg0-0.7.16_10,1 is vulnerable:
ffmpeg -- multiple vulnerabilities
CVE: CVE-2015-1872
CVE: CVE-2014-9603
CVE: CVE-2014-9317
CVE: CVE-2014-9316
CVE: CVE-2014-8548
CVE: CVE-2014-8547
CVE: CVE-2014-8545
CVE: CVE-2014-8543
CVE: CVE-2014-8542
CVE: CVE-2014-8541
CVE: CVE-2014-4609
CVE: CVE-2012-5150
WWW: https://vuxml.FreeBSD.org/freebsd/65b14d39-d01f-419c-b0b8-5df60b929973.html

1 problem(s) in the installed packages found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** [check-vulnerable] Error code 1

Stop in /usr/ports/multimedia/ffmpeg0.
=============================
Comment 5 William Grzybowski freebsd_committer 2015-08-22 15:59:42 UTC
Sorry, can someone commit on my behalf?

Tyvm
Comment 6 Jason Unovitch freebsd_committer 2015-08-24 02:44:40 UTC
Add ports-secteam for approval and set merge-quarterly?

Patch applied manually due to PORTREVISION changes since PR was opened and now.  With that, Poudriere QA checks on the following support the good build from before.
9.3-RELEASE-p21      amd64
9.3-RELEASE-p21      i386
10.1-RELEASE-p17     amd64
10.1-RELEASE-p17     i386
10.2-RELEASE         amd64
10.2-RELEASE         i386
11.0-CURRENT r286886 amd64
11.0-CURRENT r286888 i386

Portlint has warnings but given the age of the PR it may be best to just get the security update in.

Is there an approved by for commit + MFH?
Comment 7 Xin LI freebsd_committer 2015-08-24 04:02:40 UTC
(In reply to Jason Unovitch from comment #6)
Approved, thanks for working on this!
Comment 8 commit-hook freebsd_committer 2015-08-24 10:03:47 UTC
A commit references this bug:

Author: junovitch
Date: Mon Aug 24 10:03:15 UTC 2015
New revision: 395164
URL: https://svnweb.freebsd.org/changeset/ports/395164

Log:
  multimedia/ffmpeg0: security update 0.7.16 -> 0.7.17

  PR:		200852
  Security:	65b14d39-d01f-419c-b0b8-5df60b929973
  Submitted by:	John Hein <z7dr6ut7gs@snkmail.com>
  Approved by:	wg (maintainer), delphij (mentor)
  MFH:		2015Q3

Changes:
  head/multimedia/ffmpeg0/Makefile
  head/multimedia/ffmpeg0/distinfo
Comment 9 Jason Unovitch freebsd_committer 2015-08-24 10:19:15 UTC
(In reply to Xin LI from comment #7)

The current PORTREVISION is 8 in the quarterly branch.  These are the other updates since the branch was made.

https://svnweb.FreeBSD.org/ports?view=revision&revision=391217
https://svnweb.FreeBSD.org/ports?view=revision&revision=391234
https://svnweb.FreeBSD.org/ports?view=revision&revision=391292

Are any of these an issue?  They are all for more extensive work so I'm fairly certain 'Tools/scripts/mfh 2015Q3 394265' and manually resolving the merge conflict to 0.7.17 is the correct thing to do.
Comment 10 Walter Schwarzenfeld 2015-08-25 07:09:20 UTC
Cause 0.7.17 has vulnerabilities https://www.vuxml.org/freebsd/65b14d39-d01f-419c-b0b8-5df60b929973.html.

An ffmpeg0 version 0.8 exists. And it fetches, compiles and installs fine after I removed the AACPLUS option and made some changes in pkg-plist (genplist does not work exactly; there remain doubled entries).
AACPLUS seems not to exist in this version anymore. Error Message: unknown option --enable-libaacplus or --disable-libaacplus.
Checked with ./configure --help. No such configure option exists and I found no libaacplus directory in work/ffmpeg-0.8.
Comment 11 Walter Schwarzenfeld 2015-08-25 09:17:43 UTC
Created attachment 160337 [details]
ffmpeg0.diff

Didn't change the date in the files.
Comment 12 John Hein 2015-08-25 19:40:37 UTC
Walter (comment 10 & comment 11),

(a) the vuxml entry doesn't show vulnerabilities for 0.7.17 (it's for < 0.7.17).

(b) your patch looks malformed (extra files, parts of the patch that don't apply).

(c) Looking at http://ffmpeg.org/releases/, ffmpeg-0.8 appears to be old (from 2011).

(d) you should open a new PR instead of hijacking this one if you still want to continue with this.
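A worked illustration of the version-range check behind the check-vulnerable output in comment 4 and point (a) of comment 12, added here as example code that is not part of this PR, the ports tree or pkg(8). It parses FreeBSD package versions of the form VERSION[_PORTREVISION][,PORTEPOCH] using a simplified reading of pkg's comparison rules (epoch first, then dotted version components with optional letter suffixes, then revision), evaluates a small textual range notation of its own (`<0.7.17,1` standing in for VuXML's `<lt>` element), and shows that `0.7.16_10,1` falls inside the affected range while `0.7.17,1` does not. The advisory range with its `,1` epoch, the sample installed package set and the `audit` helper are assumptions constructed for the example; the real advisory is the VuXML entry referenced in the PR.

```python
import re
from typing import Dict, List, Tuple

Component = Tuple[int, str]


def _split_version(text: str) -> List[Component]:
    """Split '0.7.16a' into [(0, ''), (7, ''), (16, 'a')].

    Each dotted piece becomes (number, letter suffix). Anything else is
    rejected rather than guessed at; this is an approximation of pkg's
    rules, not pkg itself.
    """
    parts: List[Component] = []
    for piece in text.split("."):
        m = re.fullmatch(r"(\d*)([A-Za-z]*)", piece)
        if m is None:
            raise ValueError(f"unsupported version component: {piece!r}")
        num, suffix = m.groups()
        parts.append((int(num) if num else 0, suffix.lower()))
    return parts


class PkgVersion:
    """FreeBSD package version: VERSION[_PORTREVISION][,PORTEPOCH]."""

    def __init__(self, text: str):
        self.text = text
        epoch = 0
        if "," in text:                      # PORTEPOCH, e.g. '0.7.17,1'
            text, epoch_s = text.rsplit(",", 1)
            epoch = int(epoch_s)
        revision = 0
        if "_" in text:                      # PORTREVISION, e.g. '0.7.16_10'
            text, rev_s = text.rsplit("_", 1)
            revision = int(rev_s)
        self.epoch = epoch
        self.revision = revision
        self.components = _split_version(text)

    def compare(self, other: "PkgVersion") -> int:
        """Return -1, 0 or 1. Epoch is decisive, then version, then revision."""
        if self.epoch != other.epoch:
            return -1 if self.epoch < other.epoch else 1
        # Missing trailing components count as 0, so 0.7 == 0.7.0.
        width = max(len(self.components), len(other.components))
        pad: List[Component] = [(0, "")]
        a = self.components + pad * (width - len(self.components))
        b = other.components + pad * (width - len(other.components))
        if a != b:
            return -1 if a < b else 1
        if self.revision != other.revision:
            return -1 if self.revision < other.revision else 1
        return 0


# Range operators for this example's own textual notation; VuXML itself
# expresses the same constraints with <lt>, <le>, <gt>, <ge> and <eq>.
_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
}


def in_range(installed: str, spec: str) -> bool:
    """True if `installed` satisfies every constraint in `spec`, e.g. '>=0.7,1 <0.7.17,1'."""
    pv = PkgVersion(installed)
    for token in spec.split():
        m = re.fullmatch(r"(<=|>=|==|<|>)(.+)", token)
        if m is None:
            raise ValueError(f"bad constraint: {token!r}")
        op, bound = m.groups()
        if not _OPS[op](pv.compare(PkgVersion(bound))):
            return False
    return True


def audit(installed: Dict[str, str], advisories: List[dict]) -> List[Tuple[str, str]]:
    """Return (package-version, advisory title) pairs for installed packages in an affected range."""
    hits = []
    for name, version in installed.items():
        for adv in advisories:
            for pkg, spec in adv["affects"]:
                if pkg == name and in_range(version, spec):
                    hits.append((f"{name}-{version}", adv["title"]))
    return hits


# Constructed sample data (assumption): one advisory modelled on the PR's
# '< 0.7.17' wording, carrying the port's ,1 epoch, and one installed package.
SAMPLE_ADVISORIES = [
    {"title": "ffmpeg -- multiple vulnerabilities",
     "affects": [("ffmpeg0", "<0.7.17,1")]},
]
SAMPLE_INSTALLED = {"ffmpeg0": "0.7.16_10,1"}

if __name__ == "__main__":
    for pkg, title in audit(SAMPLE_INSTALLED, SAMPLE_ADVISORIES):
        print(f"{pkg} is vulnerable: {title}")
    print("after update:", audit({"ffmpeg0": "0.7.17,1"}, SAMPLE_ADVISORIES))
```

Because the epoch is compared before anything else, a constraint written as `<0.7.17` (no epoch) would never match an installed `0.7.16_10,1`: epoch 1 sorts above epoch 0 regardless of the version behind it. That is the case the example's tests exercise, and it is why a range and the package it is checked against must carry the same epoch for a `<` comparison to mean what the reader of the advisory expects.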
Comment 13 Walter Schwarzenfeld 2015-08-25 19:51:13 UTC
Sorry, was a big misunderstanding with "<". Could be closed.
Comment 14 John Hein 2015-08-25 20:13:48 UTC
(In reply to Jason Unovitch from comment #9)

I don't think the other updates you mention (since PORTREVISION 8) are important to have on the quarterly branch.  The 8->9 bump is just to chase the new version of *x264 ports.  The 9->10 bump (over two commits) is mostly for OPTIONS cleanup - except for a CFLAGS fix for armv6 (which is not a security fix - I don't know how strictly we adhere to security fixes only on the quarterly branch).

IMO, your plan to resolve the PORTREVISION conflict and merge the patch otherwise as is to the quarterly branch seems correct (although I'm not sure running mfh with 394265 is correct - seems to be an unrelated changeset).
Comment 15 commit-hook freebsd_committer 2015-08-25 23:59:09 UTC
A commit references this bug:

Author: junovitch
Date: Tue Aug 25 23:58:20 UTC 2015
New revision: 395326
URL: https://svnweb.freebsd.org/changeset/ports/395326

Log:
  MFH: r391234

  multimedia/ffmpeg0: Use OPTIONS helpers, Honour CFLAGS

  - Use OPTIONS helpers for as many as conditional blocks as possible.
    Blocks with FFMPEG_* and other variables not supported by the helper
    framework are not modified.
  - Honour CFLAGS for armv6 (= -> ?=)

  While I'm here:

  - Sort and group common or related Makefile sections where it made sense
    to do so and improved readability. Put global things up the top and
    conditional blocks below.
  - Improve whitespace alignment for readability.

  Approved by:		wg (maintainer)
  Differential Revision:	https://reviews.freebsd.org/D2981

  MFH: r391234

  multimedia/ffmpeg0: Fix X11GRAB dependency typo

  Fix a typo (s/xent/xext) in the X11GRAB USE_XORG dependency assignment that was
  introduced in r391234.

  PR:		201321
  Submitted by:	Andrey Fesenko <andrey bsdnir info>
  Approved by:	pointyhat (koobs)

  MFH: r395164

  multimedia/ffmpeg0: security update 0.7.16 -> 0.7.17

  PR:		200852
  Security:	65b14d39-d01f-419c-b0b8-5df60b929973
  Submitted by:	John Hein <z7dr6ut7gs@snkmail.com>
  Approved by:	wg (maintainer), delphij (mentor)
  Approved by:	ports-secteam (delphij)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/multimedia/ffmpeg0/Makefile
  branches/2015Q3/multimedia/ffmpeg0/distinfo
Comment 16 Jason Unovitch freebsd_committer 2015-08-26 00:25:27 UTC
(In reply to Walter Schwarzenfeld from comment #10, comment #11, and comment #13)

Walter, hopefully my explanation over in the forums at https://forums.FreeBSD.org/threads/updating-ffmpeg0.52887 clears up why the patch wasn't needed.  If you have any questions on it we can discuss it on the Forums.

(In reply to John Hein from comment #14)

Security update plus build and runtime fixes.  After discussing with ports-secteam the r391217 shlib bump would not have worked out but the cleanup and CFLAG handling for armv6 was worthwhile.  It was merged with the security update.
Comment 17 Jason Unovitch freebsd_committer 2015-08-26 00:26:28 UTC
Comment on attachment 160337 [details]
ffmpeg0.diff

Obsolete patch for ffmpeg0-0.8
Comment 18 Jason Unovitch freebsd_committer 2015-08-26 00:27:28 UTC
Thank you! All updates have been committed and I am closing the PR.