Bug 203502 - multimedia/ffmpeg -- multiple vulnerabilities
Summary: multimedia/ffmpeg -- multiple vulnerabilities
Status: Closed Works As Intended
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Many People
Assignee: freebsd-multimedia mailing list
Depends on:
Reported: 2015-10-02 11:32 UTC by dezillium
Modified: 2015-10-02 18:20 UTC

See Also:


Description dezillium 2015-10-02 11:32:59 UTC
pkg audit reports multiple vulnerabilities:

gstreamer1-libav-1.4.5 is vulnerable:
ffmpeg -- use-after-free
CVE: CVE-2015-3417
WWW: https://vuxml.FreeBSD.org/freebsd/da434a78-e342-4d9a-87e2-7497e5f117ba.html

gstreamer1-libav-1.4.5 is vulnerable:
ffmpeg -- multiple vulnerabilities
CVE: CVE-2015-6826
CVE: CVE-2015-6825
CVE: CVE-2015-6824
CVE: CVE-2015-6823
CVE: CVE-2015-6822
CVE: CVE-2015-6821
CVE: CVE-2015-6820
CVE: CVE-2015-6819
CVE: CVE-2015-6818
WWW: https://vuxml.FreeBSD.org/freebsd/3d950687-b4c9-4a86-8478-c56743547af8.html

gstreamer1-libav-1.4.5 is vulnerable:
ffmpeg -- out-of-bounds array access
CVE: CVE-2015-3395
WWW: https://vuxml.FreeBSD.org/freebsd/80c66af0-d1c5-449e-bd31-63b12525ff88.html
Comment 1 Jan Beich freebsd_committer 2015-10-02 18:20:33 UTC
gstreamer1-libav was fixed by ports r397984 before 2015Q4 branched. 2015Q3 hasn't been supported since 2015-10-01. So, why are your gstreamer1* packages still at 1.4.5?

A few ports maintained by multimedia@ are still affected: multimedia/avidemux and multimedia/gstreamer-ffmpeg. avidemux is waiting for the next upstream release. gstreamer-ffmpeg is not maintained upstream (entire 0.x series) and needs either to be removed or to have fixes backported. Depending on ffmpeg0 wouldn't help, as that isn't maintained upstream either.

Other ports in those VuXML entries mainly illustrate the liability from not respecting system libs[1]. Upstream of multimedia/libav probably has different priorities, unless all those vulnerabilities don't apply to their diverged code.

If you want a specific port fixed then it should be noted in the Summary. Each port requires a different amount of work and has a different maintainer. VuXML itself is advisory in nature and can be ignored in certain cases (by default for PACKAGE_BUILDING) or fixed if inaccurate.

[1] https://www.freebsd.org/doc/en/books/porters-handbook/bundled-libs.html
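The report above is raw `pkg audit` output: one block per matching VuXML entry, each naming the installed package, the advisory title, one or more `CVE:` lines and a `WWW:` link. When several entries hit the same package (as the three ffmpeg entries hit gstreamer1-libav-1.4.5 here), it is useful to collapse that into a per-package CVE count before deciding which ports to chase. The following POSIX shell/awk script is an added example, not part of this bug or of FreeBSD's pkg tooling; the embedded sample is a constructed subset of the output quoted in the description, and the function names (`parse_pkg_audit`, `summarize_pkg_audit`, `cve_ids`) are this example's own.

```shell
#!/bin/sh
# Constructed sample of `pkg audit` output (a subset of the report above).
# On a real host, pipe the live output of `pkg audit` (or `pkg audit -F`,
# which refreshes the VuXML database first) into the functions below instead.
PKG_AUDIT_SAMPLE='gstreamer1-libav-1.4.5 is vulnerable:
ffmpeg -- use-after-free
CVE: CVE-2015-3417
WWW: https://vuxml.FreeBSD.org/freebsd/da434a78-e342-4d9a-87e2-7497e5f117ba.html

gstreamer1-libav-1.4.5 is vulnerable:
ffmpeg -- multiple vulnerabilities
CVE: CVE-2015-6826
CVE: CVE-2015-6825
WWW: https://vuxml.FreeBSD.org/freebsd/3d950687-b4c9-4a86-8478-c56743547af8.html
'

# Flatten the block-per-entry text into one tab-separated line per CVE:
#   <package-with-version> TAB <CVE id> TAB <VuXML URL>
# The "is vulnerable:" line opens an entry, CVE lines accumulate, and the
# WWW line closes the entry and flushes one output line per CVE.
parse_pkg_audit() {
    awk '
        /^[^ ]+ is vulnerable:/ { pkg = $1; ncve = 0; next }
        /^CVE: /               { cve[ncve++] = $2; next }
        /^WWW: /               {
            for (i = 0; i < ncve; i++) print pkg "\t" cve[i] "\t" $2
            ncve = 0
        }
    '
}

# One line per installed package: <package> TAB <number of distinct CVEs>.
# The same CVE can appear in more than one VuXML entry, so dedupe on
# (package, CVE) before counting.
summarize_pkg_audit() {
    parse_pkg_audit | awk -F '\t' '
        !seen[$1 FS $2]++ { n[$1]++ }
        END { for (p in n) print p "\t" n[p] }
    ' | sort
}

# Sorted, de-duplicated list of every CVE id the audit mentions, handy for
# cross-checking against a vendor advisory or a ticket Summary.
cve_ids() {
    parse_pkg_audit | cut -f 2 | sort -u
}

# Demo on the constructed sample; replace with `pkg audit | summarize_pkg_audit`
# on a real system.
printf '%s' "$PKG_AUDIT_SAMPLE" | summarize_pkg_audit
```

The script only restructures what `pkg audit` already said; it does not judge whether an entry is accurate or whether the package is really built against the vulnerable code, which is the caveat the comment above makes about VuXML being advisory. A package name that still carries an old version after the quarterly branch has moved on (1.4.5 here, after r397984) is the signal to check which repository the host is tracking.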