Bug 249484 - multimedia/mythtv: Update to 31.0
Summary: multimedia/mythtv: Update to 31.0
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Kyle Evans
URL: https://www.mythtv.org/wiki/Release_N...
Keywords:
Depends on:
Blocks: 249337
Reported: 2020-09-20 16:39 UTC by Alan Hicks
Modified: 2020-12-16 02:51 UTC

See Also:
koobs: maintainer-feedback? (ahicks)
kevans: merge-quarterly-


Attachments
patch for multimedia/mythtv and multimedia/mythtv-frontend (112.58 KB, patch)
2020-09-20 16:39 UTC, Alan Hicks
Patch to upgrade www/mythplugin-mythweb (1.90 KB, patch)
2020-09-23 15:45 UTC, Alan Hicks

Description Alan Hicks 2020-09-20 16:39:08 UTC
Created attachment 218110
patch for multimedia/mythtv and multimedia/mythtv-frontend

Upgrade multimedia/mythtv and multimedia/mythtv-frontend from 30 to 31.0
Bumps python to 3.5+
Uses ffmpeg 4.3.1 so CVE-2016-10191 no longer applies
Configuration options changed to reflect update
Release notes: https://www.mythtv.org/wiki/Release_Notes_-_31
Poudriere testports attached
Comment 1 Alan Hicks 2020-09-20 16:49:25 UTC
Poudriere logs attached as they're 2.4 and 2.2m respectively
https://p-o.co.uk/downloads/mythtv-31.0,1.log
https://p-o.co.uk/downloads/mythtv-frontend-31.0,1.log
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2020-09-21 07:22:05 UTC
@Alan Does this update resolve security vulnerabilities by way of switching the dependency from a bundled ffmpeg to ports?
Comment 3 Alan Hicks 2020-09-21 10:26:11 UTC
CVE-2016-10191 only lists before 3.2.2 as vulnerable,
the version of ffmpeg included in 31.0 is 4.2.1,
there isn't an option to use ffmpeg from ports.

I've checked the source file
work/mythtv-31.0/mythtv/external/FFmpeg/libavformat/rtmppkt.c
and it contains the check for "RTMP packet size mismatch" from patch-CVE-2016-10191.

head -n 4 work/mythtv-31.0/mythtv/external/FFmpeg/Changelog
Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.

version 4.2.1:

https://nvd.nist.gov/vuln/detail/CVE-2016-10191
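
The two checks described in comment 3 (bundled FFmpeg version from the Changelog, and presence of the "RTMP packet size mismatch" check in rtmppkt.c) can be scripted for any vendored FFmpeg tree. This is an added example, not part of the bug report or the port; the function names, verdict words and the sample tree are assumptions made for illustration, and the 3.2.2 threshold is the one quoted in comment 3.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a bundled FFmpeg tree for the
# CVE-2016-10191 fix using the two checks described in comment 3.
FIXED_IN=3.2.2                      # threshold as quoted in comment 3
MARKER='RTMP packet size mismatch'  # log string of the size check added by the fix

# Newest release recorded in an FFmpeg Changelog: the first "version X:" line.
bundled_ffmpeg_version() {
    sed -n 's/^version \([0-9][0-9.]*\):.*$/\1/p' "$1" | head -n 1
}

# Succeed when dotted version $1 is >= dotted version $2.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Print a one-word verdict for the FFmpeg tree at $1; non-zero when action is needed.
audit_tree() {
    ver=$(bundled_ffmpeg_version "$1/Changelog" 2>/dev/null)
    [ -n "$ver" ] || { echo unknown; return 2; }
    if grep -q "$MARKER" "$1/libavformat/rtmppkt.c" 2>/dev/null; then has=yes; else has=no; fi
    if version_ge "$ver" "$FIXED_IN"; then
        # Version says fixed; a missing marker means the vendored copy diverged.
        if [ "$has" = yes ]; then echo fixed; else echo review; return 1; fi
    else
        # Old version: only acceptable if the fix was backported as a local patch.
        if [ "$has" = yes ]; then echo backported; else echo vulnerable; return 1; fi
    fi
}

# Build a constructed sample tree (hypothetical contents) and print its path.
make_sample_tree() {   # $1 = version, $2 = yes|no (include the size check)
    dir=$(mktemp -d)
    mkdir -p "$dir/libavformat"
    printf 'Entries are sorted.\n\nversion %s:\n\nversion 0.1:\n' "$1" > "$dir/Changelog"
    printf '%s\n' '/* constructed sample */' > "$dir/libavformat/rtmppkt.c"
    [ "$2" = no ] || printf '%s\n' 'av_log(s, AV_LOG_ERROR, "RTMP packet size mismatch");' >> "$dir/libavformat/rtmppkt.c"
    echo "$dir"
}

t=$(make_sample_tree 4.2.1 yes); echo "4.2.1 with check: $(audit_tree "$t")"; rm -rf "$t"
```

Against a real port work directory, the argument to `audit_tree` would be the bundled tree, e.g. `work/mythtv-31.0/mythtv/external/FFmpeg` as named in comment 3.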
Comment 4 Alan Hicks 2020-09-23 15:45:12 UTC
Created attachment 218213
Patch to upgrade www/mythplugin-mythweb

poudriere testport log
https://p-o.co.uk/downloads/mythplugin-mythweb-31.0.log
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2020-09-24 00:49:29 UTC
@Alan So just to be explicit, the current port version is affected by at least one vulnerability, and the patches here resolve them (include changes to mitigate/resolve them)?
Comment 6 Alan Hicks 2020-09-24 03:50:53 UTC
@Koobs For clarity:
There are no vulnerabilities in the current version 30.0.
This update removes dependency on python 2.7 in favour of 3.5+.
The patch for www/mythplugin-mythweb keeps it in sync with MythTV.

MythTV version 30.0 used a non-vulnerable ffmpeg (4.0.2), the CVE patch was superfluous and benign.
Comment 7 Bryan Erickson 2020-10-08 18:20:34 UTC
I'd like to add that I've tested the multimedia/mythtv & multimedia/mythtv-frontend patches and deployed the packages to a couple of my test systems and everything appears to be working as expected. The new version also addresses a bug where after you play one video a white box remains on the screen. 

I'm just wanting to add my input as the package in ports is marked as broken and this will address the broken port as well as fix a bug in the previous version.
Comment 8 Alan Hicks 2020-10-22 11:38:09 UTC
Would it help to expedite this if I took maintainership of the three ports?
Comment 9 Kyle Evans freebsd_committer 2020-12-12 14:07:34 UTC
(In reply to Alan Hicks from comment #8)

I'd tend to recommend it if for the sake of longevity, but I do not insist.

Based on the patch split, is it safe to assume that mythplugin-mythweb can be upgraded after the fact in a separate commit?
Comment 10 Alan Hicks 2020-12-12 20:33:56 UTC
(In reply to Kyle Evans from comment #9)

Yes, it's safe to upgrade mythplugin-mythweb in a separate commit, let me know if I should open one and re-submit patch.

I've used MythTV for a while so happy to look after it, let me know if there's anything I should do to accept maintainership.

Thanks
Comment 11 Kyle Evans freebsd_committer 2020-12-12 21:03:45 UTC
(In reply to Alan Hicks from comment #10)

Perfect, thanks! I'll do one more Q/A pass tonight then commit.

No further action required; you've acknowledged that you're interested in MAINTAINERship coinciding with this here patch to save it from the grim reaper at the end of the month, I will pass MAINTAINER to your Bugzilla e-mail address when I commit it.
Comment 12 Kyle Evans freebsd_committer 2020-12-13 17:25:52 UTC
(In reply to Kyle Evans from comment #11)

Sorry, Q/A took a little longer than I thought because it has a large number of deps that I hadn't built yet -- I've got this staged for commit when I get some time (maybe ~8 hours?) along with an update to audio/mythplugin-mythmusic to mitigate the breakage that would occur for it.
Comment 13 commit-hook freebsd_committer 2020-12-16 02:48:49 UTC
A commit references this bug:

Author: kevans
Date: Wed Dec 16 02:48:06 UTC 2020
New revision: 558199
URL: https://svnweb.freebsd.org/changeset/ports/558199

Log:
  multimedia/mythtv: update to 31.0

  - Upgrade multimedia/mythtv and multimedia/mythtv-frontend from 30 to 31.0
  - Bumps python to 3.5+
  - Uses ffmpeg 4.3.1 so CVE-2016-10191 no longer applies
  - Configuration options changed to reflect update

  Release notes: https://www.mythtv.org/wiki/Release_Notes_-_31

  audio/mythplugin-mythmusic also bumped as a reverse dep.

  Pass maintainership of multimedia/mythtv* to submitter.

  PR:		249484
  Submitted by:	Alan Hicks <ahicks p-o co uk>

Changes:
  head/audio/mythplugin-mythmusic/Makefile
  head/audio/mythplugin-mythmusic/distinfo
  head/audio/mythplugin-mythmusic/pkg-plist
  head/multimedia/mythtv/Makefile
  head/multimedia/mythtv/distinfo
  head/multimedia/mythtv/files/audio.h
  head/multimedia/mythtv/files/ca.h
  head/multimedia/mythtv/files/dmx.h
  head/multimedia/mythtv/files/frontend.h
  head/multimedia/mythtv/files/net.h
  head/multimedia/mythtv/files/osd.h
  head/multimedia/mythtv/files/patch-CVE-2016-10191
  head/multimedia/mythtv/files/patch-configure
  head/multimedia/mythtv/files/patch-external_FFmpeg_libavformat_rtsp.c
  head/multimedia/mythtv/files/patch-external_libmythdvdnav_dvdnav_dvdnav_dvdnav.h
  head/multimedia/mythtv/files/patch-libs_libmythmetadata_imagemetadata.cpp
  head/multimedia/mythtv/files/patch-libs_libmythtv_DVD_dvdringbuffer.h
  head/multimedia/mythtv/files/patch-libs_libmythtv_videodev2.h
  head/multimedia/mythtv/files/version.h
  head/multimedia/mythtv/files/video.h
  head/multimedia/mythtv/pkg-plist
  head/multimedia/mythtv-frontend/Makefile
  head/multimedia/mythtv-frontend/pkg-plist
Comment 14 commit-hook freebsd_committer 2020-12-16 02:49:50 UTC
A commit references this bug:

Author: kevans
Date: Wed Dec 16 02:49:14 UTC 2020
New revision: 558200
URL: https://svnweb.freebsd.org/changeset/ports/558200

Log:
  www/mythplugin-mythweb: update to 31.0

  Pass MAINTAINER to submitter.

  PR:		249484
  Submitted by:	Alan Hicks <ahicks p-o co uk>

Changes:
  head/www/mythplugin-mythweb/Makefile
  head/www/mythplugin-mythweb/distinfo
  head/www/mythplugin-mythweb/pkg-plist
Comment 15 Kyle Evans freebsd_committer 2020-12-16 02:51:12 UTC
Committed, thanks!