Bug 249484 - multimedia/mythtv: Update to 31.0
Summary: multimedia/mythtv: Update to 31.0
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL: https://www.mythtv.org/wiki/Release_N...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-20 16:39 UTC by Alan Hicks
Modified: 2020-10-22 11:38 UTC

See Also:
koobs: maintainer-feedback? (ahicks)


Attachments
patch for multimedia/mythtv and multimedia/mythtv-frontend (112.58 KB, patch)
2020-09-20 16:39 UTC, Alan Hicks
Patch to upgrade www/mythplugin-mythweb (1.90 KB, patch)
2020-09-23 15:45 UTC, Alan Hicks

Description Alan Hicks 2020-09-20 16:39:08 UTC
Created attachment 218110
patch for multimedia/mythtv and multimedia/mythtv-frontend

Upgrade multimedia/mythtv and multimedia/mythtv-frontend from 30 to 31.0
Bumps python to 3.5+
Uses ffmpeg 4.3.1 so CVE-2016-10191 no longer applies
Configuration options changed to reflect update
Release notes: https://www.mythtv.org/wiki/Release_Notes_-_31
Poudriere testports attached
Comment 1 Alan Hicks 2020-09-20 16:49:25 UTC
Poudriere logs attached as they're 2.4 and 2.2m respectively
https://p-o.co.uk/downloads/mythtv-31.0,1.log
https://p-o.co.uk/downloads/mythtv-frontend-31.0,1.log
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2020-09-21 07:22:05 UTC
@Alan Does this update resolve security vulnerabilities by way of switching the dependency from a bundled ffmpeg to ports?
Comment 3 Alan Hicks 2020-09-21 10:26:11 UTC
CVE-2016-10191 only lists before 3.2.2 as vulnerable,
the version of ffmpeg included in 31.0 is 4.2.1,
there isn't an option to use ffmpeg from ports.

I've checked the source file
work/mythtv-31.0/mythtv/external/FFmpeg/libavformat/rtmppkt.c
and it contains the check for "RTMP packet size mismatch" from patch-CVE-2016-10191.

head -n 4 work/mythtv-31.0/mythtv/external/FFmpeg/Changelog
Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.

version 4.2.1:

https://nvd.nist.gov/vuln/detail/CVE-2016-10191
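
The manual check described in Comment 3, written as a repeatable audit of a vendored FFmpeg tree. This is an added example, not part of the original bug report or the port: the 3.2.2 threshold and the marker string are taken from the thread, while the function names and the `make_sample` helper (which builds constructed stand-in files, not real FFmpeg sources) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a bundled FFmpeg tree for the CVE-2016-10191 fix.
FIXED_IN="3.2.2"                     # thread: "before 3.2.2" is vulnerable
MARKER="RTMP packet size mismatch"   # check string quoted in Comment 3

# Newest release recorded in an FFmpeg Changelog (first "version X:" line).
bundled_version() {
    sed -n 's/^version \([0-9][0-9.]*\):.*$/\1/p' "$1" 2>/dev/null | head -n 1
}

# Succeed when dotted version $1 >= $2 (first three numeric fields).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# Classify a tree: fixed-by-version, fixed-by-backport, vulnerable,
# or unknown when the Changelog has no parsable version line.
audit_tree() {
    ver=$(bundled_version "$1/Changelog")
    [ -n "$ver" ] || { echo unknown; return; }
    if version_ge "$ver" "$FIXED_IN"; then
        echo fixed-by-version
    elif grep -qF "$MARKER" "$1/libavformat/rtmppkt.c" 2>/dev/null; then
        echo fixed-by-backport        # old version, but the check is present
    else
        echo vulnerable
    fi
}

# Constructed sample tree: $1 = dir, $2 = version, $3 = optional source line.
make_sample() {
    mkdir -p "$1/libavformat"
    printf 'Entries are sorted...\n\nversion %s:\n- x\n\nversion 0.1:\n' "$2" \
        > "$1/Changelog"
    printf '%s\n' "${3:-/* stub */}" > "$1/libavformat/rtmppkt.c"
}

# Usage: sh audit.sh work/mythtv-31.0/mythtv/external/FFmpeg
if [ $# -gt 0 ]; then audit_tree "$1"; fi
```

A `fixed-by-version` result trusts the Changelog; the marker check only runs when the recorded version is older than the threshold.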
Comment 4 Alan Hicks 2020-09-23 15:45:12 UTC
Created attachment 218213
Patch to upgrade www/mythplugin-mythweb

poudriere testport log
https://p-o.co.uk/downloads/mythplugin-mythweb-31.0.log
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2020-09-24 00:49:29 UTC
@Alan So just to be explicit, the current port version is affected by at least one vulnerability, and the patches here resolve them (include changes to mitigate/resolve them)?
Comment 6 Alan Hicks 2020-09-24 03:50:53 UTC
@Koobs For clarity:
There are no vulnerabilities in the current version 30.0.
This update removes dependency on python 2.7 in favour of 3.5+.
The patch for www/mythplugin-mythweb keeps it in sync with MythTV.

MythTV version 30.0 used a non-vulnerable ffmpeg (4.0.2); the CVE patch was superfluous and benign.
Comment 7 Bryan Erickson 2020-10-08 18:20:34 UTC
I'd like to add that I've tested the multimedia/mythtv & multimedia/mythtv-frontend patches and deployed the packages to a couple of my test systems and everything appears to be working as expected. The new version also addresses a bug where after you play one video a white box remains on the screen. 

I'm just wanting to add my input as the package in ports is marked as broken and this will address the broken port as well as fix a bug in the previous version.
Comment 8 Alan Hicks 2020-10-22 11:38:09 UTC
Would it help to expedite this if I took maintainership of the three ports?