Created attachment 218110
patch for multimedia/mythtv and multimedia/mythtv-frontend
Upgrade multimedia/mythtv and multimedia/mythtv-frontend from 30 to 31.0
Bumps python to 3.5+
Uses ffmpeg 4.3.1 so CVE-2016-10191 no longer applies
Configuration options changed to reflect update
Release notes: https://www.mythtv.org/wiki/Release_Notes_-_31
Poudriere testports attached
Poudriere logs attached as they're 2.4 and 2.2m respectively
@Alan Does this update resolve security vulnerabilities by way of switching the dependency from a bundled ffmpeg to ports?
CVE-2016-10191 only lists before 3.2.2 as vulnerable;
the version of ffmpeg included in 31.0 is 4.2.1;
there isn't an option to use ffmpeg from ports.
I've checked the source file
and it contains the check for "RTMP packet size mismatch" from patch-CVE-2016-10191.
head -n 4 work/mythtv-31.0/mythtv/external/FFmpeg/Changelog
Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
Created attachment 218213
Patch to upgrade www/mythplugin-mythweb
poudriere testport log
@Alan So just to be explicit, the current port version is affected by at least one vulnerability, and the patches here resolve them (include changes to mitigate/resolve them)?
@Koobs For clarity:
There are no vulnerabilities in the current version 30.0.
This update removes dependency on python 2.7 in favour of 3.5+.
The patch for www/mythplugin-mythweb keeps it in sync with MythTV.
MythTV version 30.0 used a non-vulnerable ffmpeg (4.0.2); the CVE patch was superfluous and benign.
I'd like to add that I've tested the multimedia/mythtv & multimedia/mythtv-frontend patches and deployed the packages to a couple of my test systems and everything appears to be working as expected. The new version also addresses a bug where after you play one video a white box remains on the screen.
I'm just wanting to add my input as the package in ports is marked as broken and this will address the broken port as well as fix a bug in the previous version.
Would it help to expedite this if I took maintainership of the three ports?