[PATCH 0/3] ffmpeg updates [fixes CVE-2024-7055, CVE-2024-7272]

  • Open
Details
2 participants
  • ashish.is
  • Rodion Goritskov
Owner
unassigned
Submitted by
ashish.is
Severity
important

ashish.is wrote on 24 Aug 17:34 -0700
Recipients: guix-patches@gnu.org, Ashish SHUKLA <ashish.is@lostca.se>
Message-ID: cover.1724546078.git.ashish.is@lostca.se
From: Ashish SHUKLA <ashish.is@lostca.se>

Hi,

The attached series of patches updates ffmpeg to the latest versions, which fixes
the following vulnerabilities:

CVE-2024-7055
CVE-2024-7272

Thanks!

Ashish SHUKLA (3):
gnu: ffmpeg: Update to 6.1.2 [fixes CVE-2024-7055].
gnu: ffmpeg-5: Update to 5.1.6 [fixes CVE-2024-7055, CVE-2024-7272].
gnu: ffmpeg-4: Update to 4.4.5 [fixes CVE-2024-7055].

gnu/packages/video.scm | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)


base-commit: f25ea6847fa4eb1bc0a6bfb965e145b94f20a6f8
--
2.46.0
ashish.is wrote on 24 Aug 17:39 -0700
[PATCH 3/3] gnu: ffmpeg-4: Update to 4.4.5 [fixes CVE-2024-7055].
Recipients: 72799@debbugs.gnu.org, Ashish SHUKLA <ashish.is@lostca.se>
Message-ID: 24c7b9dde2e4d1479e58c80697d9ce4a3ca97288.1724546078.git.ashish.is@lostca.se
From: Ashish SHUKLA <ashish.is@lostca.se>

* gnu/packages/video.scm (ffmpeg-4): Update to 4.4.5.

Change-Id: Ie35066988c26af338120b2ce002c767ff4c7aaec
---
gnu/packages/video.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 1089e0b6ba..0c56a43ecb 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1885,14 +1885,14 @@ (define-public ffmpeg-5
(define-public ffmpeg-4
(package
(inherit ffmpeg-5)
- (version "4.4.2")
+ (version "4.4.5")
(source (origin
(method url-fetch)
(uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
version ".tar.xz"))
(sha256
(base32
- "14xadxm1yaamp216nq09xwasxg5g133v86dbb33mdg5di1zrlhdg"))))
+ "01xb2vj4n52fv2y56n5ifirgzlg16qbgfg98f6ifbbhm6l6lwlgr"))))
(inputs (modify-inputs (package-inputs ffmpeg)
(replace "sdl2" sdl2-2.0)))
(arguments
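Review bot: the hunk changes only `version` and the base32 hash, so the new hash cannot be checked from the diff itself; before pushing, re-derive it with `guix download` on the URL the `uri` field builds (https://ffmpeg.org/releases/ffmpeg-4.4.5.tar.xz) and verify that tarball against the upstream signature, because a wrong hash either fails the build or, worse, pins an artifact other than the one the commit title claims fixes CVE-2024-7055. Note also that 4.4.2 to 4.4.5 skips two point releases, so the `arguments` that follow the context should still be confirmed to build with the new source.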
--
2.46.0
ashish.is wrote on 24 Aug 17:39 -0700
[PATCH 2/3] gnu: ffmpeg-5: Update to 5.1.6 [fixes CVE-2024-7055, CVE-2024-7272].
Recipients: 72799@debbugs.gnu.org, Ashish SHUKLA <ashish.is@lostca.se>
Message-ID: 274eeb8f1c025e31191b28e5b977eb16e6d7b7e0.1724546078.git.ashish.is@lostca.se
From: Ashish SHUKLA <ashish.is@lostca.se>

* gnu/packages/video.scm (ffmpeg-5): Update to 5.1.6.

Change-Id: If86cbff17d63528b42a9c5ce2c062014251b8fcb
---
gnu/packages/video.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index d8276b331e..1089e0b6ba 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1873,14 +1873,14 @@ (define-public ffmpeg
(define-public ffmpeg-5
(package
(inherit ffmpeg)
- (version "5.1.4")
+ (version "5.1.6")
(source (origin
(method url-fetch)
(uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
version ".tar.xz"))
(sha256
(base32
- "0qwhyhil805hns7yksdxagnrcc90h60al7lz1rc65kd1j2w3nf2l"))))))
+ "1g8116rp4fgq82br8lclb2dmw3fvyh2zkzhnngm7z97pg1i0dypl"))))))
(define-public ffmpeg-4
(package
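Review bot: the trailing context shows `(define-public ffmpeg-4` with `(package (inherit ffmpeg-5)` immediately below, so edits to this definition normally propagate to ffmpeg-4; that is harmless for this hunk because ffmpeg-4 overrides both `version` and `source` (patch 3/3), but it is worth stating in the log that no other ffmpeg-5 field changed. As with the other two bumps, confirm the new hash with `guix download` on the URL the `uri` field constructs and check the tarball against the upstream signature rather than trusting the value in the diff.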
--
2.46.0
ashish.is wrote on 24 Aug 17:39 -0700
[PATCH 1/3] gnu: ffmpeg: Update to 6.1.2 [fixes CVE-2024-7055].
Recipients: 72799@debbugs.gnu.org, Ashish SHUKLA <ashish.is@lostca.se>
Message-ID: 3608fedabb4c19adc34ebfec4d77f4f577b60328.1724546078.git.ashish.is@lostca.se
From: Ashish SHUKLA <ashish.is@lostca.se>

* gnu/packages/video.scm (ffmpeg): Update to 6.1.2.

Change-Id: I4f15c4619da8b1dba474237cd839e2c79f651346
---
gnu/packages/video.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 7d22d2f8f7..d8276b331e 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -69,6 +69,7 @@
;;; Copyright © 2023 Jaeme Sifat <jaeme@runbox.com>
;;; Copyright © 2023 Zheng Junjie <873216071@qq.com>
;;; Copyright © 2024 Artyom V. Poptsov <poptsov.artyom@gmail.com>
+;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -1670,14 +1671,14 @@ (define-public libva-utils
(define-public ffmpeg
(package
(name "ffmpeg")
- (version "6.1.1")
+ (version "6.1.2")
(source (origin
(method url-fetch)
(uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
version ".tar.xz"))
(sha256
(base32
- "0s7r2qv8gh2a3w568n9xxgcz0q8j5ww1jdsci1hm9f4l1yqg9146"))))
+ "0f2fr8ywchhlkdff88lr4d4vscqzsi1ndjh3r5jwbkayf94lcqiv"))))
(outputs '("out" "debug"))
(build-system gnu-build-system)
(inputs
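Review bot: `ffmpeg` is the base package that ffmpeg-5 inherits from and, per the reply further down, this bump rebuilds on the order of 700 dependents, so it should not go straight to master; either measure the dependent count with `guix refresh -l ffmpeg` and push via a branch, or keep the 6.1.1 definition and add a `replacement` field pointing at a 6.1.2 package so the fix is grafted without mass rebuilds. Independently of that, the new hash at `+ "0f2fr8ywchhlkdff88lr4d4vscqzsi1ndjh3r5jwbkayf94lcqiv"` should be confirmed with `guix download` against the upstream-signed ffmpeg-6.1.2.tar.xz before commit.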
--
2.46.0
Ashish SHUKLA wrote on 24 Aug 17:42 -0700
update bug state
Recipients: control@debbugs.gnu.org
Message-ID: D3OKQOMWTMEG.ZYCJI6JGDT91@lostca.se
tag 72799 security
severity 72799 important
quit
Rodion Goritskov wrote on 30 Aug 14:30 -0700
Re: [bug#72799] [PATCH 0/3] ffmpeg updates [fixes CVE-2024-7055, CVE-2024-7272]
Recipients: 72799@debbugs.gnu.org
Message-ID: 87r0a5aeci.fsf@gmail.com
Hi!

Patches apply and build fine.

However, it looks like ffmpeg-4 and ffmpeg-6 trigger lots (~1000 for
ffmpeg-4 and ~700 for ffmpeg-6) of package rebuilds.
ffmpeg-5 is fine, only 12 packages to be rebuilt.

Maybe ffmpeg-4 and ffmpeg-6 should be grafted (these CVEs look scary) and patches for them sent
in a separate branch?

Need some experienced maintainers to understand how it should be resolved.