GNU bug report logs

#72799 [PATCH 0/3] ffmpeg updates [fixes CVE-2024-7055, CVE-2024-7272]


Report forwarded to guix-patches@gnu.org:
bug#72799; Package guix-patches. (Sun, 25 Aug 2024 00:39:01 GMT) (full text, mbox, link).


Acknowledgement sent to ashish.is@lostca.se:
New bug report received and forwarded. Copy sent to guix-patches@gnu.org. (Sun, 25 Aug 2024 00:39:01 GMT) (full text, mbox, link).


Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: ashish.is@lostca.se
To: guix-patches@gnu.org
Cc: Ashish SHUKLA <ashish.is@lostca.se>
Subject: [PATCH 0/3] ffmpeg updates [fixes CVE-2024-7055, CVE-2024-7272]
Date: Sun, 25 Aug 2024 00:34:50 +0000
From: Ashish SHUKLA <ashish.is@lostca.se>

Hi,

The attached series of patches updates ffmpeg to the latest versions, which fix
the following vulnerabilities:

CVE-2024-7055
CVE-2024-7272

Thanks!

Ashish SHUKLA (3):
  gnu: ffmpeg: Update to 6.1.2 [fixes CVE-2024-7055].
  gnu: ffmpeg-5: Update to 5.1.6 [fixes CVE-2024-7055, CVE-2024-7272].
  gnu: ffmpeg-4: Update to 4.4.5 [fixes CVE-2024-7055].

 gnu/packages/video.scm | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)


base-commit: f25ea6847fa4eb1bc0a6bfb965e145b94f20a6f8
-- 
2.46.0





Information forwarded to guix-patches@gnu.org:
bug#72799; Package guix-patches. (Sun, 25 Aug 2024 00:42:02 GMT) (full text, mbox, link).


Message #8 received at 72799@debbugs.gnu.org (full text, mbox, reply):

From: ashish.is@lostca.se
To: 72799@debbugs.gnu.org
Cc: Ashish SHUKLA <ashish.is@lostca.se>
Subject: [PATCH 3/3] gnu: ffmpeg-4: Update to 4.4.5 [fixes CVE-2024-7055].
Date: Sun, 25 Aug 2024 00:39:49 +0000
From: Ashish SHUKLA <ashish.is@lostca.se>

* gnu/packages/video.scm (ffmpeg-4): Update to 4.4.5.

Change-Id: Ie35066988c26af338120b2ce002c767ff4c7aaec
---
 gnu/packages/video.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 1089e0b6ba..0c56a43ecb 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1885,14 +1885,14 @@ (define-public ffmpeg-5
 (define-public ffmpeg-4
   (package
     (inherit ffmpeg-5)
-    (version "4.4.2")
+    (version "4.4.5")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "14xadxm1yaamp216nq09xwasxg5g133v86dbb33mdg5di1zrlhdg"))))
+               "01xb2vj4n52fv2y56n5ifirgzlg16qbgfg98f6ifbbhm6l6lwlgr"))))
     (inputs (modify-inputs (package-inputs ffmpeg)
               (replace "sdl2" sdl2-2.0)))
     (arguments
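Review bot: the replacement base32 hash on the `+` line cannot be validated from the diff itself; before pushing, recompute it from the tarball that the `uri` form names (ffmpeg-4.4.5.tar.xz under https://ffmpeg.org/releases/) with `guix download` and check the upstream signature for that release, because this hash is the only thing that ties the `url-fetch` origin to the intended tarball. Note also that ffmpeg-4 inherits from ffmpeg-5 but overrides both `version` and `source`, so this hunk stands on its own and is not affected by the 5.1.6 bump; the jump from 4.4.2 to 4.4.5 skips two point releases, and the ~1000 dependent rebuilds reported later in this thread for ffmpeg-4 are large enough that a graft would be the usual way to land a CVE fix on master without a mass rebuild.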
-- 
2.46.0





Information forwarded to guix-patches@gnu.org:
bug#72799; Package guix-patches. (Sun, 25 Aug 2024 00:42:02 GMT) (full text, mbox, link).


Message #11 received at 72799@debbugs.gnu.org (full text, mbox, reply):

From: ashish.is@lostca.se
To: 72799@debbugs.gnu.org
Cc: Ashish SHUKLA <ashish.is@lostca.se>
Subject: [PATCH 2/3] gnu: ffmpeg-5: Update to 5.1.6 [fixes CVE-2024-7055, CVE-2024-7272].
Date: Sun, 25 Aug 2024 00:39:48 +0000
From: Ashish SHUKLA <ashish.is@lostca.se>

* gnu/packages/video.scm (ffmpeg-5): Update to 5.1.6.

Change-Id: If86cbff17d63528b42a9c5ce2c062014251b8fcb
---
 gnu/packages/video.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index d8276b331e..1089e0b6ba 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1873,14 +1873,14 @@ (define-public ffmpeg
 (define-public ffmpeg-5
   (package
     (inherit ffmpeg)
-    (version "5.1.4")
+    (version "5.1.6")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "0qwhyhil805hns7yksdxagnrcc90h60al7lz1rc65kd1j2w3nf2l"))))))
+                "1g8116rp4fgq82br8lclb2dmw3fvyh2zkzhnngm7z97pg1i0dypl"))))))
 
 (define-public ffmpeg-4
   (package
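Review bot: the `index` line (d8276b331e..1089e0b6ba) shows this patch expects the tree left by the ffmpeg 6.1.2 update and produces the tree the ffmpeg-4 patch expects, so the series must be applied in 1/3, 2/3, 3/3 order even though the messages appear in reverse order in this log. ffmpeg-5 inherits from `ffmpeg` but keeps its own `version` and `source`, so nothing in the 6.1.2 bump changes what is built here; with only 12 dependents reported in the thread, this is the one patch of the three that is clearly safe to push to master as a plain update. The new sha256 still needs to be confirmed against the upstream ffmpeg-5.1.6.tar.xz and its release signature, since the diff gives no way to verify it.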
-- 
2.46.0





Information forwarded to guix-patches@gnu.org:
bug#72799; Package guix-patches. (Sun, 25 Aug 2024 00:42:02 GMT) (full text, mbox, link).


Message #14 received at 72799@debbugs.gnu.org (full text, mbox, reply):

From: ashish.is@lostca.se
To: 72799@debbugs.gnu.org
Cc: Ashish SHUKLA <ashish.is@lostca.se>
Subject: [PATCH 1/3] gnu: ffmpeg: Update to 6.1.2 [fixes CVE-2024-7055].
Date: Sun, 25 Aug 2024 00:39:47 +0000
From: Ashish SHUKLA <ashish.is@lostca.se>

* gnu/packages/video.scm (ffmpeg): Update to 6.1.2.

Change-Id: I4f15c4619da8b1dba474237cd839e2c79f651346
---
 gnu/packages/video.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 7d22d2f8f7..d8276b331e 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -69,6 +69,7 @@
 ;;; Copyright © 2023 Jaeme Sifat <jaeme@runbox.com>
 ;;; Copyright © 2023 Zheng Junjie <873216071@qq.com>
 ;;; Copyright © 2024 Artyom V. Poptsov <poptsov.artyom@gmail.com>
+;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -1670,14 +1671,14 @@ (define-public libva-utils
 (define-public ffmpeg
   (package
     (name "ffmpeg")
-    (version "6.1.1")
+    (version "6.1.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "0s7r2qv8gh2a3w568n9xxgcz0q8j5ww1jdsci1hm9f4l1yqg9146"))))
+                "0f2fr8ywchhlkdff88lr4d4vscqzsi1ndjh3r5jwbkayf94lcqiv"))))
     (outputs '("out" "debug"))
     (build-system gnu-build-system)
     (inputs
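Review bot: because ffmpeg-5 and ffmpeg-4 both inherit from this `ffmpeg` definition (overriding only `version` and `source`), this is the package every other ffmpeg consumer on master depends on, and the ~700 rebuilds mentioned later in the thread for "ffmpeg-6" come from this hunk. For a CVE fix, the choice the reviewer has to make is between a plain version bump as written here, which rebuilds all dependents, and a graft that keeps the 6.1.1 derivation and substitutes the fixed build at link time; the patch contains no graft, so merging it directly to master means accepting the full rebuild. As with the other updates, the replacement base32 hash should be recomputed from the upstream ffmpeg-6.1.2.tar.xz and checked against its signature before the commit lands, since `url-fetch` trusts whatever hash is recorded here.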
-- 
2.46.0





Added tag(s) security. Request was from "Ashish SHUKLA" <ashish.is@lostca.se> to control@debbugs.gnu.org. (Sun, 25 Aug 2024 00:44:02 GMT) (full text, mbox, link).


Severity set to 'important' from 'normal' Request was from "Ashish SHUKLA" <ashish.is@lostca.se> to control@debbugs.gnu.org. (Sun, 25 Aug 2024 00:44:02 GMT) (full text, mbox, link).


Information forwarded to guix-patches@gnu.org:
bug#72799; Package guix-patches. (Fri, 30 Aug 2024 21:33:02 GMT) (full text, mbox, link).


Message #21 received at 72799@debbugs.gnu.org (full text, mbox, reply):

From: Rodion Goritskov <rodion.goritskov@gmail.com>
To: 72799@debbugs.gnu.org
Subject: Re: [bug#72799] [PATCH 0/3] ffmpeg updates [fixes CVE-2024-7055, CVE-2024-7272]
Date: Sat, 31 Aug 2024 01:30:05 +0400
Hi!

Patches apply and build fine.

However, it looks like ffmpeg-4 and ffmpeg-6 trigger lots of package
rebuilds (~1000 for ffmpeg-4 and ~700 for ffmpeg-6).
ffmpeg-5 is fine, only 12 packages to be rebuilt.

Maybe ffmpeg-4 and ffmpeg-6 should be grafted (these CVEs look scary) and patches for them sent
in a separate branch?

Need some experienced maintainers to understand how it should be resolved.




Reply sent to Maxim Cournoyer <maxim.cournoyer@gmail.com>:
You have taken responsibility. (Tue, 12 Nov 2024 12:11:02 GMT) (full text, mbox, link).


Notification sent to ashish.is@lostca.se:
bug acknowledged by developer. (Tue, 12 Nov 2024 12:11:02 GMT) (full text, mbox, link).


Message #26 received at 72799-done@debbugs.gnu.org (full text, mbox, reply):

From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Rodion Goritskov <rodion.goritskov@gmail.com>
Cc: 72799-done@debbugs.gnu.org, ashish.is@lostca.se
Subject: Re: [bug#72799] [PATCH 0/3] ffmpeg updates [fixes CVE-2024-7055, CVE-2024-7272]
Date: Tue, 12 Nov 2024 21:09:34 +0900
Hello,

Rodion Goritskov <rodion.goritskov@gmail.com> writes:

> Hi!
>
> Patches apply and build fine.
>
> However, it looks like ffmpeg-4 and ffmpeg-6 trigger lots of package
> rebuilds (~1000 for ffmpeg-4 and ~700 for ffmpeg-6).
> ffmpeg-5 is fine, only 12 packages to be rebuilt.
>
> Maybe ffmpeg-4 and ffmpeg-6 should be grafted (these CVEs look scary) and patches for them sent
> in a separate branch?
>
> Need some experienced maintainers to understand how it should be resolved.

It would have been better to build on a topic branch, but I've opted to
take a shortcut here and push directly to master for this time.

Closing!

-- 
Thanks,
Maxim




bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Tue, 10 Dec 2024 12:24:19 GMT) (full text, mbox, link).




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Fri Jan 3 04:15:25 2025; Machine Name: wallace-server
