GNU bug report logs
Reported by: ashish.is@lostca.se
Date: 2024-08-25T00:39:01
Severity: important
Tags: patch security
Report forwarded to guix-patches@gnu.org: bug#72799; Package guix-patches. (Sun, 25 Aug 2024 00:39:01 GMT)
Acknowledgement sent to ashish.is@lostca.se: New bug report received and forwarded. Copy sent to guix-patches@gnu.org. (Sun, 25 Aug 2024 00:39:01 GMT)
Message #5 received at submit@debbugs.gnu.org:
From: Ashish SHUKLA <ashish.is@lostca.se>
Hi,
The attached series of patches updates ffmpeg to the latest versions, which fix the
following vulnerabilities:
CVE-2024-7055
CVE-2024-7272
Thanks!
Ashish SHUKLA (3):
gnu: ffmpeg: Update to 6.1.2 [fixes CVE-2024-7055].
gnu: ffmpeg-5: Update to 5.1.6 [fixes CVE-2024-7055, CVE-2024-7272].
gnu: ffmpeg-4: Update to 4.4.5 [fixes CVE-2024-7055].
gnu/packages/video.scm | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
base-commit: f25ea6847fa4eb1bc0a6bfb965e145b94f20a6f8
--
2.46.0
Information forwarded to guix-patches@gnu.org: bug#72799; Package guix-patches. (Sun, 25 Aug 2024 00:42:02 GMT)
Message #8 received at 72799@debbugs.gnu.org:
From: Ashish SHUKLA <ashish.is@lostca.se>
* gnu/packages/video.scm (ffmpeg-4): Update to 4.4.5.
Change-Id: Ie35066988c26af338120b2ce002c767ff4c7aaec
---
gnu/packages/video.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 1089e0b6ba..0c56a43ecb 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1885,14 +1885,14 @@ (define-public ffmpeg-5
(define-public ffmpeg-4
(package
(inherit ffmpeg-5)
- (version "4.4.2")
+ (version "4.4.5")
(source (origin
(method url-fetch)
(uri (string-append "https://ffmpeg.org/releases/ffmpeg- "
version ".tar.xz"))
(sha256
(base32
- "14xadxm1yaamp216nq09xwasxg5g133v86dbb33mdg5di1zrlhdg"))))
+ "01xb2vj4n52fv2y56n5ifirgzlg16qbgfg98f6ifbbhm6l6lwlgr"))))
(inputs (modify-inputs (package-inputs ffmpeg)
(replace "sdl2" sdl2-2.0)))
(arguments
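Review bot: the in-place change at (version "4.4.5") is the costliest of the three, with about 1000 dependent rebuilds reported later in this thread, so consider not landing it on the main branch as written. One option is to keep 4.4.2 as the built version there, deliver 4.4.5 through the package's replacement field (a graft) once ABI compatibility within the 4.4 series is confirmed, and send this hunk to a separate rebuild branch. When applying, follow the blob chain in the index lines (7d22d2f8f7 to d8276b331e to 1089e0b6ba to 0c56a43ecb): this patch is the last of the series even though it appears first in the log.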
--
2.46.0
Information forwarded to guix-patches@gnu.org: bug#72799; Package guix-patches. (Sun, 25 Aug 2024 00:42:02 GMT)
Message #11 received at 72799@debbugs.gnu.org:
From: Ashish SHUKLA <ashish.is@lostca.se>
* gnu/packages/video.scm (ffmpeg-5): Update to 5.1.6.
Change-Id: If86cbff17d63528b42a9c5ce2c062014251b8fcb
---
gnu/packages/video.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index d8276b331e..1089e0b6ba 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1873,14 +1873,14 @@ (define-public ffmpeg
(define-public ffmpeg-5
(package
(inherit ffmpeg)
- (version "5.1.4")
+ (version "5.1.6")
(source (origin
(method url-fetch)
(uri (string-append "https://ffmpeg.org/releases/ffmpeg- "
version ".tar.xz"))
(sha256
(base32
- "0qwhyhil805hns7yksdxagnrcc90h60al7lz1rc65kd1j2w3nf2l"))))))
+ "1g8116rp4fgq82br8lclb2dmw3fvyh2zkzhnngm7z97pg1i0dypl"))))))
(define-public ffmpeg-4
(package
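Review bot: the new base32 string on the + line under (sha256 is the only integrity pin for the url-fetch tarball and cannot be checked from the diff. Recompute it from the upstream 5.1.6 tarball, for example with guix download, after verifying the upstream release signature, rather than accepting the submitted value. The same check applies to the other two hashes in the series. With only 12 dependent rebuilds reported in the thread, this one is the easiest of the three to accept as an in-place update.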
--
2.46.0
Information forwarded to guix-patches@gnu.org: bug#72799; Package guix-patches. (Sun, 25 Aug 2024 00:42:02 GMT)
Message #14 received at 72799@debbugs.gnu.org:
From: Ashish SHUKLA <ashish.is@lostca.se>
* gnu/packages/video.scm (ffmpeg): Update to 6.1.2.
Change-Id: I4f15c4619da8b1dba474237cd839e2c79f651346
---
gnu/packages/video.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 7d22d2f8f7..d8276b331e 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -69,6 +69,7 @@
;;; Copyright © 2023 Jaeme Sifat <jaeme@runbox.com>
;;; Copyright © 2023 Zheng Junjie <873216071@qq.com>
;;; Copyright © 2024 Artyom V. Poptsov <poptsov.artyom@gmail.com>
+;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -1670,14 +1671,14 @@ (define-public libva-utils
(define-public ffmpeg
(package
(name "ffmpeg")
- (version "6.1.1")
+ (version "6.1.2")
(source (origin
(method url-fetch)
(uri (string-append "https://ffmpeg.org/releases/ffmpeg- "
version ".tar.xz"))
(sha256
(base32
- "0s7r2qv8gh2a3w568n9xxgcz0q8j5ww1jdsci1hm9f4l1yqg9146"))))
+ "0f2fr8ywchhlkdff88lr4d4vscqzsi1ndjh3r5jwbkayf94lcqiv"))))
(outputs '("out" "debug"))
(build-system gnu-build-system)
(inputs
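Review bot: an in-place bump at (version "6.1.2") forces a rebuild of every dependent of ffmpeg, and the thread counts about 700 of them. If a graft is used instead, as proposed in the thread, mind the inheritance chain visible in the other two patches: ffmpeg-5 has (inherit ffmpeg) and ffmpeg-4 has (inherit ffmpeg-5), and a replacement field set on ffmpeg is inherited along with the other fields. The older variants would then need their own replacement or an explicit (replacement #f), otherwise their dependents would be grafted onto 6.1.2.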
--
2.46.0
Added tag(s) security. Request was from "Ashish SHUKLA" <ashish.is@lostca.se> to control@debbugs.gnu.org. (Sun, 25 Aug 2024 00:44:02 GMT)
Severity set to 'important' from 'normal'. Request was from "Ashish SHUKLA" <ashish.is@lostca.se> to control@debbugs.gnu.org. (Sun, 25 Aug 2024 00:44:02 GMT)
Information forwarded to guix-patches@gnu.org: bug#72799; Package guix-patches. (Fri, 30 Aug 2024 21:33:02 GMT)
Message #21 received at 72799@debbugs.gnu.org:
Hi!
Patches apply and build fine.
However, it looks like ffmpeg-4 and ffmpeg-6 trigger lots of (~1000 for
ffmpeg-4 and ~700 for ffmpeg-6) package rebuilds.
ffmpeg-5 is fine, only 12 packages to be rebuilt.
Maybe ffmpeg-4 and ffmpeg-6 should be grafted (these CVEs look scary) and patches for them sent
in a separate branch?
Need some experienced maintainers to understand how it should be resolved.
Last modified:
Mon Nov 4 22:20:38 2024;