Select provider of libav* libraries

Bálint Réczey balint at balintreczey.hu
Mon May 18 13:12:40 UTC 2015


Hi Reinhard,

2015-05-18 12:16 GMT+02:00 Reinhard Tartler <siretart at gmail.com>:
...
>>
>> > These days, FFmpeg for
>> > sure asks for most (if not all) CVE numbers recently assigned, and
>> > claims
>> > to provide patches for them.
>>
>> FFmpeg not only claims to provide patches, but actually does provide them:
>> most CVEs link to the corresponding patch.
>
> In many many cases, the descriptions of the patches and the issues are
> sub-standard, in many cases even misleading. In no case that I looked at
> was the issue immediately reproducible, because all of the referenced
> samples are held back and it is not easy at all to get access to them. And
> even if you do contact people via email and eventually are provided the
> samples, reproducing the issue remains very challenging.
>
> I stopped looking actively at them when I repeatedly came to the conclusion
> that the issue can only be seen when used in the test harness that
> Google uses for testing libavcodec within Chrome.
Thank you for sharing this. This matches my perception as well, and
if it is true, the Libav project should have stopped claiming to be able to
provide security support for Libav a long time ago. They can blame
others for not giving them full info about the issues, but that does
not close the CVEs.
The situation made me remove libav from almost all systems I use.

Thanks,
Balint



More information about the pkg-multimedia-maintainers mailing list