Libavcodec being blacklisted with Firefox

James Cowgill jcowgill at debian.org
Tue Sep 27 09:54:01 UTC 2016


Hi,

[- some Debian people who should be subscribed to the multimedia list]
[+ security team]

On 27/09/16 02:32, Jean-Yves Avenard wrote:
> Hello
> 
> I am writing to you as you are listed as one of the libavcodec maintainers on either Debian or Ubuntu distribution.
> 
> We discovered a serious security vulnerability in libavcodec 54 and earlier. Only libavcodec from LibAV is impacted.

What is the security vulnerability you are referring to? Does it have a
CVE ID?

> We have submitted fixes for libavcodec 54 to the LibAV team which have been accepted. They have also agreed to bump the micro version making the first version with no vulnerability version 54.35.1
> https://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/9
>
> libavcodec 53 is also impacted, however we have no solution for this.

This is a problem as Debian does not ship libavcodec 54. The versions
from version.h we currently have are:

Wheezy:  libavcodec 53.35.0
Jessie:  libavcodec 56.1.0 (not affected)
Stretch: libavcodec 57.48.101 (not affected, from ffmpeg)

> As a result, we have blacklisted libavcodec with a version earlier than 54.35.1.

We can't upgrade libavcodec 53 in Wheezy to libavcodec 54 because that
would break everything (ABI bump). Hypothetically, would it be possible
to allow a version like "53.35.1" which also fixes the vulnerability?
This would require some coordination with upstream.

> This means that Firefox 50 and later will no longer be able to play some videos on system using libavcodec with the vulnerability.
> Systems using libavcodec from the FFmpeg tree aren’t impacted.
> 
> The easiest course of action for whomever is creating the Debian or Ubuntu libav* package is to resync with upstream to grab the fixes…
> 
> There will be no binary incompatibilities with existing packages using the fixed libavcodec.
> 
> Thank you for updating the packages.

Thanks,
James
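The exchange above turns on how a "block versions earlier than 54.35.1" rule interacts with a stable distribution that can only ship fixes inside its existing ABI series. The following is an added example, not code from Firefox, Libav or Debian, that contrasts the plain threshold rule with a per-major-series rule able to honour a backported fix. The version numbers 53.35.0, 54.35.1, 56.1.0 and 57.48.101 come from the mail; 53.35.1 is the hypothetical backport James asks about, not a released version, and the FFmpeg carve-out follows the mail's statement that FFmpeg-derived libavcodec is not impacted.

```python
"""Version gating for libavcodec, as an added illustration of the thread.

Two policies are compared:
  * threshold: block anything earlier than 54.35.1 (the rule described
    in the mail);
  * per-series: each affected major (ABI) series has its own first fixed
    micro version, so a backport such as the hypothetical 53.35.1 is
    accepted without forcing an ABI bump to 54.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(s: str) -> Version:
    """Parse 'major.minor.micro' from libavcodec's version.h into a tuple."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad libavcodec version string: {s!r}")
    major, minor, micro = (int(p) for p in parts)
    return (major, minor, micro)


def blocked_by_threshold(version: str, first_fixed: str = "54.35.1") -> bool:
    """Rule from the mail: any version earlier than 54.35.1 is blocked.

    Tuple comparison is lexicographic, so 53.35.1 < 54.35.1 and a fixed
    53-series build would still be refused by this rule.
    """
    return parse_version(version) < parse_version(first_fixed)


# First fixed version per affected major series. 54.35.1 is named in the
# mail; 53.35.1 is the hypothetical backport the reply asks about.
FIXED_BY_SERIES: Dict[int, Version] = {
    53: (53, 35, 1),  # hypothetical: fix backported into the 53 ABI series
    54: (54, 35, 1),  # first fixed release named in the mail
}

# The mail says 54 and earlier are impacted and that 56.1.0 / 57.48.101
# are not affected, so anything from major 55 upward is treated as clean.
FIRST_UNAFFECTED_MAJOR = 55


def blocked_by_series(version: str, from_ffmpeg: bool = False) -> bool:
    """Per-series rule: compare against the fix level of the same major.

    from_ffmpeg reflects the mail's statement that only Libav's libavcodec
    is impacted; the version number alone cannot tell the two trees apart,
    so the caller must supply that fact.
    """
    if from_ffmpeg:
        return False
    v = parse_version(version)
    major = v[0]
    if major >= FIRST_UNAFFECTED_MAJOR:
        return False
    fixed: Optional[Version] = FIXED_BY_SERIES.get(major)
    if fixed is None:
        # Affected series with no known fix: stay blocked.
        return True
    return v < fixed


def classify(version: str, from_ffmpeg: bool = False) -> Dict[str, bool]:
    """Return the verdict of both policies for one version string."""
    return {
        "threshold": blocked_by_threshold(version),
        "per_series": blocked_by_series(version, from_ffmpeg=from_ffmpeg),
    }


if __name__ == "__main__":
    for label, ver, ffm in [
        ("Wheezy", "53.35.0", False),
        ("Wheezy (hypothetical backport)", "53.35.1", False),
        ("Jessie", "56.1.0", False),
        ("Stretch (ffmpeg)", "57.48.101", True),
    ]:
        print(f"{label:32} {ver:10} {classify(ver, from_ffmpeg=ffm)}")
```

The per-series table is the only place a distribution's backport has to be registered, which is the coordination with upstream the reply mentions: whoever maintains the blocklist needs to know which micro version in each ABI series carries the fix.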
