Bug#871931: libvpx: CVE-2017-0641

Salvatore Bonaccorso carnil at debian.org
Sat Aug 12 19:37:12 UTC 2017


Hi

On Sat, Aug 12, 2017 at 01:52:43PM -0400, Ondrej Novy wrote:
> Hi,
> 
> we are already using:
> 
> --size-limit=16384x16384

Yupp, I know that, I added that comment to the tracker. It's not clear
to me if we need to limit it quite further. The Android approach is to
limit it to 4k frames. Maybe indeed we should mark it as fixed for that
version where the size-limit was added (which should be 1.4.0-4). But
the size-limit to 16384x16384 was back in 2015 added to
mitigate/workaround CVE-2015-1258. So I suspect we will need to limit
it further.

*but*

cc'ing Moritz, who added libvpx to our DSA needed list for that
purpose.

Regards,
Salvatore


