Bug#871931: libvpx: CVE-2017-0641
Moritz Mühlenhoff
jmm at inutil.org
Sat Aug 12 20:15:33 UTC 2017
On Sat, Aug 12, 2017 at 09:37:12PM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> On Sat, Aug 12, 2017 at 01:52:43PM -0400, Ondrej Novy wrote:
> > Hi,
> >
> > we are already using:
> >
> > --size-limit=16384x16384
>
> Yup, I know that, I added that comment to the tracker. It's not clear
> to me whether we need to limit it even further. The Android approach is to
> limit it to 4k frames. Maybe indeed we should mark it as fixed for the
> version where the size-limit was added (which should be 1.4.0-4). But
> the size-limit of 16384x16384 was added back in 2015 to
> mitigate/work around CVE-2015-1258. So I suspect we will need to limit
> it further.
I think our build is perfectly fine in stretch. It's probably a bigger
issue for libvpx as used by smartphones, but for a desktop build
I don't think we should modify the current defaults in stable (it might
even break existing setups).
I think we can mark this as unimportant and, for buster, follow upstream
defaults.
> cc'ing Moritz, who added libvpx to our DSA needed list on that
> purpose.
That was only for oldstable, sorry for the confusion.
Cheers,
Moritz
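The thread turns on whether a build-time libvpx --size-limit (Debian's 16384x16384, or a tighter "4k" limit as on Android) is enough. An application that hands untrusted streams to a decoder can also enforce a frame-size limit itself, before the decoder touches the data. The following is an added example, not code from the thread, from Debian or from libvpx: it parses the dimensions out of a VP9 key frame's uncompressed header by following the VP9 bitstream specification's uncompressed_header() / color_config() / frame_size() syntax, and compares them against a limit. The DEBIAN_SIZE_LIMIT value is the one quoted in the thread; reading "4k frames" as 4096x4096 is an assumption of this example, not something the thread states. The make_vp9_keyframe_header() helper builds constructed test vectors (headers only, not decodable frames) so the check can be exercised offline.

```python
"""Pre-decode frame-size check for VP9 key frames (added example).

Parses width/height from the VP9 uncompressed header (frame_marker, profile,
show_existing_frame, frame_type, sync code, color_config, frame_size) and
rejects frames whose declared size exceeds a limit.
"""

CS_RGB = 7
VP9_SYNC_CODE = (0x49, 0x83, 0x42)

DEBIAN_SIZE_LIMIT = (16384, 16384)   # --size-limit=16384x16384, as quoted in the thread
ANDROID_LIKE_LIMIT = (4096, 4096)    # assumption: "4k frames" taken to mean 4096x4096


class BitReader:
    """MSB-first bit reader matching the spec's f(n) descriptor."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0  # pos counts bits

    def f(self, n: int) -> int:
        val = 0
        for _ in range(n):
            byte = self.pos >> 3
            if byte >= len(self.data):
                raise ValueError("truncated VP9 header")
            val = (val << 1) | ((self.data[byte] >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return val


def parse_vp9_keyframe_size(frame: bytes):
    """Return (width, height) declared by a VP9 key frame, or raise ValueError.

    Only key frames carry an explicit frame_size(); inter frames inherit the
    size of a reference frame and are rejected here rather than guessed.
    """
    r = BitReader(frame)
    if r.f(2) != 2:
        raise ValueError("bad frame_marker")
    profile = r.f(1) | (r.f(1) << 1)      # profile_low_bit, profile_high_bit
    if profile == 3 and r.f(1) != 0:
        raise ValueError("reserved_zero bit set")
    if r.f(1):                            # show_existing_frame
        raise ValueError("show_existing_frame header carries no size")
    frame_type = r.f(1)                   # 0 = KEY_FRAME
    r.f(1)                                # show_frame
    r.f(1)                                # error_resilient_mode
    if frame_type != 0:
        raise ValueError("not a key frame")
    if tuple(r.f(8) for _ in range(3)) != VP9_SYNC_CODE:
        raise ValueError("bad frame_sync_code")
    # color_config(): field presence depends on profile and colour space
    if profile >= 2:
        r.f(1)                            # ten_or_twelve_bit
    color_space = r.f(3)
    if color_space != CS_RGB:
        r.f(1)                            # color_range
        if profile in (1, 3):
            r.f(3)                        # subsampling_x, subsampling_y, reserved_zero
    elif profile in (1, 3):
        r.f(1)                            # reserved_zero
    width = r.f(16) + 1                   # frame_width_minus_1
    height = r.f(16) + 1                  # frame_height_minus_1
    return width, height


def within_size_limit(frame: bytes, max_w: int, max_h: int) -> bool:
    """True if the key frame's declared size fits within max_w x max_h."""
    w, h = parse_vp9_keyframe_size(frame)
    return w <= max_w and h <= max_h


class BitWriter:
    """MSB-first bit writer used only to build constructed test vectors."""
    def __init__(self):
        self.bits = []

    def f(self, val: int, n: int):
        self.bits.extend((val >> (n - 1 - i)) & 1 for i in range(n))

    def tobytes(self) -> bytes:
        bits = self.bits + [0] * (-len(self.bits) % 8)
        return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                     for i in range(0, len(bits), 8))


def make_vp9_keyframe_header(width: int, height: int, profile: int = 0,
                             key_frame: bool = True) -> bytes:
    """Constructed test vector: a VP9 uncompressed header up to render_size().
    Not a decodable frame; only the dimension fields are meaningful."""
    w = BitWriter()
    w.f(2, 2); w.f(profile & 1, 1); w.f(profile >> 1, 1)
    if profile == 3:
        w.f(0, 1)                         # reserved_zero
    w.f(0, 1)                             # show_existing_frame
    w.f(0 if key_frame else 1, 1)         # frame_type
    w.f(1, 1); w.f(0, 1)                  # show_frame, error_resilient_mode
    if not key_frame:
        return w.tobytes()
    for b in VP9_SYNC_CODE:
        w.f(b, 8)
    if profile >= 2:
        w.f(0, 1)                         # ten_or_twelve_bit
    w.f(1, 3); w.f(0, 1)                  # color_space = BT.601, color_range
    if profile in (1, 3):
        w.f(1, 1); w.f(1, 1); w.f(0, 1)   # subsampling_x/y, reserved_zero
    w.f(width - 1, 16); w.f(height - 1, 16)
    w.f(0, 1)                             # render_and_frame_size_different
    return w.tobytes()


if __name__ == "__main__":
    for dims in ((1920, 1080), (16384, 16384), (16385, 16384)):
        hdr = make_vp9_keyframe_header(*dims)
        print(dims, "debian:", within_size_limit(hdr, *DEBIAN_SIZE_LIMIT),
              "android-like:", within_size_limit(hdr, *ANDROID_LIKE_LIMIT))
```

Two caveats worth keeping in mind when using a check like this: it only reads the dimensions the stream declares, so it belongs in front of, not instead of, the decoder's own --size-limit enforcement; and because a key frame can change the size mid-stream, it has to run on every key frame, not just the first. libvpx itself exposes the same header peek through vpx_codec_peek_stream_info() in its public decoder API.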