[PATCH 0/3] ffmpeg updates [fixes CVE-2024-7055, CVE-2024-7272]

Details
3 participants
  • ashish.is
  • Maxim Cournoyer
  • Rodion Goritskov
Owner
unassigned
Submitted by
ashish.is
Severity
important
ashish.is wrote on 25 Aug 02:34 +0200
To: guix-patches@gnu.org, Ashish SHUKLA <ashish.is@lostca.se>
Message-ID: cover.1724546078.git.ashish.is@lostca.se
From: Ashish SHUKLA <ashish.is@lostca.se>

Hi,

The attached series of patches updates ffmpeg to the latest versions, which fix the
following vulnerabilities:

CVE-2024-7055
CVE-2024-7272

Thanks!

Ashish SHUKLA (3):
gnu: ffmpeg: Update to 6.1.2 [fixes CVE-2024-7055].
gnu: ffmpeg-5: Update to 5.1.6 [fixes CVE-2024-7055, CVE-2024-7272].
gnu: ffmpeg-4: Update to 4.4.5 [fixes CVE-2024-7055].

gnu/packages/video.scm | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)


base-commit: f25ea6847fa4eb1bc0a6bfb965e145b94f20a6f8
--
2.46.0
ashish.is wrote on 25 Aug 02:39 +0200
[PATCH 3/3] gnu: ffmpeg-4: Update to 4.4.5 [fixes CVE-2024-7055].
To: 72799@debbugs.gnu.org, Ashish SHUKLA <ashish.is@lostca.se>
Message-ID: 24c7b9dde2e4d1479e58c80697d9ce4a3ca97288.1724546078.git.ashish.is@lostca.se
From: Ashish SHUKLA <ashish.is@lostca.se>

* gnu/packages/video.scm (ffmpeg-4): Update to 4.4.5.

Change-Id: Ie35066988c26af338120b2ce002c767ff4c7aaec
---
gnu/packages/video.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 1089e0b6ba..0c56a43ecb 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1885,14 +1885,14 @@ (define-public ffmpeg-5
(define-public ffmpeg-4
(package
(inherit ffmpeg-5)
- (version "4.4.2")
+ (version "4.4.5")
(source (origin
(method url-fetch)
(uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
version ".tar.xz"))
(sha256
(base32
- "14xadxm1yaamp216nq09xwasxg5g133v86dbb33mdg5di1zrlhdg"))))
+ "01xb2vj4n52fv2y56n5ifirgzlg16qbgfg98f6ifbbhm6l6lwlgr"))))
(inputs (modify-inputs (package-inputs ffmpeg)
(replace "sdl2" sdl2-2.0)))
(arguments
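Review bot: the new hash on the `+ "01xb2vj4n52fv2y56n5ifirgzlg16qbgfg98f6ifbbhm6l6lwlgr"` line cannot be checked from the diff alone; before pushing, re-derive it with `guix download` against the URL the `uri` field builds (https://ffmpeg.org/releases/ffmpeg-4.4.5.tar.xz) and compare, since a copied hash is the one place in a version bump where a substituted tarball would go unnoticed. Also, per the review below this bump rebuilds roughly 1000 dependents, so it belongs on a topic branch or behind a graft rather than directly on master.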
--
2.46.0
ashish.is wrote on 25 Aug 02:39 +0200
[PATCH 2/3] gnu: ffmpeg-5: Update to 5.1.6 [fixes CVE-2024-7055, CVE-2024-7272].
To: 72799@debbugs.gnu.org, Ashish SHUKLA <ashish.is@lostca.se>
Message-ID: 274eeb8f1c025e31191b28e5b977eb16e6d7b7e0.1724546078.git.ashish.is@lostca.se
From: Ashish SHUKLA <ashish.is@lostca.se>

* gnu/packages/video.scm (ffmpeg-5): Update to 5.1.6.

Change-Id: If86cbff17d63528b42a9c5ce2c062014251b8fcb
---
gnu/packages/video.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index d8276b331e..1089e0b6ba 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1873,14 +1873,14 @@ (define-public ffmpeg
(define-public ffmpeg-5
(package
(inherit ffmpeg)
- (version "5.1.4")
+ (version "5.1.6")
(source (origin
(method url-fetch)
(uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
version ".tar.xz"))
(sha256
(base32
- "0qwhyhil805hns7yksdxagnrcc90h60al7lz1rc65kd1j2w3nf2l"))))))
+ "1g8116rp4fgq82br8lclb2dmw3fvyh2zkzhnngm7z97pg1i0dypl"))))))
(define-public ffmpeg-4
(package
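Review bot: the summary claims this bump fixes both CVE-2024-7055 and CVE-2024-7272, yet the ChangeLog body only says "Update to 5.1.6", and the sibling ffmpeg-4 and ffmpeg patches list CVE-2024-7055 alone; record the per-package CVE coverage (or a pointer to the upstream release notes that state it) in the body so a later reader can tell which line was affected by which CVE without re-deriving it. Since ffmpeg-4 inherits from ffmpeg-5 via `(inherit ffmpeg-5)`, it is also worth confirming that nothing beyond version and hash needs to change here for the 4.x package to keep building.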
--
2.46.0
ashish.is wrote on 25 Aug 02:39 +0200
[PATCH 1/3] gnu: ffmpeg: Update to 6.1.2 [fixes CVE-2024-7055].
To: 72799@debbugs.gnu.org, Ashish SHUKLA <ashish.is@lostca.se>
Message-ID: 3608fedabb4c19adc34ebfec4d77f4f577b60328.1724546078.git.ashish.is@lostca.se
From: Ashish SHUKLA <ashish.is@lostca.se>

* gnu/packages/video.scm (ffmpeg): Update to 6.1.2.

Change-Id: I4f15c4619da8b1dba474237cd839e2c79f651346
---
gnu/packages/video.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 7d22d2f8f7..d8276b331e 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -69,6 +69,7 @@
;;; Copyright © 2023 Jaeme Sifat <jaeme@runbox.com>
;;; Copyright © 2023 Zheng Junjie <873216071@qq.com>
;;; Copyright © 2024 Artyom V. Poptsov <poptsov.artyom@gmail.com>
+;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -1670,14 +1671,14 @@ (define-public libva-utils
(define-public ffmpeg
(package
(name "ffmpeg")
- (version "6.1.1")
+ (version "6.1.2")
(source (origin
(method url-fetch)
(uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
version ".tar.xz"))
(sha256
(base32
- "0s7r2qv8gh2a3w568n9xxgcz0q8j5ww1jdsci1hm9f4l1yqg9146"))))
+ "0f2fr8ywchhlkdff88lr4d4vscqzsi1ndjh3r5jwbkayf94lcqiv"))))
(outputs '("out" "debug"))
(build-system gnu-build-system)
(inputs
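Review bot: `ffmpeg` is the variant reported below as triggering ~700 dependent rebuilds, so this hunk is the one Guix's rebuild policy routes to a topic branch or a graft rather than master; a graft would leave `(version "6.1.1")` in place and add a `(replacement ffmpeg/fixed)` field pointing at a package that inherits `ffmpeg` with the new version and hash, delivering the CVE-2024-7055 fix to users without the mass rebuild. If the maintainers choose to push directly anyway, the cover letter should say so and why.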
--
2.46.0
Ashish SHUKLA wrote on 25 Aug 02:42 +0200
update bug state
To: control@debbugs.gnu.org
Message-ID: D3OKQOMWTMEG.ZYCJI6JGDT91@lostca.se
tag 72799 security
severity 72799 important
quit
Rodion Goritskov wrote on 30 Aug 23:30 +0200
Re: [bug#72799] [PATCH 0/3] ffmpeg updates [fixes CVE-2024-7055, CVE-2024-7272]
To: 72799@debbugs.gnu.org
Message-ID: 87r0a5aeci.fsf@gmail.com
Hi!

Patches apply and build fine.

However, it looks like ffmpeg-4 and ffmpeg-6 trigger lots (~1000 for
ffmpeg-4 and ~700 for ffmpeg-6) of package rebuilds.
ffmpeg-5 is fine, only 12 packages to be rebuilt.

Maybe ffmpeg-4 and ffmpeg-6 should be grafted (these CVEs look scary) and patches for them sent
in a separate branch?

Need some experienced maintainers to understand how it should be resolved.
Maxim Cournoyer wrote on 12 Nov 13:09 +0100
To: Rodion Goritskov <rodion.goritskov@gmail.com>
Message-ID: 871pzg4ps1.fsf@gmail.com
Hello,

Rodion Goritskov <rodion.goritskov@gmail.com> writes:

> Hi!
>
> Patches apply and build fine.
>
> However, it looks like ffmpeg-4 and ffmpeg-6 trigger lots (~1000 for
> ffmpeg-4 and ~700 for ffmpeg-6) of package rebuilds.
> ffmpeg-5 is fine, only 12 packages to be rebuilt.
>
> Maybe ffmpeg-4 and ffmpeg-6 should be grafted (these CVEs look scary) and patches for them sent
> in a separate branch?
>
> Need some experienced maintainers to understand how it should be resolved.

It would have been better to build on a topic branch, but I've opted to
take a shortcut here and push directly to master for this time.

Closing!

--
Thanks,
Maxim
Closed