[r19.09] libvpx: add patches for CVE-2019-9232, CVE-2019-9325, CVE-2019-9371, CVE-2019-9433 #74751
Conversation
…VE-2019-9433 backports sourced from debian package 1.7.0-3+deb10u1, included in-repo as file is not available on sources.debian.org or salsa.debian.org
Force-pushed from b6937d4 to 9bcc760.
Incidentally, I'll just add a note on how I'm running the libvpx
All tests passed.
@risicle I have some questions on whether this already fixes all 4 of the CVEs or only the first two, over at #60826 (comment)
OK, updated. I have checked that, according to Debian, all 4 CVEs listed are fixed by those patches. Remaining is only what's fixed by
Is that also one of the CVEs?
That is apparently CVE-2019-9325. See the notes in https://security-tracker.debian.org/tracker/CVE-2019-9325
This seems to come from e.g. https://release.debian.org/proposed-updates/buster_diffs/libvpx_1.7.0-3+deb10u1.debdiff, which I got linked from https://release.debian.org/proposed-updates/stable.html.
OK, I've updated the table, it is all clear now. |
I have double-checked that the changes in here are the same as in Debian and that they are intended to fix the 4 CVEs involved.
I have not double-checked whether Debian's changes are sensible or if they are fully equivalent to the upstream (non-backport) commits listed in #60826 (comment)
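The review step above (checking that the in-repo patches are the same as Debian's, and that all four CVEs are accounted for by them) can be mechanised. The script below is an added example, not code from this PR, from nixpkgs or from Debian: it parses a debdiff of the kind linked from release.debian.org, rebuilds the files the Debian revision adds under debian/patches/, compares them by SHA-256 with the vendored copies, and lists which CVE IDs each patch names. The debdiff text, patch names, patch contents and the `VENDORED` tree are constructed sample data for the example, not the real libvpx 1.7.0-3+deb10u1 patches, and `run_check` and the other function names are the example's own. Caveat: CVE IDs that happen to appear in a patch header are only a hint; as the thread shows for CVE-2019-9325, the Debian security tracker is the authoritative CVE-to-fix mapping.

```python
# Added example (not code from the PR, nixpkgs or Debian): cross-check patches
# vendored into a package tree against the Debian debdiff they were copied from,
# and build a CVE -> patch table to see which advertised CVEs a patch names.
import hashlib
import re
from typing import Dict, List, Tuple

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")
# "diff -Nru OLD NEW" lines separate the per-file sections of a debdiff.
DIFF_HEADER_RE = re.compile(r"^diff -Nru \S+ (\S+)$", re.M)
# A file created by the Debian revision is a single hunk added at line 0 of an empty file.
NEW_FILE_HUNK_RE = re.compile(r"^@@ -0,0 \+1(?:,\d+)? @@")


def extract_added_files(debdiff: str, subdir: str = "debian/patches/") -> Dict[str, str]:
    """Rebuild the files the debdiff *adds* under `subdir`, keyed by path below `subdir`.

    Every line of such a file appears in its hunk prefixed with '+'; stripping the
    prefix yields the file exactly as it sits in the Debian source package. Files
    that are merely modified (hunk not starting at -0,0, e.g. debian/patches/series)
    are skipped, since they cannot be rebuilt from the diff alone.
    """
    added: Dict[str, str] = {}
    pieces = DIFF_HEADER_RE.split(debdiff)  # [preamble, path1, body1, path2, body2, ...]
    for path, body in zip(pieces[1::2], pieces[2::2]):
        if subdir not in path:
            continue
        name = path.split(subdir, 1)[1]
        lines = body.splitlines()
        hunk_at = next((i for i, line in enumerate(lines) if line.startswith("@@")), None)
        if hunk_at is None or not NEW_FILE_HUNK_RE.match(lines[hunk_at]):
            continue
        content = [line[1:] for line in lines[hunk_at + 1:] if line.startswith("+")]
        added[name] = "\n".join(content) + "\n"
    return added


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def verify_vendored(vendored: Dict[str, str], debian: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare each vendored patch with Debian's copy; any byte difference is flagged."""
    report: List[Tuple[str, str]] = []
    for name in sorted(set(vendored) | set(debian)):
        if name not in debian:
            report.append((name, "not in debdiff"))
        elif name not in vendored:
            report.append((name, "missing from vendored tree"))
        elif sha256(vendored[name]) == sha256(debian[name]):
            report.append((name, "identical"))
        else:
            report.append((name, "differs from Debian"))
    return report


def cve_table(patches: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every CVE id mentioned in a patch (header or body) to the patches naming it."""
    table: Dict[str, List[str]] = {}
    for name, text in sorted(patches.items()):
        for cve in sorted(set(CVE_RE.findall(text))):
            table.setdefault(cve, []).append(name)
    return table


def uncovered_cves(expected: List[str], table: Dict[str, List[str]]) -> List[str]:
    """CVEs from the advisory list that no patch names; these need the security tracker."""
    return [cve for cve in expected if cve not in table]


def run_check(debdiff: str, vendored: Dict[str, str], expected: List[str]):
    debian = extract_added_files(debdiff)
    return verify_vendored(vendored, debian), cve_table(debian), uncovered_cves(expected, cve_table(debian))


# --- constructed sample data: NOT the real libvpx 1.7.0-3+deb10u1 debdiff or patches ---
SAMPLE_DEBDIFF = """\
diff -Nru libvpx-1.7.0/debian/patches/CVE-2019-9232.patch libvpx-1.7.0/debian/patches/CVE-2019-9232.patch
--- libvpx-1.7.0/debian/patches/CVE-2019-9232.patch
+++ libvpx-1.7.0/debian/patches/CVE-2019-9232.patch
@@ -0,0 +1,4 @@
+Description: hypothetical backport, fixes CVE-2019-9232
+--- a/vp9/decoder/example.c
++++ b/vp9/decoder/example.c
+@@ -1 +1 @@
diff -Nru libvpx-1.7.0/debian/patches/CVE-2019-9325-9433.patch libvpx-1.7.0/debian/patches/CVE-2019-9325-9433.patch
--- libvpx-1.7.0/debian/patches/CVE-2019-9325-9433.patch
+++ libvpx-1.7.0/debian/patches/CVE-2019-9325-9433.patch
@@ -0,0 +1,2 @@
+Description: hypothetical backport, fixes CVE-2019-9325 and CVE-2019-9433
+--- a/vp8/common/example.c
diff -Nru libvpx-1.7.0/debian/patches/series libvpx-1.7.0/debian/patches/series
--- libvpx-1.7.0/debian/patches/series
+++ libvpx-1.7.0/debian/patches/series
@@ -1 +1,3 @@
 existing-fix.patch
+CVE-2019-9232.patch
+CVE-2019-9325-9433.patch
"""

VENDORED = {  # constructed in-repo copies; the second one picked up a trailing space when copied by hand
    "CVE-2019-9232.patch": "Description: hypothetical backport, fixes CVE-2019-9232\n"
                           "--- a/vp9/decoder/example.c\n+++ b/vp9/decoder/example.c\n@@ -1 +1 @@\n",
    "CVE-2019-9325-9433.patch": "Description: hypothetical backport, fixes CVE-2019-9325 and CVE-2019-9433 \n"
                                "--- a/vp8/common/example.c\n",
}
EXPECTED_CVES = ["CVE-2019-9232", "CVE-2019-9325", "CVE-2019-9371", "CVE-2019-9433"]

if __name__ == "__main__":
    report, table, uncovered = run_check(SAMPLE_DEBDIFF, VENDORED, EXPECTED_CVES)
    for name, status in report:
        print(f"{name}: {status}")
    for cve, names in sorted(table.items()):
        print(f"{cve}: {', '.join(names)}")
    if uncovered:
        print("named by no patch (check the security tracker):", ", ".join(uncovered))
```

On the constructed data the check flags the second vendored patch as differing from Debian's copy (a single trailing space is enough; a backport should be byte-identical to its claimed source or the difference should be explained in the PR) and reports CVE-2019-9371 as named by no patch header, which is exactly the situation where the Debian tracker notes have to be consulted rather than the patch text.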
Cool thanks ✔️
Motivation for this change
https://nvd.nist.gov/vuln/detail/CVE-2019-9232
https://nvd.nist.gov/vuln/detail/CVE-2019-9325
https://nvd.nist.gov/vuln/detail/CVE-2019-9371
https://nvd.nist.gov/vuln/detail/CVE-2019-9433
Backports sourced from Debian package 1.7.0-3+deb10u1, included in-repo as the file is not available on sources.debian.org or salsa.debian.org. I'm still running the (long, slow) unit tests, but everything seems ok so far. For master, see #60826