libav: mark as insecure #111330
libav: mark as insecure #111330
Conversation
dotlambda
added
1.severity: security
9.needs: port to stable
|
Thats a lot of packages to break. Why don't we patch for the vulnerabilities? |
I guess we could find some patches over at ffmpeg, but wouldn't it be easier to patch everything to use ffmpeg instead? |
|
I'm not aware of a way to notify them. |
|
@jtojnar @IvarWithoutBones @prusnak Libav is not in https://github.com/AppImage/pkg2appimage/blob/master/excludelist. Should we just remove it from |
ofborg
bot
added
10.rebuild-linux: 1-10
10.rebuild-linux: 11-100
and removed
10.rebuild-linux: 0
10.rebuild-linux: 1-10
labels
We brought the number down from 74 to 7. |
|
Checked the unpaper change and it is OK. Thanks! |
|
My only experience is with the ovito package. I changed libav in the |
| lib.optional (lib.versionOlder version "12.1") "CVE-2017-9051" | ||
| ++ lib.optionals (lib.versionOlder version "12.3") [ "CVE-2018-5684" "CVE-2018-5766" ] | ||
| ++ lib.optionals (lib.versionOlder version "12.4") [ "CVE-2019-9717" "CVE-2019-9720" ]; |
There was a problem hiding this comment.
The complete list from the links you provided is
CVE-2014-5271
CVE-2015-3395
CVE-2015-5479
CVE-2016-3062
CVE-2016-6832
CVE-2016-7393
CVE-2016-7424
CVE-2016-8675
CVE-2016-8676
CVE-2017-16803
CVE-2017-9051
CVE-2018-11102
CVE-2018-11224
CVE-2018-18826
CVE-2018-18827
CVE-2018-18828
CVE-2018-18829
CVE-2018-19128
CVE-2018-19129
CVE-2018-19130
CVE-2018-20001
CVE-2018-5684
CVE-2018-5766
CVE-2019-14371
CVE-2019-14372
CVE-2019-14441
CVE-2019-14442
CVE-2019-14443
CVE-2019-9717
CVE-2019-9719
CVE-2019-9720
Definitely makes the case that this package should be gone. I guess the thinking then is it isn't really worth the time to lay these all out? I'm okay with that.
|
Alternative suggestion: Just use |
|
@erikarvstedt @peti @romildo Can we make |
It is ok for me. |
The latter has more features and doesn't depend on an outdated version of libav.
dotlambda
force-pushed
the
libav-insecure
branch
from
a487189
to
d4c07d6
Compare
|
#111693 for signumone-ks. Removing |
|
@dotlambda I don't think zulu should depend on libav or ffmpeg, I've checked all the so files it should be fine to remove them. |
pkgs/top-level/aliases.nix
Outdated
| @@ -294,6 +294,7 @@ mapAliases ({ | |||
| kinetic-cpp-client = throw "kinetic-cpp-client has been removed from nixpkgs, as it's abandoned."; # 2020-04-28 | |||
| kicad-with-packages3d = kicad; # added 2019-11-25 | |||
| krename-qt5 = krename; # added 2017-02-18 | |||
| keyfinder = throw "keyfinder has been removed because it was broken"; # added 2021-02-01 | |||
There was a problem hiding this comment.
It seems to work for someone #18475 (comment)
There was a problem hiding this comment.
False positive: #18475 (comment) ;-)
There was a problem hiding this comment.
@ajs124 Or would say we should keep it anyway? It would defiitely be marked as insecure.
There was a problem hiding this comment.
Instead of removing it, I now added a commit updating it to version 2.4.
dotlambda
force-pushed
the
libav-insecure
branch
from
7feef30
to
8484b0b
Compare
|
Thanks for the notification about clickshare-csc1. Sadly, clickshare won't build with ffmpeg: It needs As long as libav_0_8 isn't removed from nixpkgs, it's probably best to leave clickshare as it is. Users are warned about the situation and can decide themselves if they accept the risk of installing a vulnerable package. I don't know of any other solution. |
|
Is anything preventing us from merging? |
|
backport: #112396 |
TredwellGit
added
8.has: port to stable
Motivation for this change
closes #90844 and closes #90852 and closes #90839
I didn't list all vulnerabilities under
knownVulnerabilities.Consequences of this change
This disables the following packages:
Is there a way to make ofborg ping their maintainers?For those maintainers: Consider switching to ffmpeg.