hi,

in
http://tonelli.sns.it/pub/mplayer/lenny/mplayer_1.0~rc2-17+lenny2_amd64.changes

you will find the new version of mplayer for lenny that fixes bug 508803

a.

Hi,
* A Mennucc <mennucc1 at debian.org> [2008-12-15 22:38]:
> in
> http://tonelli.sns.it/pub/mplayer/lenny/mplayer_1.0~rc2-17+lenny2_amd64.changes
>
> you will find the new version of mplayer for lenny that fixes bug 508803

It would be nice if we could get additional input from you for #407010, maybe there is a chance to fix this and possibly fixing this as well. There was also some input from the faad upstream, please see:
http://lists.alioth.debian.org/pipermail/secure-testing-team/2008-December/001947.html

So far, thanks for contacting us.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

hi,

first of all, let me mention that TWinVQ is decoded via a binary DLL, and will not play in a default install

On Mon, Dec 15, 2008 at 10:45:35PM +0100, Nico Golde wrote:
> It would be nice if we could get additional input from you
> for #407010, maybe there is a chance to fix this and
> possibly fixing this as well.

:-> that is a difficult and hairy bug, since AFAIK, the bug is actually in libfaad, and is fixed in the new upstream of libfaad, but, to fix into Etch and Lenny, we would need to understand and extract the relevant minimal patch for libfaad

BTW was this ever reported to the faad2 maintainer?

a.

let me also mention that I compiled it using 'pbuilder', so dependencies and such are quite fine.

a.

Hi,
* A Mennucc <debdev at tonelli.sns.it> [2008-12-17 12:17]:
> first of all, let me mention that TWinVQ is decoded via a binary DLL,
> and will not play in a default install

Thanks, I therefore downgraded the impact of the vulnerability in our tracker.

> On Mon, Dec 15, 2008 at 10:45:35PM +0100, Nico Golde wrote:
> > It would be nice if we could get additional input from you
> > for #407010, maybe there is a chance to fix this and
> > possibly fixing this as well.
>
> :-> that is a difficult and hairy bug, since AFAIK, the bug is
> actually in libfaad, and is fixed in the new upstream of libfaad, but,
> to fix into Etch and Lenny, we would need to understand and extract
> the relevant minimal patch for libfaad
>
> BTW was this ever reported to the faad2 maintainer?

Yes, did you miss the other part of my previous mail? :)
See http://lists.alioth.debian.org/pipermail/secure-testing-team/2008-December/001947.html
and the following mails in this thread. I have not had time yet to test the patches upstream referenced in the last mail.

Cheers
Nico

On Wed, Dec 17, 2008 at 12:41:18PM +0100, Nico Golde wrote:
> > BTW was this ever reported to the faad2 maintainer?
>
> Yes, did you miss the other part of my previous mail? :)
> See http://lists.alioth.debian.org/pipermail/secure-testing-team/2008-December/001947.html

I think there is a misunderstanding here. What I mean is: we need to submit a bug report against faad2 in Debian, so that the Debian maintainer (M.W.S.Bell) is aware of all this.

In the thread you mention above, I see no such contact (although I cannot be sure, since the web interface does not show recipients ... weird).

a.

Hi,
* A Mennucc <debdev at tonelli.sns.it> [2008-12-17 15:35]:
> On Wed, Dec 17, 2008 at 12:41:18PM +0100, Nico Golde wrote:
> > > BTW was this ever reported to the faad2 maintainer?
> >
> > Yes, did you miss the other part of my previous mail? :)
> > See http://lists.alioth.debian.org/pipermail/secure-testing-team/2008-December/001947.html
>
> I think there is a misunderstanding here. What I mean is:
> we need to submit a bug report against faad2 in Debian,
> so that the Debian maintainer (M.W.S.Bell) is aware of all this.

Ah ok, got your point. This won't help in this case as you don't build against the system wide copy of faad and all present faad versions in Debian don't have this bug.

> In the thread you mention above, I see no such contact
> (although I cannot be sure, since the web interface does not show
> recipients ... weird).

No sorry, just a misunderstanding (maintainer vs upstream maintainer).

Cheers
Nico

On Wed, Dec 17, 2008 at 03:40:27PM +0100, Nico Golde wrote:
> Hi,
> * A Mennucc <debdev at tonelli.sns.it> [2008-12-17 15:35]:
> > On Wed, Dec 17, 2008 at 12:41:18PM +0100, Nico Golde wrote:
> > > > BTW was this ever reported to the faad2 maintainer?
> > >
> > > Yes, did you miss the other part of my previous mail? :)
> > > See http://lists.alioth.debian.org/pipermail/secure-testing-team/2008-December/001947.html
> >
> > I think there is a misunderstanding here. What I mean is:
> > we need to submit a bug report against faad2 in Debian,
> > so that the Debian maintainer (M.W.S.Bell) is aware of all this.
>
> Ah ok, got your point. This won't help in this case as you
> don't build against the system wide copy of faad and all
> present faad versions in Debian don't have this bug.

hmm... now it is me, I was in a misunderstanding

I thought that mplayer was using the external libfaad, since it is linked against it; but after looking at the build log, I stand corrected, the building process builds the internal libfaad and it links

I have prepared another source
pub/lenny/mplayer_1.0~rc2-17+lenny3.dsc

that has 'configure' options so that is built with the external libfaad; this one does not crash on the file lol-mplayer.aac

a.

Hi,
* A Mennucc <debdev at tonelli.sns.it> [2008-12-18 14:35]:
> On Wed, Dec 17, 2008 at 03:40:27PM +0100, Nico Golde wrote:
> > * A Mennucc <debdev at tonelli.sns.it> [2008-12-17 15:35]:
> > > On Wed, Dec 17, 2008 at 12:41:18PM +0100, Nico Golde wrote:
> > > > > BTW was this ever reported to the faad2 maintainer?
> > > >
> > > > Yes, did you miss the other part of my previous mail? :)
> > > > See http://lists.alioth.debian.org/pipermail/secure-testing-team/2008-December/001947.html
> > >
> > > I think there is a misunderstanding here. What I mean is:
> > > we need to submit a bug report against faad2 in Debian,
> > > so that the Debian maintainer (M.W.S.Bell) is aware of all this.
> >
> > Ah ok, got your point. This won't help in this case as you
> > don't build against the system wide copy of faad and all
> > present faad versions in Debian don't have this bug.
>
> hmm... now it is me, I was in a misunderstanding
>
> I thought that mplayer was using the external libfaad, since it is
> linked against it; but after looking at the build log,
> I stand corrected, the building process builds the internal
> libfaad and it links
>
> I have prepared another source
> pub/lenny/mplayer_1.0~rc2-17+lenny3.dsc
>
> that has 'configure' options so that is built with the external
> libfaad; this one does not crash on the file lol-mplayer.aac

Ok thanks, please go ahead uploading it as explained on:
http://testing-security.debian.net/uploading.html

Cheers
Nico