oss-sec mailing list archives
Re: new FFMpeg stuff
From: Rémi Denis-Courmont <remi () remlab net>
Date: Thu, 25 Jul 2013 11:08:45 +0200
On Thu, 25 Jul 2013 03:01:33 -0600, Kurt Seifried <kseifried () redhat com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/25/2013 02:52 AM, Jean-Baptiste Kempf wrote:
>> On 25 Jul, Kurt Seifried wrote :
>>> Can the VLC security team confirm/correct this as needed so we can ensure it's correct before I assign CVEs? thanks.
>>
>> Why the VLC security team should be involved in that?
>
> Because they want to help make sure the CVEs get correctly assigned? If you guys don't care about getting CVE's done properly well that's your choice I guess and I'll assign the CVEs as best I can. But I was hoping VLC upstream might help out.

It's not that we don't care about CVE IDs. But "upstream VLC" is upstream VLC, i.e. the VLC code base. We just do not have the resources and expertise to evaluate FFmpeg/libav security issues individually.

Besides, VLC can be linked dynamically with many different FFmpeg or libav versions. So keeping track of their security issues within the context of VLC is more or less impossible. That is up to the VLC binary packagers, not to upstream developers.

--
Rémi Denis-Courmont
Sent from my collocated server