Bug 21548

Summary: avidemux 2.7.0 updates bundled ffmpeg to 3.3.x
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: lewyssmith, mageia, sysadmin-bugs, tarazed25
Version: 6
Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK advisory
Source RPM: avidemux-2.6.20-2.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2017-08-17 11:59:46 CEST
Avidemux 2.7.0 has been released on August 15:
http://fixounet.free.fr/avidemux/news.html#2017-08-15

Since it updates the bundled ffmpeg to 3.3.x, I think we should update to this version for Mageia 5 (sync with the update I already did in Cauldron).  We really should also fix it to use our compiler flags so that the debug packages don't have to be disabled as I did in Cauldron.

Comment 1 Nicolas Lécureuil 2017-08-19 23:41:14 CEST
pushed in updates_testing
src.rpm:
        avidemux-2.7.0-1.mga6

CC: (none) => mageia
Assignee: shlomif => qa-bugs

Comment 2 David Walser 2017-08-20 00:32:53 CEST
We haven't fixed the compilation flags yet, and it also has a tainted version.

Assignee: qa-bugs => pkg-bugs

Comment 3 David Walser 2017-08-20 22:20:06 CEST
Note that there are core and tainted builds of this package.

Advisory:
========================

Updated avidemux packages fix security vulnerabilities:

The avidemux package has been updated to version 2.7.0.  Avidemux includes a
bundled copy of the ffmpeg libraries, which have been updated from version
3.0.7 to version 3.3.3, fixing several security issues and other bugs.

References:
http://fixounet.free.fr/avidemux/news.html#2017-08-15
http://ffmpeg.org/security.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
libavidemux-2.7.0-1.mga6
avidemux-devel-2.7.0-1.mga6
avidemux-cli-2.7.0-1.mga6
avidemux-qt-2.7.0-1.mga6
avidemux-plugins-2.7.0-1.mga6
avidemux-cli-plugins-2.7.0-1.mga6
avidemux-qt-plugins-2.7.0-1.mga6

from avidemux-2.7.0-1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 4 Len Lawrence 2017-08-21 02:02:33 CEST
mga6  x86_64  Mate

Updated from Core Updates Testing

$ rpm -qa | grep avidemux
avidemux-qt-plugins-2.7.0-1.mga6
avidemux-cli-2.7.0-1.mga6
lib64avidemux-2.7.0-1.mga6
avidemux-plugins-2.7.0-1.mga6
avidemux-cli-plugins-2.7.0-1.mga6
avidemux-qt-2.7.0-1.mga6
avidemux-devel-2.7.0-1.mga6

$ avidemux3_qt5

Opened a short m4v film clip, played it and cut off the first minute and played it again.  Removed about 25 seconds from the end and saved the result as an mkv file.  Closed the interface and played the shortened clip in vlc.  No loss of quality.

Enabled Tainted Updates Testing and replaced the packages.

Opened an mp4 file using avidemux3_qt5.  Trimmed bits off at the start and the end.  Tried to convert the initial 4:3 aspect ratio to 16:9 but that failed.  Otherwise good.

CC: (none) => tarazed25

Len Lawrence 2017-08-21 02:03:11 CEST

Whiteboard: (none) => MGA6-64-OK

Comment 5 Lewis Smith 2017-08-21 20:10:44 CEST
Validating (this is M6 only); advisory to do.

CC: (none) => lewyssmith, sysadmin-bugs
Keywords: (none) => validated_update

Lewis Smith 2017-08-21 22:12:00 CEST

Whiteboard: MGA6-64-OK => MGA6-64-OK advisory

Comment 6 Mageia Robot 2017-08-21 22:59:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0295.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED