Debian Package Tracker

general

source: ffmpeg (main)
version: 7:4.1.1-1
maintainer: Debian Multimedia Maintainers (archive) [DMD]
uploaders: Andreas Cadhalpun [DMD] – James Cowgill [DMD] – Balint Reczey [DMD] – Alexander Strasser [DMD] – Reinhard Tartler [DMD]
arch: all any
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 7:3.2.12-1~deb9u1
stable-sec: 7:3.2.12-1~deb9u1
testing: 7:4.1.1-1
unstable: 7:4.1.1-1

versioned links

7:3.2.12-1~deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:4.0.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:4.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:4.1.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ffmpeg
ffmpeg-doc
libavcodec-dev
libavcodec-extra
libavcodec-extra58
libavcodec58
libavdevice-dev
libavdevice58
libavfilter-dev
libavfilter-extra
libavfilter-extra7
libavfilter7
libavformat-dev
libavformat58
libavresample-dev
libavresample4
libavutil-dev
libavutil56
libpostproc-dev
libpostproc55
libswresample-dev
libswresample3
libswscale-dev
libswscale5

action needed

A new upstream version is available: 4.1.3 high

A new upstream version 4.1.3 is available, you should consider packaging it.

Created: 2019-03-24 Last update: 2019-04-18 09:37

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2019-9721: A denial of service in the subtitle decoder in FFmpeg 4.1 allows attackers to hog the CPU via a crafted video file in Matroska format, because handle_open_brace in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.
CVE-2019-9718: In FFmpeg 4.1, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because ff_htmlmarkup_to_ass in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.

Please fix them.

Created: 2019-03-13 Last update: 2019-04-08 21:25

2 security issues in buster high

There are 2 open security issues in buster.

2 important issues:

CVE-2019-9721: A denial of service in the subtitle decoder in FFmpeg 4.1 allows attackers to hog the CPU via a crafted video file in Matroska format, because handle_open_brace in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.
CVE-2019-9718: In FFmpeg 4.1, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because ff_htmlmarkup_to_ass in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.

Please fix them.

Created: 2019-03-13 Last update: 2019-04-08 21:25

Depends on packages which need a new maintainer normal

The packages that ffmpeg depends on which need a new maintainer are:

libcdio-paranoia (#881910)
- Build-Depends: libcdio-paranoia-dev
- Depends: libcdio-cdda2 libcdio-paranoia2
libiec61883 (#826285)
- Build-Depends: libiec61883-dev
- Depends: libiec61883-0

Created: 2017-12-02 Last update: 2019-04-18 08:34

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2019-02-26 Last update: 2019-04-18 08:29

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 7:4.1.1-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 80c2336c547d648fc2ae3447ce374e82fdfe957f
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Tue Mar 12 19:07:55 2019 -0400

    ffmpeg: Add suggests to the 'ffplay' binary package
    
    Suggested by: Josh Triplett

commit f6ac389d2f9de5aa4191cb9ff8d39cec97b38156
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Mon Mar 11 08:20:05 2019 -0400

    Introduce new binary package ffplay (Closes: #923494)
    
    The ffplay utility is an SDL application, which these days comes
    with a lot of sizable dependencies. In a headless installation that
    is used for transcoding and streaming, such dependencies, like on
    X11, wayland, etc. may not be desirable.
    
    This also disables the sdl2 output device, which according to Carl-Eugen
    from FFmpeg upstream is mostly used for debugging.
    
    With this patch, the ffmpeg binary package has a depends line like this:
    
     Package: ffmpeg
     Version: 7:4.1.1-2
     Architecture: amd64
     Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
     Installed-Size: 1808
     Depends: libavcodec58 (= 7:4.1.1-2), libavdevice58 (= 7:4.1.1-2), libavfilter7 (= 7:4.1.1-2), libavformat58 (= 7:4.1.1-2), libavresample4 (= 7:4.1.1-2), libavutil56 (= 7:4.1.1-2), libc6 (>= 2.14), libpostproc55 (= 7:4.1.1-2), libswresample3 (= 7:4.1.1-2), libswscale5 (= 7:4.1.1-2)
     Suggests: ffmpeg-doc
     Breaks: libav-tools (<< 6:12~~), qt-faststart (<< 7:2.7.1-3~), winff (<< 1.5.5-5~)
     Replaces: libav-tools (<< 6:12~~), qt-faststart (<< 7:2.7.1-3~)
     Section: video
    
    Note that there is a dependency on libavdevice58, but not on SDL.
    
    The 'ffplay' binary package has a depends line that looks like this:
    
     Package: ffplay
     Source: ffmpeg
     Version: 7:4.1.1-2
     Architecture: amd64
     Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
     Installed-Size: 226
     Depends: libavcodec58 (= 7:4.1.1-2), libavdevice58 (= 7:4.1.1-2), libavfilter7 (= 7:4.1.1-2), libavformat58 (= 7:4.1.1-2), libavresample4 (= 7:4.1.1-2), libavutil56 (= 7:4.1.1-2), libc6 (>= 2.14), libpostproc55 (= 7:4.1.1-2), libsdl2-2.0-0 (>= 2.0.9), libswresample3 (= 7:4.1.1-2), libswscale5 (= 7:4.1.1-2), ffmpeg
     Suggests: ffmpeg-doc
     Breaks: ffmpeg (<< 7:4.1.1-2~), libav-tools (<< 6:12~~), qt-faststart (<< 7:2.7.1-3~), winff (<< 1.5.5-5~)
     Replaces: ffmpeg (<< 7:4.1.1-2~), libav-tools (<< 6:12~~), qt-faststart (<< 7:2.7.1-3~)
     Section: video
    
    Note that this includes both libavdevice58 as well as libsdl2-2.

commit b1a5d699616e15878e5685044e47c8f127fa273f
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Mon Mar 11 18:52:08 2019 -0400

    syncronize tree with upstream

commit a119507e15bd20c138667663979703c0e834bdf9
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Mon Mar 11 08:30:28 2019 -0400

    include empty debian/patches/series file
    
    this unbreaks building with dgit

commit eb9c27a1c9909d7d8cb87d650be0686f8dc6051d
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Mon Mar 11 08:14:20 2019 -0400

    prepare new upload

Created: 2019-03-12 Last update: 2019-04-18 02:11

3 ignored security issues in stretch low

There are 3 open security issues in stretch.

3 issues skipped by the security teams:

CVE-2018-1999011: FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains a Buffer Overflow vulnerability in asf_o format demuxer that can result in heap-buffer-overflow that may result in remote code execution. This attack appears to be exploitable via specially crafted ASF file that has to be provided as input to FFmpeg. This vulnerability appears to have been fixed in 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 and later.
CVE-2019-9718: In FFmpeg 4.1, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because ff_htmlmarkup_to_ass in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.
CVE-2018-15822: The flv_write_packet function in libavformat/flvenc.c in FFmpeg through 4.0.2 does not check for an empty audio packet, leading to an assertion failure.

Please fix them.

Created: 2017-12-01 Last update: 2019-04-08 21:25

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2018-10-01 Last update: 2018-10-01 03:04

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.3.0 instead of 4.2.1).

Created: 2018-12-23 Last update: 2019-02-15 18:43

testing migrations

This package will soon be part of the auto-x265 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2019-02-25] ffmpeg 7:4.1.1-1 MIGRATED to testing (Debian testing watch)
[2019-02-15] Accepted ffmpeg 7:4.1.1-1 (source) into unstable (James Cowgill)
[2018-12-31] ffmpeg 7:4.1-1 MIGRATED to testing (Debian testing watch)
[2018-12-22] Accepted ffmpeg 7:4.1-1 (source) into unstable (James Cowgill)
[2018-11-06] ffmpeg 7:4.0.3-1 MIGRATED to testing (Debian testing watch)
[2018-11-03] Accepted ffmpeg 7:4.0.3-1 (source) into unstable (James Cowgill)
[2018-09-25] ffmpeg 7:4.0.2-2 MIGRATED to testing (Debian testing watch)
[2018-09-25] ffmpeg 7:4.0.2-2 MIGRATED to testing (Debian testing watch)
[2018-09-22] Accepted ffmpeg 7:4.0.2-2 (source) into unstable (James Cowgill)
[2018-08-04] Accepted ffmpeg 7:3.2.12-1~deb9u1 (source) into proposed-updates->stable-new, proposed-updates (James Cowgill)
[2018-07-29] Accepted ffmpeg 7:3.2.12-1~deb9u1 (source) into stable->embargoed, stable (James Cowgill)
[2018-07-24] ffmpeg 7:4.0.2-1 MIGRATED to testing (Debian testing watch)
[2018-07-24] ffmpeg 7:4.0.2-1 MIGRATED to testing (Debian testing watch)
[2018-07-21] Accepted ffmpeg 7:4.0.2-1 (source) into unstable (James Cowgill)
[2018-07-19] Accepted ffmpeg 7:3.2.11-1~deb9u1 (source) into proposed-updates->stable-new, proposed-updates (James Cowgill)
[2018-07-18] Accepted ffmpeg 7:4.0.1-2 (source) into unstable (James Cowgill)
[2018-07-17] Accepted ffmpeg 7:3.2.11-1~deb9u1 (source) into stable->embargoed, stable (James Cowgill)
[2018-07-13] ffmpeg 7:3.4.3-1 MIGRATED to testing (Debian testing watch)
[2018-07-11] Accepted ffmpeg 7:4.0.1-1 (source) into experimental (Sebastian Ramacher)
[2018-07-10] Accepted ffmpeg 7:3.4.3-1 (source) into unstable (Sebastian Ramacher)
[2018-06-06] Accepted ffmpeg 7:4.0-3 (source) into experimental (James Cowgill)
[2018-05-06] Accepted ffmpeg 7:4.0-2 (source) into experimental (James Cowgill)
[2018-04-22] Accepted ffmpeg 7:4.0-1 (source) into experimental (James Cowgill)
[2018-04-14] ffmpeg 7:3.4.2-2 MIGRATED to testing (Debian testing watch)
[2018-04-09] Accepted ffmpeg 7:3.4.2-2 (source) into unstable (James Cowgill)
[2018-02-18] ffmpeg 7:3.4.2-1 MIGRATED to testing (Debian testing watch)
[2018-02-12] Accepted ffmpeg 7:3.4.2-1 (source) into unstable (James Cowgill)
[2018-02-11] Accepted ffmpeg 7:3.2.10-1~deb9u1~bpo8+1 (source all) into jessie-backports->backports-policy, jessie-backports (James Cowgill)
[2018-02-08] Accepted ffmpeg 7:3.2.10-1~deb9u1 (source) into proposed-updates->stable-new, proposed-updates (James Cowgill)
[2018-01-24] Accepted ffmpeg 7:3.5~git20180113-1 (source amd64 all) into experimental, experimental (James Cowgill)

bugs [bug history graph]

all: 14 15
RC: 0
I&N: 7 8
M&W: 6
F&P: 1
patch: 0

links

homepage
lintian
buildd: logs, checks, clang, reproducibility, cross
popcon
debci
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 7:4.1.1-1
7 bugs