[FFmpeg-devel] backport fixes for CVE-2019-9718 and CVE-2019-9721

Dominik 'Rathann' Mierzejewski dominik at greysector.net
Wed Mar 20 13:08:52 EET 2019


On Wednesday, 20 March 2019 at 00:48, Carl Eugen Hoyos wrote:
> 2019-03-19 23:28 GMT+01:00, Dominik 'Rathann' Mierzejewski
> <dominik at greysector.net>:
> 
> > Were the CVE IDs not known at the time these were pushed to master?
> 
> No, how would this be possible?

Easy: you can request the ID at https://cveform.mitre.org/ before
pushing the commits.

> > Not having them in the commit log made it more difficult to find them.
> 
> I thought the CVEs themselves contain the commits, no?

They do, but looking at the commits only I wouldn't know there were CVE
IDs associated with them, so the relation is one-way only. I would feel
better if the commit log said a CVE ID was being fixed.

Regards,
Dominik
-- 
Fedora   https://getfedora.org  |  RPM Fusion  http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
        -- from "Collected Sayings of Muad'Dib" by the Princess Irulan

