We should update mplayer:
http://www.mplayerhq.hu/design7/news.html
There are several severe security issues in mplayer 1.0RC2.
Cheers,
Blind
Offline
1.0R2 is in arch. These new bugfixes have yet to be put in a source package.
Offline
This doesn't belong on the forums, but on the bug tracker: http://bugs.archlinux.org
pacman roulette : pacman -S $(pacman -Slq | LANG=C sort -R | head -n $((RANDOM % 10)))
Offline
Well, it has been flagged out of date.
Should be enough, hopefully.
Just wanted to point this out.
Cheers,
Blind
Offline
Out of date, what? It isn't out of date, last release is still 1.0rc2.
And no, it is not enough. If you want to do this correctly, report it on the bug tracker as I already said.
Offline
It was flagged by mistake around a month ago. Premonition?
Offline
Relax man, I didn't flag it out-of-date...
I assumed that it was flagged because of this security issue, though.
In any case, if the dev hasn't picked it up from there, I have my doubts they will react to a bug report.
In any case, I will file a report later, if I get to it.
Don't jump all over me.
Cheers,
Blind
PS:
http://bugs.archlinux.org/task/9474
Last edited by Blind (2008-02-05 20:15:52)
Offline
In any case, if the dev hasn't picked it up from there, I have my doubts they will react to a bug report.
Here's the difference - we don't always have time to read the forum. We do, however, make a point of evaluating every bug report posted. The bugtracker also provides a more structured way of communicating, discussing and tracking issues.
Offline
Well, I understand, and it sounds alright to me.
I shouldn't have assumed it was flagged out of date today because of the security issues. That assumption was based on:
1. I know the dev gets an email, when things are flagged out of date, thus allowing for a direct notification, maybe quicker action (when the comment says: security problem)?
2. Why wasn't it unflagged, when this happened a month ago?
Alright, next time I will go right ahead to the bugtracker.
Cheers,
Blind
Offline
Perfect, thanks. Now your task as a user is done, and we let the dev worry about it.
Offline
I would assume that the devs would be subscribed to the security lists for the packages that they maintain. Is this not generally the case with Arch?
(I'm not trolling. I'm genuinely interested in the information.)
Offline
I guess they do. On the other hand, they usually have LOTS of packages at their hands...
I give the dev a lot of credit, 'cause mplayer is a b*&ch to compile.
But it is the best player/encoder there is, imho.
Cheers,
Blind
Offline
There used to be a security group for Archlinux. I wonder what happened. I wouldn't mind helping out if there is a need for a security group again.
Offline
The mplayer package in Extra has still not been patched with the latest security updates even though they were released almost a month ago.
What is even worse, is that the PKGBUILD in cvs for mplayer uses an ftp url in the source array that requires a non-anonymous login... so makepkg cannot download the sources. Someone dropped the ball on this one.
Offline
Personally I don't really think it's such a huge issue -- but what do I know... Anyways, I've made a PKGBUILD that should take care of those security issues in case anyone feels really strongly about this.
# $Id: PKGBUILD,v 1.15 2008/01/01 12:18:31 andyrtr Exp $
# Maintainer: Thomas Bächler <thomas@archlinux.org>
pkgname=mplayer
pkgver=1.0rc2
pkgrel=3
pkgdesc="A movie player for linux"
arch=(i686 x86_64)
depends=('libxxf86dga' 'libxv' 'libmad' 'libungif' 'cdparanoia' 'gtk2'
         'sdl' 'lame' 'libtheora' 'xvidcore'
         'libgl' 'smbclient' 'aalib' 'jack-audio-connection-kit'
         'x264>=20070616' 'faac' 'lirc-utils')
license=('GPL')
url="http://www.mplayerhq.hu/"
makedepends=('libcaca' 'unzip' 'live-media' 'libdca')
backup=('etc/mplayer/codecs.conf' 'etc/mplayer/input.conf')
source=(http://www.mplayerhq.hu/MPlayer/releases/MPlayer-${pkgver}.tar.bz2
        ftp://ftp1.mplayerhq.hu/MPlayer/skins/Blue-1.7.tar.bz2
        http://www.mplayerhq.hu/MPlayer/patches/stream_cddb_fix_20080120.diff
        http://www.mplayerhq.hu/MPlayer/patches/url_fix_20080120.diff
        http://www.mplayerhq.hu/MPlayer/patches/demux_mov_fix_20080129.diff
        http://www.mplayerhq.hu/MPlayer/patches/demux_audio_fix_20080129.diff)
        #MPlayer-1.0rc1-gnome-screensaver.patch)
md5sums=('7e27e535c2d267637df34898f1b91707'
         'e4e2020d11b681aac898103b3ba723c4'
         'c7d1bcdd61fcceb7598d61fe2213c587'
         '6a2c124586e1e6c44ae4ca1b4be9b6e4'
         'ce999929155f509a3e6bee41d9d613ed'
         '320af7daa1b248ee8e8c15d34d7923e3')

build() {
  cd $startdir/src/MPlayer-${pkgver}

  # Custom CFLAGS break the mplayer build
  unset CFLAGS

  # Add support for gnome screensaver
  #patch -p1 -i ../MPlayer-1.0rc1-gnome-screensaver.patch || return 1

  patch -Np0 -i ../stream_cddb_fix_20080120.diff || return 1
  patch -Np0 -i ../url_fix_20080120.diff || return 1
  patch -Np0 -i ../demux_mov_fix_20080129.diff || return 1
  patch -Np0 -i ../demux_audio_fix_20080129.diff || return 1

  cd $startdir/src/MPlayer-${pkgver}
  ./configure --prefix=/usr --enable-gui --disable-arts --enable-x11 \
    --enable-runtime-cpudetection --confdir=/etc/mplayer --disable-nas \
    --enable-gl --enable-tv-v4l1 --enable-tv-v4l2 --enable-largefiles \
    --disable-liblzo --disable-speex --disable-openal \
    --disable-fribidi --disable-libdv --disable-musepack \
    --language=all --disable-dvdnav --disable-esd --disable-mga \
    --with-extraincdir=/usr/lib/live-media

  [ "$CARCH" = "i686" ] && sed 's|-march=i486|-march=i686|g' -i config.mak

  make || return 1
  make -j1 DESTDIR=${startdir}/pkg install
  cp etc/{codecs.conf,input.conf,example.conf} ${startdir}/pkg/etc/mplayer/
  ln -s /usr/share/fonts/TTF/Vera.ttf ${startdir}/pkg/usr/share/mplayer/subfont.ttf
  rm -rf ${startdir}/pkg/usr/share/mplayer/font
  mv ${startdir}/src/Blue ${startdir}/pkg/usr/share/mplayer/skins/default
}
Offline
Looks almost identical to the one I have building now... great minds I guess.
I added more error checking and some informative messages. I didn't include the "-N" option with patch, just "-p0". I guess it is safer to include it.
Offline
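An illustration of the "-N" point raised in the last two posts, added here and not part of the thread or of the Arch package: it applies a constructed fix twice to a constructed file, as happens when build() is re-run on an already patched source tree. It assumes GNU patch; demo.c, fix.diff, make_tree and apply_twice are made-up names.

```shell
# Added example: constructed file and patch, not MPlayer's real sources or fixes.

# Create a scratch tree holding a three-line file and a patch that adds a bounds check.
make_tree() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'len = read_len(f);' 'memcpy(buf, src, len);' 'return 0;' > "$dir/demo.c"
    printf '%s\n' \
        '--- demo.c' \
        '+++ demo.c' \
        '@@ -1,3 +1,4 @@' \
        ' len = read_len(f);' \
        '+if (len > sizeof(buf)) return -1;' \
        ' memcpy(buf, src, len);' \
        ' return 0;' > "$dir/fix.diff"
    echo "$dir"
}

# Apply fix.diff twice with the given patch(1) flag and print "fixed" or
# "unfixed" depending on whether the bounds check is still in demo.c.
apply_twice() {
    flags=$1
    dir=$(make_tree) || return 1
    # First run: clean tree, the fix goes in.
    ( cd "$dir" && patch $flags -p0 -i fix.diff >/dev/null 2>&1 ) || { rm -rf "$dir"; return 1; }
    # Second run: the tree is already patched, as on a rebuild without re-extracting.
    second_status=0
    ( cd "$dir" && patch $flags -p0 -i fix.diff >/dev/null 2>&1 ) || second_status=$?
    echo "patch $flags, second run exit status: $second_status" >&2
    if grep -q 'sizeof(buf)' "$dir/demo.c"; then state=fixed; else state=unfixed; fi
    rm -rf "$dir"
    echo "$state"
}

# -N (--forward): the already applied patch is skipped, so the fix stays in
# place; GNU patch reports the skipped hunk with a non-zero status, which
# makes "|| return 1" in build() stop the package build.
apply_twice -N

# -t (--batch): patch assumes the patch is reversed, silently backs the fix
# out again and exits 0, so the build would continue without the fix.
apply_twice -t
```

With no flag at all, GNU patch asks interactively whether to assume -R, so the outcome depends on whoever answers the prompt; -N removes that question.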