Diffstat (limited to 'multimedia/winff/changelog')
-rw-r--r-- | multimedia/winff/changelog | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/multimedia/winff/changelog b/multimedia/winff/changelog index 6da305c6fb..e464b2ee64 100644 --- a/multimedia/winff/changelog +++ b/multimedia/winff/changelog 
@@ -70,3 +70,59 @@ in slackware. This build removes all other localization files except english since it contains outdated links and may pose security risk. Bumped the build no. + +20/01/2023: + +Fixed $ARCH issue for 32-bit systems. freepascal supports i386 +only. The SlackBuild is modified to reflect that.Bumped the +build no. + +Users of WinFF must be aware of these two security issues that are +still unresolved upstream. + +a. The first one is due to the way filenames are inserted in the +temporary shell scripts generated to convert the media. Due to the +lack of character escaping, it is possible to insert system command using +specially crafted filename such as 'aaa";xcalc;".avi' or "aaa$(xcalc).mp4' +Thus leading to an arbitrary command execution. + +b. The second issue is related to the permission of this temporary shell +script. every users can access to them and modify them. Even if those files +are only temporary and launched right after generation, it leads to a +race-condition case where another user may try to replace the script content +before its execution in order to execute its own command with the winff +user permission. + +you can read about this issue here: +https://github.com/WinFF/winff/issues/242 + +As for first issue check the filename before converting otherwise it +will compromise your system and don't download from untrusted sources. +For the second I have no clue and this is beyond my abilities.If you have +a patch for these issue feel free to send it to me. + + +11/01/2024: + +Upgraded to the latest git commit 31b79e3. + +22/01/2024: + +Added -pie and -zdefs hardening flags to linker. +Bumped the build no. + +27/02/2024: + +Updated to version 1.6.3 + +03/03/2024: + +Resubmit to SBo +Modify the SlackBuild to avoid creating object code files to /usr/share/lazarus +when compiling winff and remove unused function in doinst.sh Thanks to Andrew Clemons +for pointing it out. + +27/04/2024: + +Updated to version 1.6.4 +Fixed dead links. 
Fix documentation to properly open the pdf. |
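Review bot: In the 20/01/2023 entry, the second example filename has mismatched quotes ("aaa$(xcalc).mp4' opens with a double quote and closes with a single quote), so it is unclear which characters belong to the crafted name; quote it the same way as the first example, 'aaa$(xcalc).mp4'. The same entry is missing a space after the full stop in "that.Bumped" and "abilities.If", and "every users can access to them and modify them" should read "every user can access and modify them". The advice for the first issue ("check the filename before converting") would be easier to act on if it named the characters the two examples rely on (the double quote, the semicolon and the $( ) substitution) as the ones to look for. For the second issue the entry offers no workaround; if none is known, saying so next to the upstream link (issue 242) is clearer than leaving it to the closing sentence. This view is limited to the changelog, so if the README does not already carry the same warning, it belongs there too, since users are more likely to read it before installing.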