Diffstat (limited to 'multimedia/winff/changelog')
-rw-r--r-- multimedia/winff/changelog | 56
1 files changed, 56 insertions, 0 deletions
diff --git a/multimedia/winff/changelog b/multimedia/winff/changelog
index 6da305c6fb..e464b2ee64 100644
--- a/multimedia/winff/changelog
+++ b/multimedia/winff/changelog
@@ -70,3 +70,59 @@ in slackware.
This build removes all other localization files except english
since it contains outdated links and may pose security risk.
Bumped the build no.
+
+20/01/2023:
+
+Fixed $ARCH issue for 32-bit systems. freepascal supports i386
+only. The SlackBuild is modified to reflect that.Bumped the
+build no.
+
+Users of WinFF must be aware of these two security issues that are
+still unresolved upstream.
+
+a. The first one is due to the way filenames are inserted in the
+temporary shell scripts generated to convert the media. Due to the
+lack of character escaping, it is possible to insert system command using
+specially crafted filename such as 'aaa";xcalc;".avi' or "aaa$(xcalc).mp4'
+Thus leading to an arbitrary command execution.
+
+b. The second issue is related to the permission of this temporary shell
+script. every users can access to them and modify them. Even if those files
+are only temporary and launched right after generation, it leads to a
+race-condition case where another user may try to replace the script content
+before its execution in order to execute its own command with the winff
+user permission.
+
+you can read about this issue here:
+https://github.com/WinFF/winff/issues/242
+
+As for first issue check the filename before converting otherwise it
+will compromise your system and don't download from untrusted sources.
+For the second I have no clue and this is beyond my abilities.If you have
+a patch for these issue feel free to send it to me.
+
+
+11/01/2024:
+
+Upgraded to the latest git commit 31b79e3.
+
+22/01/2024:
+
+Added -pie and -zdefs hardening flags to linker.
+Bumped the build no.
+
+27/02/2024:
+
+Updated to version 1.6.3
+
+03/03/2024:
+
+Resubmit to SBo
+Modify the SlackBuild to avoid creating object code files to /usr/share/lazarus
+when compiling winff and remove unused function in doinst.sh Thanks to Andrew Clemons
+for pointing it out.
+
+27/04/2024:
+
+Updated to version 1.6.4
+Fixed dead links. Fix documentation to properly open the pdf.
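Review bot: In the 20/01/2023 entry, the advice for issue (a), "check the filename before converting", does not say what to check for, and the second sample filename is quoted inconsistently ("aaa$(xcalc).mp4' opens with a double quote and closes with a single quote). Suggest naming the characters the two examples rely on (double quote, semicolon, and $( ) command substitution) so users know which filenames to rename before conversion, and quoting both examples the same way. The 27/02/2024 and 27/04/2024 entries update to 1.6.3 and 1.6.4 without saying whether the two issues tracked at https://github.com/WinFF/winff/issues/242 still apply; a one-line status in those entries would tell users whether the warning is still current. Minor: a space is missing after the full stop in "reflect that.Bumped" and in "my abilities.If".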