ffmpeg: CVE-2015-8363 CVE-2015-8364 CVE-2015-8365

Debian Bug report logs - #806519
ffmpeg: CVE-2015-8363 CVE-2015-8364 CVE-2015-8365

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: ffmpeg: CVE-2015-8363 CVE-2015-8364 CVE-2015-8365

Date: Sat, 28 Nov 2015 11:28:47 +0100

Source: ffmpeg
Version: 7:2.8.2-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerabilities were published for ffmpeg.

CVE-2015-8363[0]:
| The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in
| FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does
| not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which
| allows remote attackers to cause a denial of service (out-of-bounds
| heap-memory access) or possibly have unspecified other impact via a
| crafted image with two or more of these markers.

CVE-2015-8364[1]:
| Integer overflow in the ff_ivi_init_planes function in
| libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x
| through 2.8.2 allows remote attackers to cause a denial of service
| (out-of-bounds heap-memory access) or possibly have unspecified other
| impact via crafted image dimensions in Indeo Video Interactive data.

CVE-2015-8365[2]:
| The smka_decode_frame function in libavcodec/smacker.c in FFmpeg
| before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not
| verify that the data size is consistent with the number of channels,
| which allows remote attackers to cause a denial of service
| (out-of-bounds array access) or possibly have unspecified other impact
| via crafted Smacker data.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8363
[1] https://security-tracker.debian.org/tracker/CVE-2015-8364
[2] https://security-tracker.debian.org/tracker/CVE-2015-8365

Regards,
Salvatore

Message #10 received at 806519@bugs.debian.org (full text, mbox, reply):

From: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>

To: Salvatore Bonaccorso <carnil@debian.org>, 806519@bugs.debian.org

Subject: Re: Bug#806519: ffmpeg: CVE-2015-8363 CVE-2015-8364 CVE-2015-8365

Date: Sat, 28 Nov 2015 11:34:57 +0100

Control: tag -1 pending

Hi Salvatore,

On 28.11.2015 11:28, Salvatore Bonaccorso wrote:
> the following vulnerabilities were published for ffmpeg.
> 
> CVE-2015-8363[0]:
> CVE-2015-8364[1]:
> CVE-2015-8365[2]:
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

That's already fixed in git, see [3].

Best regards,
Andreas

3: https://anonscm.debian.org/cgit/pkg-multimedia/ffmpeg.git/commit/?id=1acd88b486b5d1527c507d177026d584637cfe1a

Message #17 received at 806519@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>

Cc: 806519@bugs.debian.org

Subject: Re: Bug#806519: ffmpeg: CVE-2015-8363 CVE-2015-8364 CVE-2015-8365

Date: Sat, 28 Nov 2015 13:02:54 +0100

Hi Andreas,

On Sat, Nov 28, 2015 at 11:34:57AM +0100, Andreas Cadhalpun wrote:
> Control: tag -1 pending
> 
> Hi Salvatore,
> 
> On 28.11.2015 11:28, Salvatore Bonaccorso wrote:
> > the following vulnerabilities were published for ffmpeg.
> > 
> > CVE-2015-8363[0]:
> > CVE-2015-8364[1]:
> > CVE-2015-8365[2]:
> > 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> That's already fixed in git, see [3].

Thanks! I will update the security-tracker information with the fixed
version once it enters unstable.

Thanks for your work,

Regards,
Salvatore

Message #22 received at 806519-close@bugs.debian.org (full text, mbox, reply):

From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

To: 806519-close@bugs.debian.org

Subject: Bug#806519: fixed in ffmpeg 7:2.8.3-1

Date: Sat, 28 Nov 2015 12:34:01 +0000

Source: ffmpeg
Source-Version: 7:2.8.3-1

We believe that the bug you reported is fixed in the latest version of
ffmpeg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 806519@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (supplier of updated ffmpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 28 Nov 2015 11:39:49 +0100
Source: ffmpeg
Binary: ffmpeg ffmpeg-dbg ffmpeg-doc libavcodec-ffmpeg56 libavcodec-ffmpeg-extra56 libavcodec-extra libavcodec-dev libavdevice-ffmpeg56 libavdevice-dev libavfilter-ffmpeg5 libavfilter-dev libavformat-ffmpeg56 libavformat-dev libavresample-ffmpeg2 libavresample-dev libavutil-ffmpeg54 libavutil-dev libpostproc-ffmpeg53 libpostproc-dev libswresample-ffmpeg1 libswresample-dev libswscale-ffmpeg3 libswscale-dev libav-tools
Architecture: source
Version: 7:2.8.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Description:
 ffmpeg     - Tools for transcoding, streaming and playing of multimedia files
 ffmpeg-dbg - Debug symbols for the FFmpeg multimedia framework
 ffmpeg-doc - Documentation of the FFmpeg multimedia framework
 libav-tools - Compatibility links for libav-tools (transitional package)
 libavcodec-dev - FFmpeg library with de/encoders for audio/video codecs - developm
 libavcodec-extra - FFmpeg library with extra codecs (metapackage)
 libavcodec-ffmpeg-extra56 - FFmpeg library with additional de/encoders for audio/video codecs
 libavcodec-ffmpeg56 - FFmpeg library with de/encoders for audio/video codecs - runtime
 libavdevice-dev - FFmpeg library for handling input and output devices - developmen
 libavdevice-ffmpeg56 - FFmpeg library for handling input and output devices - runtime fi
 libavfilter-dev - FFmpeg library containing media filters - development files
 libavfilter-ffmpeg5 - FFmpeg library containing media filters - runtime files
 libavformat-dev - FFmpeg library with (de)muxers for multimedia containers - develo
 libavformat-ffmpeg56 - FFmpeg library with (de)muxers for multimedia containers - runtim
 libavresample-dev - FFmpeg compatibility library for resampling - development files
 libavresample-ffmpeg2 - FFmpeg compatibility library for resampling - runtime files
 libavutil-dev - FFmpeg library with functions for simplifying programming - devel
 libavutil-ffmpeg54 - FFmpeg library with functions for simplifying programming - runti
 libpostproc-dev - FFmpeg library for post processing - development files
 libpostproc-ffmpeg53 - FFmpeg library for post processing - runtime files
 libswresample-dev - FFmpeg library for audio resampling, rematrixing etc. - developme
 libswresample-ffmpeg1 - FFmpeg library for audio resampling, rematrixing etc. - runtime f
 libswscale-dev - FFmpeg library for image scaling and various conversions - develo
 libswscale-ffmpeg3 - FFmpeg library for image scaling and various conversions - runtim
Closes: 806519
Changes:
 ffmpeg (7:2.8.3-1) unstable; urgency=medium
 .
   * Switch debian/watch to xz instead of gz.
   * Import new upstream bugfix release 2.8.3.
     Fixes CVE-2015-8363, CVE-2015-8364 and CVE-2015-8365. (Closes: #806519)
   * Respect CC and CXX from the environment in debian/rules.
Checksums-Sha1:
 0f4e81bdbdb5ade110af1b17f44f72df3ca29bb2 4734 ffmpeg_2.8.3-1.dsc
 a6f39efe1bea9a9b271c903d3c1dcb940a510c87 7199216 ffmpeg_2.8.3.orig.tar.xz
 ed92b051f003da5aa0a59505f5c306fb392f1132 41348 ffmpeg_2.8.3-1.debian.tar.xz
Checksums-Sha256:
 a99a86ad728893913f04cb7cd6b74ddcfece8ba89307c28a3147282d1b722f0c 4734 ffmpeg_2.8.3-1.dsc
 18e22e3866d3b5fefcb1911c0d87ae8ababc30b7ea15901c1cf02885ccf6704a 7199216 ffmpeg_2.8.3.orig.tar.xz
 3595f2a91905dfdf1e6bf416a0fab7111992a67382bd0003eec253643f6cced5 41348 ffmpeg_2.8.3-1.debian.tar.xz
Files:
 f3051d407652a6c9ff2763497faff201 4734 video optional ffmpeg_2.8.3-1.dsc
 2af2723dd53364ac0635efd20cf6e34e 7199216 video optional ffmpeg_2.8.3.orig.tar.xz
 6137c4c5a35de9fdea7aebb3a2d6ab3d 41348 video optional ffmpeg_2.8.3-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWWYvxAAoJEPZk0la0aRp9i7MP/0i5iPSi0Num5UsgdunhU3jV
9Q/51uN73OT/noqVJULBVeTzp4tlb9s16z7Mt2G/YqJ2Vwi1uHoxu+uvIUZPqWKs
VG+lqoEJK5O1KsRG9R6zVH1X9Akbe9zum8Mk6AWgJOVzUb0Sry4kE8n7V6N21xcA
+ymQ8zPVU99P4k04pXgH7IGnRuY/1HRZ6yd6TSLEOrcn/ksp30YFRPRUUy+jknof
s5ax8Fpe3310Iwnj7nbuw9KCuBUwz+fAE1oZqKDYpb7XMTnqBDnM6P6MzTRSPHVb
Pcayqppc+L7CGwaOiB+T+QZXgfB+bxbRNvGSkS2Tttwwa9ZF6c5+9luHiOl7taSS
ntW0eeoUOQxD2wtPidp9z21yRggFSAPMk1RAbFws31dg0XyyE4TlVFbFymBJRRYo
YOqm3eX+zOQ+oGGq8dhs0n9RAK7Oohs5H7FPfzy+vpdpvYm4ZVnMQw+bwgajmxxV
reNVliLhvMY3V3L4V97Arsnk+Ky/olPxHYRdS2csp+b3n4d3U5QrK+qxub+3I1bG
ovFV9rR+7zjDZJnKpXyLxFTewECP3vxRIbor7mD+eJFreiV8pPWk1NyUsYsA4njh
PsJZvCzYt2Hjs5gJ2pswvcCtdTMHSkvHGUbqQk8yme2ZpLYWKT6OUXYi3fQI6x8Q
asSQtNgCmB3ttidB0o3M
=9Sqx
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.