ffmpeg: CVE-2020-35964

Debian Bug report logs - #980000
ffmpeg: CVE-2020-35964

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: ffmpeg: CVE-2020-35964

Date: Tue, 12 Jan 2021 19:11:06 +0100

Source: ffmpeg
Version: 7:4.3.1-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for ffmpeg.

CVE-2020-35964[0]:
| track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-
| bounds write because of incorrect extradata packing.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-35964
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35964
[1] https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7
[2] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26622

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #8 received at 980000-submitter@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <noreply@salsa.debian.org>

To: 980000-submitter@bugs.debian.org

Subject: Bug#980000 marked as pending in ffmpeg

Date: Tue, 12 Jan 2021 19:41:58 +0000

Control: tag -1 pending

Hello,

Bug #980000 in ffmpeg reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/multimedia-team/ffmpeg/-/commit/ad751149626f54ef8403774d242929792f4783c4

------------------------------------------------------------------------
Apply upstream fix for CVE-2020-35964

Closes: #980000
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/980000

Message #15 received at 980000-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 980000-close@bugs.debian.org

Subject: Bug#980000: fixed in ffmpeg 7:4.3.1-6

Date: Tue, 12 Jan 2021 20:33:30 +0000

Source: ffmpeg
Source-Version: 7:4.3.1-6
Done: Sebastian Ramacher <sramacher@debian.org>

We believe that the bug you reported is fixed in the latest version of
ffmpeg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 980000@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated ffmpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Jan 2021 20:48:08 +0100
Source: ffmpeg
Architecture: source
Version: 7:4.3.1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 979999 980000
Changes:
 ffmpeg (7:4.3.1-6) unstable; urgency=medium
 .
   * Team upload
   * debian/control:
     - Bump Standards-Version
     - Drop obsolete Build-Depends
     - Switch to libfontconfig-dev and libfreetype-dev
   * debian/patches:
     - Fix out-of-bounds write in libavcodec/exr.c (Closes: #980000)
       (CVE-2020-35964)
     - Fix out-of-bounds write in libavcodec/vividas.c (Closes: #979999)
       (CVE-2020-35965)
Checksums-Sha1:
 f4d71c30cf8b46b3e0b92a10140c55935a1905c2 5369 ffmpeg_4.3.1-6.dsc
 b8e3601cf67d6a647d45ad4ae554cf011e49e075 90292 ffmpeg_4.3.1-6.debian.tar.xz
Checksums-Sha256:
 260e967ede8c0dc393ab80ea16ec3220fb2cbcf6a9e1fa34f0493e653976dc4e 5369 ffmpeg_4.3.1-6.dsc
 0df3d8d4ed4785b795848caf148571268e58c739be28e8fe24c4d0726d482834 90292 ffmpeg_4.3.1-6.debian.tar.xz
Files:
 002cfa5047ca37644f17b3cc94e6e318 5369 video optional ffmpeg_4.3.1-6.dsc
 d0a62ba671a2af7dd84598d71797f2f5 90292 video optional ffmpeg_4.3.1-6.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE94y6B4F7sUmhHTOQafL8UW6nGZMFAl/+BykACgkQafL8UW6n
GZOSxA/+Ok5J1i3HYUXDrmO6rKs2RT45VzJveNKHVyp5QdadchWkIzvz6YyqszJr
55wk4BkVTsygdfYsapmGc1DGbUZEEuaRXKKTXGGZPhmkUlaCyE3hzwiPeMEJ6TAF
oUsdPWviZa2TqQjyPDvKTZ7Sg5gQCU/5SoSE1REGi2gCmSnXpmG8i3PU+PwJ9DVT
QVj/jKuCwj9vdf7uJq/N9o7vc5jvMuOP6+cSsH/0ASaLmIl6NViCDWCa+PKWUEdJ
YHanHNaDeBR+GpqxNbCZw/LO2SvX3L4w3KCuTC9fYXAdZorOzW8b69cUSdLiR8T9
er3eeFWfEBClj6ILrNnGkF7Ig4hz0dQ7qEMmzOAnV/2B9PHZduIr4rWcDH9r5e0P
iHwOElYA6RfVYj7NRPgLP4EZIBkd/Xegk2XPF1ESIh+0GbseBtDaS0h4tdEgM5dQ
MDXUfLmMUKEOiTAwKpZVCLv45zS2QMAfyZiORBXGFq3kw2mkGtCW+9jq4FTJJJqx
n/3NyM4Jx6mjNlTD8U5BJukgIswBEViA/alYWMO8Y5cWl5TPYUY9DcbzNxEVeQr/
6/Im55Oc+8CKIN+ERmSeiUGskHFvDw1bOHr2d/eCINjtb4Evny671Z5jFWYDvEPc
YraF4a2/BsGgRycMu4VIcMi0XvuUGBejZSZGoFt7Jd3FuQjIxzo=
=Oje9
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.