libavcodec53: CVEs CVE-2013-0844 to CVE-2013-0874, CVE-2013-3670, CVE-2013-3672, CVE-2013-3674

Debian Bug report logs - #717009

Package: libavcodec53; Maintainer for libavcodec53 is (unknown);

Reported by: Arne Wichmann <aw@linux.de>

Date: Tue, 16 Jul 2013 00:21:02 UTC

Severity: important

Tags: security

Found in version libav/6:0.8.7-1

Fixed in version libav/6:9.9-1

Done: Reinhard Tartler <siretart@tauware.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#717009; Package libavcodec53. (Tue, 16 Jul 2013 00:21:06 GMT).


Acknowledgement sent to Arne Wichmann <aw@linux.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 16 Jul 2013 00:21:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Arne Wichmann <aw@linux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libavcodec53: CVEs CVE-2013-0844 to CVE-2013-0874, CVE-2013-3670, CVE-2013-3672, CVE-2013-3674
Date: Tue, 16 Jul 2013 02:14:18 +0200
Package: libavcodec53
Version: 6:0.8.7-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

I have here another series of CVEs for libav. Some of these are fixed, some
of these I was not able to check. Those without comment were checked by me
and seem valid - at least to me.

CVE-2013-0845
CVE-2013-0846
CVE-2013-0847 - vim '+/while (avio_tell(s->pb) < end' libavformat/id3v2.c
  above command brings you to the suspected problem position in libav, the
  problem looks solved to me
  This one is actually for libavformat, but I include it here for simplicity
CVE-2013-0848 - I was not able to find the problem in libav
CVE-2013-0849 - fixed in experimental
CVE-2013-0850 - seems fixed in experimental
CVE-2013-0851
CVE-2013-0852
CVE-2013-0853
CVE-2013-0854 - fixed in experimental
CVE-2013-0855 - looks invalid as the problem is checked in alac_set_info
CVE-2013-0856
CVE-2013-0857
CVE-2013-0858 - I was not able to find the problem in libav
CVE-2013-0860 - I was not able to find the problem in libav
CVE-2013-0861
CVE-2013-0865 - fixed in experimental
CVE-2013-0866 - looks fixed. am I correct?
CVE-2013-0867 - I was not able to find the problem in libav
CVE-2013-0868
CVE-2013-0869 - looks fixed. am I correct?
CVE-2013-0870 - seems to be invalid - relevant code fragment is not present
  in libav
CVE-2013-0873 - looks fixed. am I correct?
CVE-2013-0874 - seems to be invalid - relevant code fragment is not present
  in libav
CVE-2013-3670 looks valid - libav commits given in security tracker fix
  different things AFAICS
CVE-2013-3672
CVE-2013-3674

I hope these cases are a bit more well-defined than those I sent in January.

cu soon, hopefully,

AW

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9.8 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages libavcodec53 depends on:
ii  libavutil51            6:0.8.7-1
ii  libc6                  2.17-7
ii  libdirac-encoder0      1.0.2-6
ii  libgsm1                1.0.13-4
ii  libmp3lame0            3.99.5+repack1-3
ii  libopenjpeg2           1.3+dfsg-4.6
ii  libschroedinger-1.0-0  1.0.11-2
ii  libspeex1              1.2~rc1-7
ii  libtheora0             1.1.1+dfsg.1-3.1
ii  libva1                 1.1.1-3
ii  libvorbis0a            1.3.2-1.3
ii  libvorbisenc2          1.3.2-1.3
ii  libvpx1                1.2.0-2
ii  libx264-123            2:0.123.2189+git35cf912-1
ii  libxvidcore4           2:1.3.2-9
ii  multiarch-support      2.17-7
ii  zlib1g                 1:1.2.8.dfsg-1

libavcodec53 recommends no packages.

libavcodec53 suggests no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#717009; Package libavcodec53. (Wed, 14 Aug 2013 05:42:07 GMT).


Acknowledgement sent to shirish शिरीष <shirishag75@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 14 Aug 2013 05:42:07 GMT).


Message #10 received at 717009@bugs.debian.org:

From: shirish शिरीष <shirishag75@gmail.com>
To: 717009@bugs.debian.org
Cc: 706798@bugs.debian.org
Subject: Any update on those security hole bugs of libav9 ?
Date: Wed, 14 Aug 2013 11:08:46 +0530
Hi all,
With the planned transition of libav9 i.e. #706798 would the security
holes be fixed as well ?
-- 
          Regards,
          Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
065C 6D79 A68C E7EA 52B3  8D70 950D 53FB 729A 8B17



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#717009; Package libavcodec53. (Thu, 15 Aug 2013 16:45:21 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 15 Aug 2013 16:45:21 GMT).


Message #15 received at 717009@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: shirish शिरीष <shirishag75@gmail.com>
Cc: 717009@bugs.debian.org, 706798@bugs.debian.org
Subject: Re: Any update on those security hole bugs of libav9 ?
Date: Thu, 15 Aug 2013 18:36:33 +0200
severity 717009 important
thanks

On Wed, Aug 14, 2013 at 11:08:46AM +0530, shirish शिरीष wrote:
> Hi all,
> With the planned transition of libav9 i.e. #706798 would the security
> holes be fixed as well ?

This is currently being worked out with upstream. Most are fixed by now
or only affect ffmpeg, not libav. For details see the Debian security
tracker. CVE assignments for libav/ffmpeg are a bit murky since the code
bases have diverged.

Cheers,
        Moritz



Severity set to 'important' from 'grave' Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Wed, 28 Aug 2013 15:57:07 GMT).


Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility. (Tue, 08 Oct 2013 00:21:05 GMT).


Notification sent to Arne Wichmann <aw@linux.de>:
Bug acknowledged by developer. (Tue, 08 Oct 2013 00:21:05 GMT).


Message #22 received at 717009-close@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: 717009-close@bugs.debian.org
Subject: Bug#717009: fixed in libav 6:9.9-1
Date: Tue, 08 Oct 2013 00:18:39 +0000
Source: libav
Source-Version: 6:9.9-1

We believe that the bug you reported is fixed in the latest version of
libav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 717009@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated libav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 07 Oct 2013 18:07:14 -0400
Source: libav
Binary: libav-tools libav-dbg libav-doc libavutil52 libavcodec54 libavdevice53 libavformat54 libavfilter3 libswscale2 libavutil-dev libavcodec-dev libavdevice-dev libavformat-dev libavfilter-dev libswscale-dev libavresample-dev libavresample1 libavutil-extra-52 libavcodec-extra-54 libavdevice-extra-53 libavfilter-extra-3 libavformat-extra-54 libswscale-extra-2 libavcodec-extra
Architecture: source all amd64
Version: 6:9.9-1
Distribution: experimental
Urgency: low
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description: 
 libav-dbg  - Debug symbols for Libav related packages
 libav-doc  - Documentation of the Libav API
 libav-tools - Multimedia player, server, encoder and transcoder
 libavcodec-dev - Development files for libavcodec
 libavcodec-extra - Libav codec library (additional codecs meta-package)
 libavcodec-extra-54 - Libav codec library (additional codecs)
 libavcodec54 - Libav codec library
 libavdevice-dev - Development files for libavdevice
 libavdevice-extra-53 - Libav device handling library (transitional package)
 libavdevice53 - Libav device handling library
 libavfilter-dev - Development files for libavfilter
 libavfilter-extra-3 - Libav filter library (transitional package)
 libavfilter3 - Libav video filtering library
 libavformat-dev - Development files for libavformat
 libavformat-extra-54 - Libav file format library (transitional package)
 libavformat54 - Libav file format library
 libavresample-dev - Development files for libavresample
 libavresample1 - Libav audo resampling library
 libavutil-dev - Development files for libavutil
 libavutil-extra-52 - Libav utility library (transitional package)
 libavutil52 - Libav utility library
 libswscale-dev - Development files for libswscale
 libswscale-extra-2 - Libav video software scaling library (transitional package)
 libswscale2 - Libav video scaling library
Closes: 717009
Changes: 
 libav (6:9.9-1) experimental; urgency=low
 .
   * New upstream release 9.9
   * Too many security related upstream changes to list here, please cf. to
     upstream changelog. Closes: #717009

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Debian Powered!

iEYEARECAAYFAlJTNG0ACgkQmAg1RJRTSKS62gCeMjgkAjw82vvjJnV7BzpFn7GR
Xi8AnitSItS/m/xT/eZchHR6tGiyWgb8
=LeWW
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#717009; Package libavcodec53. (Tue, 29 Oct 2013 14:48:09 GMT).


Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 29 Oct 2013 14:48:09 GMT).


Message #27 received at 717009@bugs.debian.org:

From: Arne Wichmann <aw@anhrefn.saar.de>
To: 717009@bugs.debian.org
Subject: Re: Bug#717009 closed by Reinhard Tartler <siretart@tauware.de> (Bug#717009: fixed in libav 6:9.9-1)
Date: Mon, 28 Oct 2013 20:34:27 +0100
Hi!

begin  quotation  from Debian Bug Tracking System (in <handler.717009.D717009.138119152026841.notifdone@bugs.debian.org>):
> This is an automatic notification regarding your Bug report
> which was filed against the libavcodec53 package:
> 
> #717009: libavcodec53: CVEs CVE-2013-0844 to CVE-2013-0874, CVE-2013-3670, CVE-2013-3672, CVE-2013-3674
> 
> It has been closed by Reinhard Tartler <siretart@tauware.de>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Reinhard Tartler <siretart@tauware.de> by
> replying to this email.

some of these still do not seem fixed to me...

> Date: Tue, 16 Jul 2013 02:14:18 +0200
> From: Arne Wichmann <aw@linux.de>
> To: Debian Bug Tracking System <submit@bugs.debian.org>
> Subject: libavcodec53: CVEs CVE-2013-0844 to CVE-2013-0874, CVE-2013-3670,
>  CVE-2013-3672, CVE-2013-3674
> X-Mailer: reportbug 6.4.4

Namely the following:

> CVE-2013-0845
> CVE-2013-0851
> CVE-2013-0852
> CVE-2013-0868
> CVE-2013-3670 looks valid - libav commits given in security tracker fix
>   different things AFAICS
> CVE-2013-3672
> CVE-2013-3674

Are these irrelevant for libav?

Furthermore:

> CVE-2013-0848 - I was not able to find the problem in libav
> CVE-2013-0860 - I was not able to find the problem in libav

Can I consider these fixed?

And finally - is there a chance that we get a fixed version for stable,
too?

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Nov 2013 07:26:13 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:00:24 2019; Machine Name: beach
