libav: multiple CVEs in ffmpeg/libav

Debian Bug report logs - #688847

Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Wed, 26 Sep 2012 08:27:01 UTC

Severity: grave

Tags: security

Fixed in versions libav/6:9~beta1-1, libav/6:0.8.4-1

Done: Reinhard Tartler <siretart@tauware.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#688847; Package src:libav. (Wed, 26 Sep 2012 08:27:04 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 26 Sep 2012 08:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libav: multiple CVEs in ffmpeg/libav
Date: Wed, 26 Sep 2012 10:22:19 +0200

Source: libav
Severity: grave
Justification: user security hole

Hi,

it seems that a huge pile of CVEs were allocated for ffmpeg/libav and are
supposed to be fixed in 0.11:

CVE-2012-2772

CVE-2012-2774
CVE-2012-2775
CVE-2012-2776
CVE-2012-2777

CVE-2012-2779

CVE-2012-2782
CVE-2012-2783
CVE-2012-2784
CVE-2012-2785
CVE-2012-2786
CVE-2012-2787
CVE-2012-2788
CVE-2012-2789
CVE-2012-2790
CVE-2012-2791
CVE-2012-2792
CVE-2012-2793
CVE-2012-2794
CVE-2012-2795
CVE-2012-2796
CVE-2012-2797
CVE-2012-2798
CVE-2012-2799
CVE-2012-2800
CVE-2012-2801
CVE-2012-2802
CVE-2012-2803
CVE-2012-2804

As far as I can tell you're already aware of that, so it's just a
tracking bug.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Bug 688847 cloned as bug 688849. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 26 Sep 2012 08:48:02 GMT)


Added tag(s) security. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 26 Sep 2012 09:09:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#688847; Package src:libav. (Sun, 14 Oct 2012 21:03:05 GMT)


Acknowledgement sent to Reinhard Tartler <siretart@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 14 Oct 2012 21:03:05 GMT)


Message #14 received at 688847@bugs.debian.org:

From: Reinhard Tartler <siretart@gmail.com>
To: Yves-Alexis Perez <corsac@debian.org>, 688847@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#688847: libav: multiple CVEs in ffmpeg/libav
Date: Sun, 14 Oct 2012 17:00:54 -0400

On Wed, Sep 26, 2012 at 4:22 AM, Yves-Alexis Perez <corsac@debian.org> wrote:
> Source: libav
> Severity: grave
> Justification: user security hole
>
> Hi,
>
> it seems that a huge pile of CVEs were allocated for ffmpeg/libav

short status update:

Most/all of the CVEs have now been backported upstream. Before
releasing 0.8.4, I need to review the list to ensure that nothing was
forgotten. You can help with this by reviewing the list here:

http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.8

-- 
regards,
    Reinhard



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#688847; Package src:libav. (Mon, 15 Oct 2012 07:45:09 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Mon, 15 Oct 2012 07:45:09 GMT)


Message #19 received at 688847@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Reinhard Tartler <siretart@gmail.com>
Cc: Yves-Alexis Perez <corsac@debian.org>, 688847@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#688847: libav: multiple CVEs in ffmpeg/libav
Date: Mon, 15 Oct 2012 09:39:39 +0200

On Sun, Oct 14, 2012 at 05:00:54PM -0400, Reinhard Tartler wrote:
> On Wed, Sep 26, 2012 at 4:22 AM, Yves-Alexis Perez <corsac@debian.org> wrote:
> > Source: libav
> > Severity: grave
> > Justification: user security hole
> >
> > Hi,
> >
> > it seems that a huge pile of CVEs were allocated for ffmpeg/libav
> 
> short status update:
> 
> Most/all of the CVEs have now been backported upstream. Before
> releasing 0.8.4, I need to review the list to ensure that nothing was
> forgotten. You can help with this by reviewing the list here:
> 
> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.8

Hi Reinhard,
I double-checked the list and the following CVE IDs fixed in the ffmpeg
0.11 release are not yet present in the 0.8 git branch (some are ffmpeg-specific
I suppose):

CVE-2012-2774, 59a4b73531428d2f420b4dad545172c8483ced0f
CVE-2012-2782, 9a57a37b7041581c10629c8241260a5d7bfbc1e7
CVE-2012-2783, d85b3c4fff4c4b255232fcc01edbd57f19d60998
CVE-2012-2785, 326f7a68bbd429c63fd2f19f4050658982b5b081
               d462949974668ffb013467d12dc4934b9106fe19
CVE-2012-2790, 2837d8dc276760db1821b81df3f794a90bfa56e6
CVE-2012-2791, 0846719dd11ab3f7a7caee13e7af71f71d913389
CVE-2012-2792, d442c4462a2692e27a24e1a9d0eb6f18725c7bd8
CVE-2012-2795, a0abefb0af64a311b15141062c77dd577ba590a3
               2a7063de547b1d8fb1cef523469390fb59fb2c50
               b3a43515827f3d22a881c33b87384f01c86786fd
CVE-2012-2796, 5e59a77cec804a9b44c60ea22c17beba6453ef23
CVE-2012-2797, cca9528524c7a4b91451f4322bd50849af5d057e
CVE-2012-2799, 64bd7f8e4db1742e86c5ed02bd530688b74063e3
CVE-2012-2803, 951cbea56fdc03ef96d07fbd7e5bed755d42ac8a
CVE-2012-2804, 4a80ebe491609e04110a1dd540a0ca79d3be3d04

None of these are merged into 0.5.x, has the code diverged so much?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#688847; Package src:libav. (Mon, 15 Oct 2012 09:42:06 GMT)


Acknowledgement sent to Reinhard Tartler <siretart@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Mon, 15 Oct 2012 09:42:06 GMT)


Message #24 received at 688847@bugs.debian.org:

From: Reinhard Tartler <siretart@gmail.com>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Yves-Alexis Perez <corsac@debian.org>, 688847@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#688847: libav: multiple CVEs in ffmpeg/libav
Date: Mon, 15 Oct 2012 05:38:37 -0400

On Mon, Oct 15, 2012 at 3:39 AM, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> On Sun, Oct 14, 2012 at 05:00:54PM -0400, Reinhard Tartler wrote:
>> On Wed, Sep 26, 2012 at 4:22 AM, Yves-Alexis Perez <corsac@debian.org> wrote:
>> > Source: libav
>> > Severity: grave
>> > Justification: user security hole
>> >
>> > Hi,
>> >
>> > it seems that a huge pile of CVEs were allocated for ffmpeg/libav
>>
>> short status update:
>>
>> Most/all of the CVEs have now been backported upstream. Before
>> releasing 0.8.4, I need to review the list to ensure that nothing was
>> forgotten. You can help with this by reviewing the list here:
>>
>> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.8
>
> Hi Reinhard,
> I double-checked the list and the following CVE IDs fixed in the ffmpeg
> 0.11 release are not yet present in the 0.8 git branch (some are ffmpeg-specific
> I suppose):
>
> CVE-2012-2774, 59a4b73531428d2f420b4dad545172c8483ced0f
> CVE-2012-2782, 9a57a37b7041581c10629c8241260a5d7bfbc1e7
> CVE-2012-2783, d85b3c4fff4c4b255232fcc01edbd57f19d60998
> CVE-2012-2785, 326f7a68bbd429c63fd2f19f4050658982b5b081
>                d462949974668ffb013467d12dc4934b9106fe19
> CVE-2012-2790, 2837d8dc276760db1821b81df3f794a90bfa56e6
> CVE-2012-2791, 0846719dd11ab3f7a7caee13e7af71f71d913389
> CVE-2012-2792, d442c4462a2692e27a24e1a9d0eb6f18725c7bd8
> CVE-2012-2795, a0abefb0af64a311b15141062c77dd577ba590a3
>                2a7063de547b1d8fb1cef523469390fb59fb2c50
>                b3a43515827f3d22a881c33b87384f01c86786fd
> CVE-2012-2796, 5e59a77cec804a9b44c60ea22c17beba6453ef23
> CVE-2012-2797, cca9528524c7a4b91451f4322bd50849af5d057e
> CVE-2012-2799, 64bd7f8e4db1742e86c5ed02bd530688b74063e3
> CVE-2012-2803, 951cbea56fdc03ef96d07fbd7e5bed755d42ac8a
> CVE-2012-2804, 4a80ebe491609e04110a1dd540a0ca79d3be3d04

Those are commits from ffmpeg, and do not necessarily apply to libav
as well. Our current working list looks like this:

fixed:
    CVE-2012-2772 (cb7190cd2c691fd93e4d3664f3fce6c19ee001dd)
    CVE-2012-2775 (9853e41aa0a6cfff629ff7009685eb8bf8d64e7f)
    CVE-2012-2777 (c20a69630619d14ae92c5541d52c579d7c8f3e94)
    CVE-2012-2779 (891918431db628db17885ed947ee387b29826a64)
    CVE-2012-2784 (same as CVE-2012-2777)
    CVE-2012-2785 (326f7a68bbd429c63fd2f19f4050658982b5b081
                   d462949974668ffb013467d12dc4934b9106fe19)
    CVE-2012-2786 (ee715f49a06bf3898246d01b056284a9bb1bcbb9)
    CVE-2012-2787 (b146d74730ab9ec5abede9066f770ad851e45fbc)
    CVE-2012-2788 (0af49a63c7f87876486ab09482d5b26b95abce60)
    CVE-2012-2789 (99f392a584dd10b553facc8e819f2c7e982e176d)
    CVE-2012-2790 (66197988b1ee914825afbc3084e6da63f862068a)
    CVE-2012-2792 (065b3a1cfa3f23aedf76244b3f3883ba913173ff)
    CVE-2012-2793 (b631e4ed64f7d1b9ca8f897fda31140e8d1fad81)
    CVE-2012-2796 (1100acbab26883007898c53efeb289f562c6e514)
    CVE-2012-2776 (e4d4044339b9c3b0f45f7203cd026eda3c0414c0)
    CVE-2012-2794 (2d09cdbaf2f449ba23d54e97e94bd97ca22208c6)
    CVE-2012-2800 (ae3da0ae5550053583a6f281ea7fd940497ea0d1)
    CVE-2012-2795 (607f57152c59bcec26caaf2060a86d96f76c4e8b
                   f48fbf2eb5ba7015c65b31c266edf399dd6a82b1
                   6a99310fce49f51773ab7d8ffa4f4748bbf58db9)
    CVE-2012-2798 (d05f72c75445969cd7bdb1d860635c9880c67fb6)
    CVE-2012-2799 (d65d8347314b645051e336aed141aaf32a6c0d02)
    CVE-2012-2801 (85f477935cd6b34e6ec2716b20e15ce748277a89)

submitted:
    CVE-2012-2783 (has been oked, but looks shady)

invalid?:
    CVE-2012-2774 -- ffmpeg fix is not a fix, it's unclear what real issue it is supposed to fix
    CVE-2012-2804 -- same as above
    CVE-2012-2782 -- Ronald says it does not apply to us
    CVE-2012-2797 -- Justin says it's completely wrong
    CVE-2012-2803 -- looks very shady

other:
    CVE-2012-2791 (0846719dd11ab3f7a7caee13e7af71f71d913389) -- needs input from kostya
    CVE-2012-2802 -- Justin said he'd fix it differently

>
> None of these are merged into 0.5.x, has the code diverged so much?

I arrived only today from my two week trip and will work on backports
for 0.7-0.5 this week. Sorry for the delay.

Cheers,
Reinhard

-- 
regards,
    Reinhard
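
Added example (not part of the bug log or of any message in it): a Python check that reconciles the CVE IDs from the original report against the working list in message #24 and against the CVE IDs named in the 6:0.8.4-1 changelog further down this log. The function names are hypothetical, and the working list is transcribed with commit hashes omitted and the "fixed" entries condensed onto fewer lines.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# IDs listed in the original report (message #5): 2772, 2774-2777, 2779, 2782-2804.
REPORTED = [f"CVE-2012-{n}"
            for n in (2772, *range(2774, 2778), 2779, *range(2782, 2805))]

# Maintainer's working list (message #24), transcribed with commit hashes
# omitted and the "fixed" entries condensed onto fewer lines.
WORKING_LIST = """
fixed:
    CVE-2012-2772 CVE-2012-2775 CVE-2012-2777 CVE-2012-2779
    CVE-2012-2784 (same as CVE-2012-2777)
    CVE-2012-2785 CVE-2012-2786 CVE-2012-2787 CVE-2012-2788
    CVE-2012-2789 CVE-2012-2790 CVE-2012-2792 CVE-2012-2793
    CVE-2012-2796 CVE-2012-2776 CVE-2012-2794 CVE-2012-2800
    CVE-2012-2795 CVE-2012-2798 CVE-2012-2799 CVE-2012-2801
submitted:
    CVE-2012-2783 (has been oked, but looks shady)
invalid?:
CVE-2012-2774 -- ffmpeg fix is not a fix, it's unclear what real issue
it is supposed to fix
CVE-2012-2804 -- same as above
CVE-2012-2782 -- Ronald says it does not apply to us
CVE-2012-2797 -- Justin says it's completely wrong
CVE-2012-2803 -- looks very shady
other:
CVE-2012-2791 -- needs input from kostya
CVE-2012-2802 -- Justin said he'd fix it differently
"""

# Codec fix list from the libav 6:0.8.4-1 changelog, as it appears in this log.
CHANGELOG_0_8_4 = """
     - h464 (Bug 118), vc1dec (CVE-2012-2796), sipr, bmpdec (bug 367), alsdec
       (CVE-2012-2775), rv34/rv40 (CVE-2012-2772), indeo3/indeo4
       (CVE-2012-2776, CVE-2012-2779, CVE-2012-2787, CVE-2012-2794,
       CVE-2012-2800), vorbisenc, vorbisdec (Bug 277), snow, ac3dec
       (CVE-2012-2802), avsdec (CVE-2012-2801), dfa (CVE-2012-2786,
       CVE-2012-2798), lagrith (CVE-2012-2793), wmaprodec (CVE-2012-2789 &
       Bug 327), avidec (CVE-2012-2788, CVE-2012-2790), cavsdec
       (CVE-2012-2777, CVE-2012-2784), wav (Bug 379), yuff4mpeg (Bug 373),
       mpegaudio, tiffenc, smacker (Bug 265).
"""


def parse_working_list(text):
    """Return ({cve: section}, {cve: cve_it_duplicates}) for a status list."""
    status, aliases, section = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"([a-z]+\??):", line)
        if header:  # "fixed:", "submitted:", "invalid?:", "other:"
            section = header.group(1)
            continue
        alias = re.search(
            rf"({CVE_RE.pattern}) \(same as ({CVE_RE.pattern})\)", line)
        if alias:
            aliases[alias.group(1)] = alias.group(2)
        # Notes in parentheses or after " -- " may mention other CVEs; only
        # the IDs in front of them are entries of the current section.
        entries = re.sub(r"\(.*?\)", "", line.split(" -- ")[0])
        for cve in CVE_RE.findall(entries):
            if section is None or cve in status:
                raise ValueError(f"unsectioned or duplicate entry: {cve}")
            status[cve] = section
    return status, aliases


def reconcile(reported, status, changelog_ids):
    """Compare report, triage list and release changelog by CVE ID."""
    reported, tracked = set(reported), set(status)
    fixed = {cve for cve, sec in status.items() if sec == "fixed"}
    return {
        "untracked": sorted(reported - tracked),       # reported, never triaged
        "unreported": sorted(tracked - reported),      # triaged, never reported
        "not_marked_fixed": sorted(reported - fixed),  # still open or disputed
        "fixed_but_unnamed": sorted(fixed - changelog_ids),
        "named_but_not_fixed": sorted(changelog_ids - fixed),
    }


def audit():
    """Run the reconciliation over the data transcribed from this log."""
    status, _aliases = parse_working_list(WORKING_LIST)
    return reconcile(REPORTED, status, set(CVE_RE.findall(CHANGELOG_0_8_4)))


if __name__ == "__main__":
    for key, ids in audit().items():
        print(f"{key:20} {len(ids):2}  {' '.join(ids)}")
```

An ID listed under `fixed_but_unnamed` is only absent from the changelog text; this log does not say whether the release contains its fix.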



Added tag(s) pending. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 16 Oct 2012 19:06:06 GMT)


Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility. (Sat, 20 Oct 2012 11:03:13 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Sat, 20 Oct 2012 11:03:13 GMT)


Message #31 received at 688847-close@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: 688847-close@bugs.debian.org
Subject: Bug#688847: fixed in libav 6:9~beta1-1
Date: Sat, 20 Oct 2012 11:00:09 +0000

Source: libav
Source-Version: 6:9~beta1-1

We believe that the bug you reported is fixed in the latest version of
libav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 688847@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated libav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 16 Oct 2012 18:38:46 +0200
Source: libav
Binary: libav-tools libav-dbg libav-doc libavutil51 libavcodec54 libavdevice53 libavformat54 libavfilter3 libswscale2 libavutil-dev libavcodec-dev libavdevice-dev libavformat-dev libavfilter-dev libswscale-dev libavresample-dev libavresample0 libavutil-extra-51 libavcodec-extra-54 libavdevice-extra-53 libavfilter-extra-3 libavformat-extra-54 libswscale-extra-2
Architecture: source amd64 all
Version: 6:9~beta1-1
Distribution: experimental
Urgency: low
Maintainer: Reinhard Tartler <siretart@debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description: 
 libav-dbg  - Debug symbols for Libav related packages
 libav-doc  - Documentation of the Libav API
 libav-tools - Multimedia player, server, encoder and transcoder
 libavcodec-dev - Development files for libavcodec
 libavcodec-extra-54 - Libav codec library (additional codecs)
 libavcodec54 - Libav codec library
 libavdevice-dev - Development files for libavdevice
 libavdevice-extra-53 - Libav device handling library (transitional package)
 libavdevice53 - Libav device handling library
 libavfilter-dev - Development files for libavfilter
 libavfilter-extra-3 - Libav filter library (transitional package)
 libavfilter3 - Libav video filtering library
 libavformat-dev - Development files for libavformat
 libavformat-extra-54 - Libav file format library (transitional package)
 libavformat54 - Libav file format library
 libavresample-dev - Development files for libavresample
 libavresample0 - Libav audo resampling library
 libavutil-dev - Development files for libavutil
 libavutil-extra-51 - Libav utility library (transitional package)
 libavutil51 - Libav utility library
 libswscale-dev - Development files for libswscale
 libswscale-extra-2 - Libav video software scaling library (transitional package)
 libswscale2 - Libav video scaling library
Closes: 671934 674139 679542 680602 681491 683895 688847
Changes: 
 libav (6:9~beta1-1) experimental; urgency=low
 .
   [ Fabian Greffrath ]
   * Imported Upstream version 6:0.8.99-3213-gd16860a
 .
   [ Andres Mejia ]
   * Update libav-doc doc base. (Closes: #674139)
 .
   [ Fabian Greffrath ]
   * Use the cond_enable() macro for all additional features in
     debian/confflags.
   * Tidy up and sort configuration flags.
   * Add a debian/README.source file that describes how to rebuild libav with a
     reduced feature set in order to avoid circular build-dependencies for
     bootstrapping.
   * Restrict Build-Depends to "yasm [any-amd64 any-i386]" and explicitely
     disable it if not found.
 .
   [ Reinhard Tartler ]
   * add dependency on libavcodec54 to libav-dbg
   * add Pre-Depend on dpkg to libav-tools to ensure smooth updates
   * libav-tools.install: make files to install more explicit
 .
   [ Loïc Minier ]
   * Install the shared flavor last
   * control/Uploaders: update my email address
 .
   [ Reinhard Tartler ]
   * Declare a 'Breaks' relationship against mplayer, Closes: #671934
   * Bug fix: "Multi-Arch: foreign libraries", thanks to Stepan Golosunov.
   * Remove Multi-arch header from the empty, transitional -extra- packages
 .
   [ Fabian Greffrath ]
   * Mention qt-faststart in the long description (Closes: #681491.)
   * Install all debug symbols into libav-dbg (Closes: #680602).
   * Do not run doxygen if it is not installed.
   * Fix up debian/changelog and get dependencies right accordingly.
 .
   [ Reinhard Tartler ]
   * Make libav-extra-dbg arch:all
   * Fix generation of shlibs file (Closes: #679542)
 .
   [ Fabian Greffrath ]
   * Also make libav-regular-dbg 'arch: all' for consistency with the other debug packages.
   * Fix generation of shlibs file not only for libavcodec*, but for all the other library packages as well.
   * Use xz compression for binary packages, thanks Ansgar Burchardt (Closes: #683895).
 .
   [ Reinhard Tartler ]
   * Drop the package libav-regular-dbg
 .
   [ Fabian Greffrath ]
   * Clarify relations between libavcodec54 and libavcodec-extra-54 in debian/control.
 .
   [ Reinhard Tartler ]
   * New Upstream version: 9 beta1
   * remove compatibility links for ff* tools.
   * New release fixes all known CVE entries so far (Closes: #688847)
   * libav-dbg: avoid dependency on 'ffmpeg' package
   * remove package libav-extra-dbg
   * allow co-installation of libav-dbg with libavcodec-extra-54
   * temporarily disable libopus support until #690563 is fixed
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Debian Powered!

iEYEARECAAYFAlB9pvYACgkQmAg1RJRTSKQ7swCfXC9B9VGoxjVgSRakyPUHHJFP
QCgAn2L6hjY64TL/7lgTD7pGIpCtRHhT
=NqVx
-----END PGP SIGNATURE-----




Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility. (Tue, 23 Oct 2012 07:06:07 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Tue, 23 Oct 2012 07:06:07 GMT)


Message #36 received at 688847-close@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: 688847-close@bugs.debian.org
Subject: Bug#688847: fixed in libav 6:0.8.4-1
Date: Tue, 23 Oct 2012 07:03:00 +0000

Source: libav
Source-Version: 6:0.8.4-1

We believe that the bug you reported is fixed in the latest version of
libav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 688847@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated libav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 22 Oct 2012 20:57:08 +0200
Source: libav
Binary: libav-tools ffmpeg ffmpeg-dbg libav-dbg libav-extra-dbg ffmpeg-doc libav-doc libavutil51 libavcodec53 libavdevice53 libavformat53 libavfilter2 libpostproc52 libswscale2 libavutil-dev libavcodec-dev libavdevice-dev libavformat-dev libavfilter-dev libpostproc-dev libswscale-dev libavutil-extra-51 libavcodec-extra-53 libavdevice-extra-53 libavfilter-extra-2 libpostproc-extra-52 libavformat-extra-53 libswscale-extra-2
Architecture: all amd64 source
Version: 6:0.8.4-1
Distribution: unstable
Urgency: low
Maintainer: Reinhard Tartler <siretart@debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 688847 690726
Description: 
 ffmpeg-dbg - Debug symbols for Libav related packages (transitional package)
 ffmpeg-doc - Documentation of the Libav API (transitional package)
 ffmpeg     - Multimedia player, server, encoder and transcoder (transitional p
 libavcodec53 - Libav codec library
 libavcodec-dev - Development files for libavcodec
 libavcodec-extra-53 - Libav codec library (additional codecs)
 libav-dbg  - Debug symbols for Libav related packages
 libavdevice53 - Libav device handling library
 libavdevice-dev - Development files for libavdevice
 libavdevice-extra-53 - Libav device handling library (transitional package)
 libav-doc  - Documentation of the Libav API
 libav-extra-dbg - Debug symbols for Libav related packages (transitional package)
 libavfilter2 - Libav video filtering library
 libavfilter-dev - Development files for libavfilter
 libavfilter-extra-2 - Libav filter library (transitional package)
 libavformat53 - Libav file format library
 libavformat-dev - Development files for libavformat
 libavformat-extra-53 - Libav video postprocessing library (transitional package)
 libav-tools - Multimedia player, server, encoder and transcoder
 libavutil51 - Libav utility library
 libavutil-dev - Development files for libavutil
 libavutil-extra-51 - Libav utility library (transitional package)
 libpostproc52 - Libav video postprocessing library
 libpostproc-dev - Development files for libpostproc
 libpostproc-extra-52 - Libav video postprocessing library (transitional package)
 libswscale2 - Libav video scaling library
 libswscale-dev - Development files for libswscale
 libswscale-extra-2 - Libav video software scaling library (transitional package)
Changes: 
 libav (6:0.8.4-1) unstable; urgency=low
 .
   * New upstream security/bugfix release. New release fixes:
     (bug numbers reference http://bugzilla.libav.org, Closes: #688847)
     - h464 (Bug 118), vc1dec (CVE-2012-2796), sipr, bmpdec (bug 367), alsdec
       (CVE-2012-2775), rv34/rv40 (CVE-2012-2772), indeo3/indeo4
       (CVE-2012-2776, CVE-2012-2779, CVE-2012-2787, CVE-2012-2794,
       CVE-2012-2800), vorbisenc, vorbisdec (Bug 277), snow, ac3dec
       (CVE-2012-2802), avsdec (CVE-2012-2801), dfa (CVE-2012-2786,
       CVE-2012-2798), lagrith (CVE-2012-2793), wmaprodec (CVE-2012-2789 &
       Bug 327), avidec (CVE-2012-2788, CVE-2012-2790), cavsdec
       (CVE-2012-2777, CVE-2012-2784), wav (Bug 379), yuff4mpeg (Bug 373),
       mpegaudio, tiffenc, smacker (Bug 265).
     - smaller bug fixes in avconv (Bug 352)
     - fix lt() and lte() in function evaluator
     - fix segfault in avformat_open_input()
     - fix segfault in golomb decoder (bug 310)
     - fix segfault (double free) in libavfilter
     - convert dfa decoder to bytestream2 API to protect from overreads
     - bugfix in vf_pad/scale filter (Bug 203 & 245)
     - lavc: remove stats_out and stats_in from the options table.
       (Bug 380, Closes: #690726)
   * Drop patches applied upstream.
Checksums-Sha1: 
Checksums-Sha256: 
 a6de9d86ee61d623b86cffb0b6cf0857f31ffd1a9e431901101caab3984fb1ca 367602 libav-tools_0.8.4-1_amd64.deb
 a84bca76fe1ced433d43b9ad2bec74ce75a9b37a2a68b4b14210830f11213ba9 137502 ffmpeg_0.8.4-1_amd64.deb
 d7a00a4ebbdf35a1089aeecee391ad9f18aae4436e1104047730ff5cc65b7132 42624 ffmpeg-dbg_0.8.4-1_all.deb
 267b80fd604a87e32787e2709ca687b90f67d6d5ea9a397baa50982dd3d4ae08 21699776 libav-dbg_0.8.4-1_amd64.deb
 73d6285a0ec167baffd603e1cd395485c787d55a3da89722bfee2b403e39c1d0 42620 libav-extra-dbg_0.8.4-1_all.deb
 b5d58ef38ed52c3d05f9f7f513fee4113c7e408d7ae0d6869d8e63d137c3943e 42688 ffmpeg-doc_0.8.4-1_all.deb
 0c5b720a6c978ede7f85dae6d388c7a50793d8f990483f97d51a1a38eaa35a79 12442554 libav-doc_0.8.4-1_all.deb
 b7a7d60490ce7675ac9c860f44a388f40a897da0d42a56e2d9ca9eac4be82547 92080 libavutil51_0.8.4-1_amd64.deb
 e046e73e25a475349f43b316e95ae1cea305d8ecfabb0a683b4e9d6942a18e19 2501034 libavcodec53_0.8.4-1_amd64.deb
 339805050a5c73e6d16ff553f7cf9fd09cb0ca643141a58c4dd0c258ee400262 67850 libavdevice53_0.8.4-1_amd64.deb
 52d973879c74562503888e564b8122ce093e33de8952de7a427128b951539754 463386 libavformat53_0.8.4-1_amd64.deb
 d30b2ce10caeb85e4e3dad6485389dcb24027963d98bd79dbaa9d04d35eb1633 114132 libavfilter2_0.8.4-1_amd64.deb
 7c1190543f7bb4ca8739b791640509d876fcea6f34a57f55d5827604aff4ea30 88136 libpostproc52_0.8.4-1_amd64.deb
 b5c26bcaf542f7bb8c2cb53dee4cf42ffac978c5f0808160ca724cc2f49c0366 120000 libswscale2_0.8.4-1_amd64.deb
 e3368e51e04d80874d6267ac3f27fdd3d8b78f2227ed14f081f28279c957ea10 131966 libavutil-dev_0.8.4-1_amd64.deb
 bcf63b2471773bebf145dd6066a112b98c5292123541a56543dc2b8f9777c7a4 2745882 libavcodec-dev_0.8.4-1_amd64.deb
 9ae1568a94a5be63a863cbebe73517e78a73b0d3f8fafa52c1da84a5d222320c 69654 libavdevice-dev_0.8.4-1_amd64.deb
 778fc018e4b480de351bb50c3b566efc2343086ff5e59bb0d2e388c7c33a26e7 549582 libavformat-dev_0.8.4-1_amd64.deb
 ae15ea316cf3d776fcab0744d3ed51850c0da12ff5825f5cb44beba54382c729 133566 libavfilter-dev_0.8.4-1_amd64.deb
 2d0d2bbd8db9ce6ad0e5eb9f7bc1b2bf3429fe0fb55558fc30ecd18c60d9f410 88316 libpostproc-dev_0.8.4-1_amd64.deb
 749866b92df296934f16a1ad81529420f31e63e91dcaa1627576cbaf228e7b00 130392 libswscale-dev_0.8.4-1_amd64.deb
 c347199ac3ccd5dfc65290c8ad79f0cf091dbcee63be027655f92c39541c462f 42654 libavutil-extra-51_0.8.4-1_all.deb
 c4a5e22410115ddc08bb35bd3ffe95ed53a97d4b4f7d7671775087f87d1bea9d 2504614 libavcodec-extra-53_0.8.4-1_amd64.deb
 0e84c860abe2ef38b5cc8e705d0f877cc8706f7a7b4e5225222c7d282e85af00 42658 libavdevice-extra-53_0.8.4-1_all.deb
 f96bae69c6533228b60a08d385900ac8d61a88efd1d44579b779c750ac409859 42654 libavfilter-extra-2_0.8.4-1_all.deb
 08d32ab8b890e75dd709535f55419d9df42127af6d4794018907e8c42e97761c 42672 libpostproc-extra-52_0.8.4-1_all.deb
 2496e05686de7edb1b929a868ebba042ff985fb5cbd09fa69cc1d16bbeca72e2 42660 libavformat-extra-53_0.8.4-1_all.deb
 64890c1a96cc943b0fbd21e92f26756e2a4abe9ea0f22217e3e7a1aff9ea9227 42660 libswscale-extra-2_0.8.4-1_all.deb
 34f018e2d7242c3010ae40310edacaf2ac416cc73cdf9c869222fcce52b8e9a2 3680 libav_0.8.4-1.dsc
 5127e415334f0a09059c6bb44b759d714c7a85b0fe757747ed31643e88d4cf42 5449993 libav_0.8.4.orig.tar.gz
 e759e1784fc968ce775daac239e0d42fabb987b28bbfe0f898d2ec0f035ffbec 42497 libav_0.8.4-1.debian.tar.gz
Files: 
 b8c0c9fbd1cf82feec3b19d4cb55525d 367602 video optional libav-tools_0.8.4-1_amd64.deb
 2718f7d03d94c529d36f111563849d22 137502 oldlibs extra ffmpeg_0.8.4-1_amd64.deb
 ad7f84e6294e7c3c2522a08b6f974bb9 42624 oldlibs extra ffmpeg-dbg_0.8.4-1_all.deb
 d120376257d758384be4378199437e32 21699776 debug extra libav-dbg_0.8.4-1_amd64.deb
 9053e5b05b4e7131d0178f2673c39953 42620 oldlibs extra libav-extra-dbg_0.8.4-1_all.deb
 2c5d6420271ac80dfa9645a343f9f8b5 42688 oldlibs extra ffmpeg-doc_0.8.4-1_all.deb
 201a4f23f8d96b57548108eb33bbf4e8 12442554 doc optional libav-doc_0.8.4-1_all.deb
 bfc2d110bbe8db7cbff24183f411fed3 92080 libs optional libavutil51_0.8.4-1_amd64.deb
 3c87ddcd8a29731bfb154d788e7ecb53 2501034 libs optional libavcodec53_0.8.4-1_amd64.deb
 adf9736bc348de198527f9bdb6e0a6e3 67850 libs optional libavdevice53_0.8.4-1_amd64.deb
 9a3ba47108f8427321e79ab527f9f33e 463386 libs optional libavformat53_0.8.4-1_amd64.deb
 7b84fa8e4440c6f48cb9ac4ddd2c7fbf 114132 libs optional libavfilter2_0.8.4-1_amd64.deb
 73734c677fe660bec83839e968eb1ce7 88136 libs optional libpostproc52_0.8.4-1_amd64.deb
 b7f133e85b1a7c2ccbbf47879ef23ae1 120000 libs optional libswscale2_0.8.4-1_amd64.deb
 133178e54e2f91b63c0938be7ba0385d 131966 libdevel optional libavutil-dev_0.8.4-1_amd64.deb
 aa192140885132d6331bcceaa2575a75 2745882 libdevel optional libavcodec-dev_0.8.4-1_amd64.deb
 2a2da2a8534dfc33ee577eb99c148659 69654 libdevel optional libavdevice-dev_0.8.4-1_amd64.deb
 e5f064445de0a2c58c2efb3e0311970b 549582 libdevel optional libavformat-dev_0.8.4-1_amd64.deb
 ddd5c430b0ccd4e2603005ebb9cce65e 133566 libdevel optional libavfilter-dev_0.8.4-1_amd64.deb
 6f1d5291102cd9d733cf3d052956f3e0 88316 libdevel optional libpostproc-dev_0.8.4-1_amd64.deb
 c2fd6f4956704eb7b5a325ecc3ad5be6 130392 libdevel optional libswscale-dev_0.8.4-1_amd64.deb
 d60adbacafe2921a3db877c66d96f6e3 42654 oldlibs extra libavutil-extra-51_0.8.4-1_all.deb
 138d4acf82bc29e34175a052e44011cf 2504614 libs optional libavcodec-extra-53_0.8.4-1_amd64.deb
 a36bf302121d84ca91eacadfc2070190 42658 oldlibs extra libavdevice-extra-53_0.8.4-1_all.deb
 8884a6ef68f0d8d73adbd79ae7fb827a 42654 oldlibs extra libavfilter-extra-2_0.8.4-1_all.deb
 f56ff8aba5be31b2093df77631fe44ad 42672 oldlibs extra libpostproc-extra-52_0.8.4-1_all.deb
 dd7a4243ecc8dbbbadcd9ca8c4255611 42660 oldlibs extra libavformat-extra-53_0.8.4-1_all.deb
 e3f945838e36dbc06a997073b62246f5 42660 oldlibs extra libswscale-extra-2_0.8.4-1_all.deb
 18f8b686451ed3cc1bed6b0382b04c22 3680 libs optional libav_0.8.4-1.dsc
 b6b4f930d387039c2e920a51e97a977e 5449993 libs optional libav_0.8.4.orig.tar.gz
 34641429c4108bd0dd7b9a05f0403eaa 42497 libs optional libav_0.8.4-1.debian.tar.gz


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#688847; Package src:libav. (Mon, 26 Nov 2012 19:15:03 GMT)


Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Mon, 26 Nov 2012 19:15:03 GMT)


Message #41 received at 688847@bugs.debian.org:

From: Arne Wichmann <aw@anhrefn.saar.de>
To: 688847@bugs.debian.org, team@security.debian.org
Subject: Unclear status of CVE-2012-2774 CVE-2012-2783 CVE-2012-2791 CVE-2012-2797 CVE-2012-2803 CVE-2012-2804
Date: Mon, 26 Nov 2012 20:01:03 +0100
I just had a look at the above mentioned problems and I am a bit unsure
about their status. As far as I can see the fixes are not applied, the
status in http://security-tracker.debian.org/tracker/source-package/libav
still lists these issues as open, but the bug is closed.

Are these problems real? Are they fixed?

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#688847; Package src:libav. (Wed, 28 Nov 2012 16:15:08 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 28 Nov 2012 16:15:08 GMT)


Message #46 received at 688847@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Arne Wichmann <aw@anhrefn.saar.de>
Cc: 688847@bugs.debian.org, team@security.debian.org
Subject: Re: Unclear status of CVE-2012-2774 CVE-2012-2783 CVE-2012-2791 CVE-2012-2797 CVE-2012-2803 CVE-2012-2804
Date: Wed, 28 Nov 2012 17:10:20 +0100
On Mon, Nov 26, 2012 at 08:01:03PM +0100, Arne Wichmann wrote:
> I just had a look at the above mentioned problems and I am a bit unsure
> about their status. As far as I can see the fixes are not applied, the
> status in http://security-tracker.debian.org/tracker/source-package/libav
> still lists these issues as open, but the bug is closed.
> 
> Are these problems real? Are they fixed?

I had contacted the Google people, who discovered these issues and asked
for the reproducers, but I'm not sure if the libav developers have received
them. Reinhard?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#688847; Package src:libav. (Wed, 28 Nov 2012 18:30:03 GMT)


Acknowledgement sent to anton@khirnov.net:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 28 Nov 2012 18:30:03 GMT)


Message #51 received at 688847@bugs.debian.org:

From: anton@khirnov.net
To: 688847@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Unclear status of CVE-2012-2774 CVE-2012-2783 CVE-2012-2791 CVE-2012-2797 CVE-2012-2803 CVE-2012-2804
Date: Wed, 28 Nov 2012 19:17:34 +0100
Hi,
I've been working on fixing those bugs in Libav, but I was lacking samples for
those remaining ones. Just yesterday I finally got a reply from the Google guy
who found the bugs (I suppose it was triggered by you, thanks for that) so there
is hope of seeing the samples soon. Then I might be able to do something about
the missing CVEs.

-- 
Anton Khirnov



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#688847; Package src:libav. (Tue, 25 Dec 2012 10:33:06 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 25 Dec 2012 10:33:06 GMT)


Message #56 received at 688847@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Reinhard Tartler <siretart@gmail.com>
Cc: 688847@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#688847: libav: multiple CVEs in ffmpeg/libav
Date: Tue, 25 Dec 2012 11:31:42 +0100
On Mon, Oct 15, 2012 at 05:38:37AM -0400, Reinhard Tartler wrote:
> > None of these are merged into 0.5.x, has the code diverged so much?
> 
> I arrived only today from my two week trip and will work on backports
> for 0.7-0.5 this week. Sorry for the delay.

Merry Christmas Reinhard,

did you have a chance to work on this in the meantime?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#688847; Package src:libav. (Mon, 14 Jan 2013 13:45:08 GMT)


Acknowledgement sent to Reinhard Tartler <siretart@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Mon, 14 Jan 2013 13:45:08 GMT)


Message #61 received at 688847@bugs.debian.org:

From: Reinhard Tartler <siretart@gmail.com>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 688847@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#688847: libav: multiple CVEs in ffmpeg/libav
Date: Mon, 14 Jan 2013 14:37:20 +0100
On Tue, Dec 25, 2012 at 11:31 AM, Moritz Mühlenhoff <jmm@inutil.org> wrote:
> On Mon, Oct 15, 2012 at 05:38:37AM -0400, Reinhard Tartler wrote:
>> > None of these are merged into 0.5.x, has the code diverged so much?
>>
>> I arrived only today from my two week trip and will work on backports
>> for 0.7-0.5 this week. Sorry for the delay.
>
> Merry Christmas Reinhard,
>
> did you have a chance to work on this in the meantime?


Later than anticipated, but 0.8.5-1 is now finally in unstable.
Moritz, last time you did some extensive testing and reported the
results to the RMs. Can you do so this time again?

Thanks,
Reinhard


-- 
regards,
    Reinhard



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 21 Feb 2013 07:26:38 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:24:25 2019; Machine Name: beach
