CVE-2019-9718 CVE-2019-9721

Related Vulnerabilities: CVE-2019-9718, CVE-2019-9721, CVE-2019-11338, CVE-2019-11339

Debian Bug report logs - #926666


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 8 Apr 2019 18:33:07 UTC

Severity: important

Tags: security

Found in version ffmpeg/7:4.1.1-1

Fixed in version ffmpeg/7:4.1.3-1

Done: Sebastian Ramacher <sramacher@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#926666; Package ffmpeg. (Mon, 08 Apr 2019 18:33:10 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Mon, 08 Apr 2019 18:33:10 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2019-9718 CVE-2019-9721
Date: Mon, 08 Apr 2019 20:31:43 +0200
Package: ffmpeg
Version: 7:4.1.1-1
Severity: important
Tags: security

https://security-tracker.debian.org/tracker/CVE-2019-9718
https://security-tracker.debian.org/tracker/CVE-2019-9721

Both are fixed in the 4.1.3 release, which also fixes a number of
additional issues without a CVE ID.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#926666; Package ffmpeg. (Sat, 20 Apr 2019 21:39:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Sat, 20 Apr 2019 21:39:03 GMT)


Message #10 received at 926666@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 926666@bugs.debian.org
Subject: Re: CVE-2019-9718 CVE-2019-9721
Date: Sat, 20 Apr 2019 23:35:23 +0200

On Mon, Apr 08, 2019 at 08:31:43PM +0200, Moritz Muehlenhoff wrote:
> Package: ffmpeg
> Version: 7:4.1.1-1
> Severity: important
> Tags: security
> 
> https://security-tracker.debian.org/tracker/CVE-2019-9718
> https://security-tracker.debian.org/tracker/CVE-2019-9721
> 
> Both are fixed in the 4.1.3 release, which also fixes a number of
> additional issues without a CVE ID.

Also these were assigned and are fixed in 4.1.3:
https://security-tracker.debian.org/tracker/CVE-2019-11338
https://security-tracker.debian.org/tracker/CVE-2019-11339

Cheers,
        Moritz



Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Sun, 19 May 2019 16:21:04 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 19 May 2019 16:21:04 GMT)


Message #15 received at 926666-close@bugs.debian.org:

From: Sebastian Ramacher <sramacher@debian.org>
To: 926666-close@bugs.debian.org
Subject: Bug#926666: fixed in ffmpeg 7:4.1.3-1
Date: Sun, 19 May 2019 16:18:43 +0000
Source: ffmpeg
Source-Version: 7:4.1.3-1

We believe that the bug you reported is fixed in the latest version of
ffmpeg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926666@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated ffmpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 19 May 2019 17:22:10 +0200
Source: ffmpeg
Architecture: source
Version: 7:4.1.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 926666
Changes:
 ffmpeg (7:4.1.3-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream release. (Closes: #926666)
     - Fix bug in subtitle decoder enabling DoS attacks (CVE-2019-9718,
       CVE-2019-9721)
     - Fix bug in studio profile decoder enabling DoS attacks (CVE-2019-11339)
     - Fix bug mishandling HEVC data enabling DoS attacks (CVE-2019-11338)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 19 Jun 2019 07:27:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:58:46 2019; Machine Name: buxtehude
