ffmpeg/squeeze/stable: multiple CVEs that need further investigation

Debian Bug report logs - #688849


Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Wed, 26 Sep 2012 08:27:01 UTC

Severity: grave

Tags: security

Fixed in version ffmpeg/4:0.5.10-1

Done: Reinhard Tartler <siretart@tauware.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#688847; Package src:libav. (Wed, 26 Sep 2012 08:27:04 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 26 Sep 2012 08:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libav: multiple CVEs in ffmpeg/libav
Date: Wed, 26 Sep 2012 10:22:19 +0200
Source: libav
Severity: grave
Justification: user security hole

Hi,

it seems that a huge pile of CVEs was allocated for ffmpeg/libav, which are
supposed to be fixed in 0.11:

CVE-2012-2772

CVE-2012-2774
CVE-2012-2775
CVE-2012-2776
CVE-2012-2777

CVE-2012-2779

CVE-2012-2782
CVE-2012-2783
CVE-2012-2784
CVE-2012-2785
CVE-2012-2786
CVE-2012-2787
CVE-2012-2788
CVE-2012-2789
CVE-2012-2790
CVE-2012-2791
CVE-2012-2792
CVE-2012-2793
CVE-2012-2794
CVE-2012-2795
CVE-2012-2796
CVE-2012-2797
CVE-2012-2798
CVE-2012-2799
CVE-2012-2800
CVE-2012-2801
CVE-2012-2802
CVE-2012-2803
CVE-2012-2804

As far as I can tell you're already aware of that, so this is just a
tracking bug.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Bug 688847 cloned as bug 688849. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 26 Sep 2012 08:48:02 GMT)


Bug reassigned from package 'src:libav' to 'src:ffmpeg'. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 26 Sep 2012 08:51:03 GMT)


Added tag(s) security. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 26 Sep 2012 09:09:11 GMT)


Changed Bug title to 'ffmpeg/squeeze/stable: multiple CVEs that need further investigation' from 'libav: multiple CVEs in ffmpeg/libav'. Request was from Reinhard Tartler <siretart@tauware.de> to control@bugs.debian.org. (Wed, 16 Jan 2013 07:03:03 GMT)


Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility. (Sat, 16 Feb 2013 20:51:03 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Sat, 16 Feb 2013 20:51:04 GMT)


Message #18 received at 688849-close@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: 688849-close@bugs.debian.org
Subject: Bug#688849: fixed in ffmpeg 4:0.5.10-1
Date: Sat, 16 Feb 2013 20:47:06 +0000
Source: ffmpeg
Source-Version: 4:0.5.10-1

We believe that the bug you reported is fixed in the latest version of
ffmpeg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 688849@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated ffmpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 16 Feb 2013 10:16:46 +0100
Source: ffmpeg
Binary: ffmpeg ffmpeg-dbg ffmpeg-doc libavutil49 libavcodec52 libavdevice52 libavformat52 libavfilter0 libpostproc51 libswscale0 libavutil-dev libavcodec-dev libavdevice-dev libavformat-dev libavfilter-dev libpostproc-dev libswscale-dev
Architecture: source amd64 all
Version: 4:0.5.10-1
Distribution: stable-security
Urgency: low
Maintainer: Reinhard Tartler <siretart@debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description: 
 ffmpeg     - multimedia player, server and encoder
 ffmpeg-dbg - Debug symbols for ffmpeg related packages
 ffmpeg-doc - documentation of the ffmpeg API
 libavcodec-dev - development files for libavcodec
 libavcodec52 - ffmpeg codec library
 libavdevice-dev - development files for libavdevice
 libavdevice52 - ffmpeg device handling library
 libavfilter-dev - development files for libavfilter
 libavfilter0 - ffmpeg video filtering library
 libavformat-dev - development files for libavformat
 libavformat52 - ffmpeg file format library
 libavutil-dev - development files for libavutil
 libavutil49 - ffmpeg utility library
 libpostproc-dev - development files for libpostproc
 libpostproc51 - ffmpeg video postprocessing library
 libswscale-dev - development files for libswscale
 libswscale0 - ffmpeg video scaling library
Closes: 688849
Changes: 
 ffmpeg (4:0.5.10-1) stable-security; urgency=low
 .
   * New upstream release. New release fixes: (Closes: #688849)
     - mpeg12: do not decode extradata more than once (CVE-2012-2803)
     - vp6: properly fail on unsupported feature (CVE-2012-2783)
     - vp56: release frames on error (CVE-2012-2783)
     - shorten: Use separate pointers for the allocated memory for decoded samples (CVE-2012-0858)
     - cavsdec: check for changing w/h (CVE-2012-2777 and CVE-2012-2784)
     - avidec: use actually read size instead of requested size (CVE-2012-2788)
     - avsdec: Set dimensions instead of relying on the demuxer (CVE-2012-2801)
Checksums-Sha1: 
 cf31dbcacc4e7eb8b20cb74dee0492b00ea17cb4 2249 ffmpeg_0.5.10-1.dsc
 d227677fb6ff545827ed74c62d5358ae17092b1e 3261191 ffmpeg_0.5.10.orig.tar.gz
 eea420306bc2b38c49843aeddd4be8d8c9c59808 59871 ffmpeg_0.5.10-1.diff.gz
 9a4ac92ee254dca85f15e3f79784148904144ea4 243652 ffmpeg_0.5.10-1_amd64.deb
 0b866a1ca1c27eb5c00fcbdae17ea95ca542726d 5136242 ffmpeg-dbg_0.5.10-1_amd64.deb
 bf6c569f3c5550a6da7f8319d4d64edea261f3e6 13985368 ffmpeg-doc_0.5.10-1_all.deb
 3afe42b619e1aa90c341051afa972c7b3e1cdc91 65274 libavutil49_0.5.10-1_amd64.deb
 e14ef413b53f31aba527a05df674962f5a28f5ae 2207602 libavcodec52_0.5.10-1_amd64.deb
 2a683433179509324b2d1000ffc5a42800f10ce4 58552 libavdevice52_0.5.10-1_amd64.deb
 1f99fb052cd64718162b67548aaf7c655f88e961 368720 libavformat52_0.5.10-1_amd64.deb
 40c1cead7b60e5e548d1b08feb7d865110982c4b 48424 libavfilter0_0.5.10-1_amd64.deb
 fd5a18a95c9babdedd6fa9ad504269b0eba0306a 124268 libpostproc51_0.5.10-1_amd64.deb
 579b6d1159f41db3432ba5cc92d7ef8e4010e8de 174560 libswscale0_0.5.10-1_amd64.deb
 cd4335eb737b1bac8207eefbcfc95cc9f589b53e 82610 libavutil-dev_0.5.10-1_amd64.deb
 3fa42f7ff312f62ec015194b1fdac5ceb9ae54ca 2487428 libavcodec-dev_0.5.10-1_amd64.deb
 c617cfee7aeb134d7e9cfcf4f4226613187817cf 59760 libavdevice-dev_0.5.10-1_amd64.deb
 1218d8b6cac7017b0218cad79bbb5cac0d8fea65 471698 libavformat-dev_0.5.10-1_amd64.deb
 d34f497bbe1363b350b787c56ab42d4914cbb0fc 56768 libavfilter-dev_0.5.10-1_amd64.deb
 d2a72a44b103f20a2c67a098053a3de2fe1a7af6 124946 libpostproc-dev_0.5.10-1_amd64.deb
 f5797866b637723c3b47ba78d6b54a2aacad13fd 182898 libswscale-dev_0.5.10-1_amd64.deb
Checksums-Sha256: 
 763c7cdc93cb29b00366ee9ba077644c0f335ffbecf9f492dac4c0fa8cdaa754 2249 ffmpeg_0.5.10-1.dsc
 e8d39f57e2c033c003bddce820684c1e26e1db7730d1d3e26c29765d7927b612 3261191 ffmpeg_0.5.10.orig.tar.gz
 ddb0d74a96aae11b863895c1a4030bf1fa70c8fff3b0e16bc69d67451058975c 59871 ffmpeg_0.5.10-1.diff.gz
 6a0905f1e778865f7ff82bcc624d12d1699666d375ccd71032fceb3e4def7635 243652 ffmpeg_0.5.10-1_amd64.deb
 58f3ca99b8a413ec327f87211b5aa187a2fc29d5a1a5e39b3d642635d912a0d1 5136242 ffmpeg-dbg_0.5.10-1_amd64.deb
 ccac50f107086b0fbf8b45873672ce4abf5b28c68f399db9822e8d7173914652 13985368 ffmpeg-doc_0.5.10-1_all.deb
 952a7c2a576567560c47c80bda90649e06407814d118025f07d1c632b339edfa 65274 libavutil49_0.5.10-1_amd64.deb
 7d56940992e545c8c55f32f250577e0771d5f16dc90240e065bd186a5347c989 2207602 libavcodec52_0.5.10-1_amd64.deb
 f4c92ae8819d67860beb15820bad2d2f4719e6f61b8865fd470630dba9517ab6 58552 libavdevice52_0.5.10-1_amd64.deb
 126baa429021e9287a49c3513dce876f22f3da96f664e9b25a660c1b1e74b521 368720 libavformat52_0.5.10-1_amd64.deb
 0f8a71da9fd39e2ad34fa899ef17b9d2b9e4a52684ca0129bbcb55595baa70e7 48424 libavfilter0_0.5.10-1_amd64.deb
 936364cc320bb93c329b242694f9b727b5809816d23f8fce10fe0420f24e7c17 124268 libpostproc51_0.5.10-1_amd64.deb
 f4030105c5dd4e16d9eb3332e8c138a33d0cf1d913bd10e1004a053b456ea5cb 174560 libswscale0_0.5.10-1_amd64.deb
 6b63e92177f87adaf5be5dd1557e3351764be32d1454a97f2270880be9fa1743 82610 libavutil-dev_0.5.10-1_amd64.deb
 a516c56e7967b5c153ab12723c9f3a8c7fe42bbbc81d323304bf259b7f53326f 2487428 libavcodec-dev_0.5.10-1_amd64.deb
 656c0519999705ad31efeb634a109600e0b720253d3b0be22fa31624723d89ba 59760 libavdevice-dev_0.5.10-1_amd64.deb
 b0abf7fd81842eeac95dba81b9fb5bf180f0afac869b6dfc1ca8aa0a956b5c5e 471698 libavformat-dev_0.5.10-1_amd64.deb
 1218f29a327bcc223f27f51f80a0247a3396581ec5857cd7a1eb16b656ac88db 56768 libavfilter-dev_0.5.10-1_amd64.deb
 7f5e00d5ff09e815b29d7d85e3192ff996d0e94dd7294fd0849368f7c3f4914c 124946 libpostproc-dev_0.5.10-1_amd64.deb
 4cdc7063f6aedca5bcfbe3b26faf935dcb971eacc2bffca190c1b6f5c4050767 182898 libswscale-dev_0.5.10-1_amd64.deb
Files: 
 bcb21fd2c5cda008894d4069b97ce6b9 2249 libs optional ffmpeg_0.5.10-1.dsc
 a556faf9be2570ad8140dfcea64227df 3261191 libs optional ffmpeg_0.5.10.orig.tar.gz
 f479c003b588dd040190919b6480fced 59871 libs optional ffmpeg_0.5.10-1.diff.gz
 54e9257c05cdc3aeaf84031818e17d01 243652 video optional ffmpeg_0.5.10-1_amd64.deb
 6721f84d825ac5653f3cf3d01b702027 5136242 debug extra ffmpeg-dbg_0.5.10-1_amd64.deb
 d031b4f1d662af1232c52e2f742a423d 13985368 doc optional ffmpeg-doc_0.5.10-1_all.deb
 8fb6dc3e6b14419fa9e13e4f6f74d4e5 65274 libs optional libavutil49_0.5.10-1_amd64.deb
 81d691491dcd1f6e6dd0c400fb5b0b82 2207602 libs optional libavcodec52_0.5.10-1_amd64.deb
 ba3af01b710e1ff3d02e14ff73d60ff0 58552 libs optional libavdevice52_0.5.10-1_amd64.deb
 751092fa9cfc3f1ffbc49eb5ac3472af 368720 libs optional libavformat52_0.5.10-1_amd64.deb
 899d38172f4e4d28434692cebbd3cccf 48424 libs optional libavfilter0_0.5.10-1_amd64.deb
 48283b9438d8e3320c539cdd06f13c21 124268 libs optional libpostproc51_0.5.10-1_amd64.deb
 b5393b22428de932a3fda68014f6a095 174560 libs optional libswscale0_0.5.10-1_amd64.deb
 657eb8afc2fe8c88c638da3a918d61d7 82610 libdevel optional libavutil-dev_0.5.10-1_amd64.deb
 66f20a45480838f80e1217f413f64d3c 2487428 libdevel optional libavcodec-dev_0.5.10-1_amd64.deb
 485feff010cd3319addd59fe4e8179f5 59760 libdevel optional libavdevice-dev_0.5.10-1_amd64.deb
 f1c336eec50a6d53b05e756d8cc81977 471698 libdevel optional libavformat-dev_0.5.10-1_amd64.deb
 12c95d1417f249ac3c96bc8de4b42d3e 56768 libdevel optional libavfilter-dev_0.5.10-1_amd64.deb
 d35720aefd1895e6a3385a69250dc282 124946 libdevel optional libpostproc-dev_0.5.10-1_amd64.deb
 3e48fef1296940cefabf9dbfae77846d 182898 libdevel optional libswscale-dev_0.5.10-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Debian Powered!

iEYEARECAAYFAlEfUt4ACgkQmAg1RJRTSKQvjwCfXX3R9WPZ436whd+XpwNCLeMd
MmwAn1sbr2i4E3/AbxH2X0KAXvEZoKcQ
=T+az
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Mar 2013 07:26:47 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:19:21 2019; Machine Name: beach
