ffmpeg-debian: CVE-2009-0385 integer signedness error

Related Vulnerabilities: CVE-2009-0385   CVE-2008-3162  

Debian Bug report logs - #524799

Package: ffmpeg-debian; Maintainer for ffmpeg-debian is (unknown);

Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Date: Mon, 20 Apr 2009 01:18:01 UTC

Severity: important

Tags: security

Found in versions 0.cvs20060823-1, 0.svn20080206-1

Fixed in versions 0.cvs20060823-8+etch4, 0.svn20080206-17+lenny1, 3:0.svn20090303-1

Done: Steffen Joeris <white@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#524799; Package ffmpeg-debian. (Mon, 20 Apr 2009 01:18:04 GMT)


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Mon, 20 Apr 2009 01:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: ffmpeg-debian: CVE-2009-0385 integer signedness error
Date: Sun, 19 Apr 2009 21:15:38 -0400
package: ffmpeg-debian
severity: important
tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for ffmpeg-debian.

CVE-2009-0385[0]:
| Integer signedness error in the fourxm_read_header function in
| libavformat/4xm.c in FFmpeg before revision 16846 allows remote
| attackers to execute arbitrary code via a malformed 4X movie file with
| a large current_track value, which triggers a NULL pointer
| dereference.

See fedora security announcement for more details [1].

Please coordinate with the security team to prepare updated packages
for the stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0385
    http://security-tracker.debian.net/tracker/CVE-2009-0385
[1] http://lwn.net/Articles/328039/
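
A simplified model of an integer signedness error on a file-supplied track index, of the kind the CVE text above names, shown beside a hardened form. This is an added example, not part of the bug report and not FFmpeg's code; `Track`, `TrackTable`, `MAX_TRACKS`, the function names and the sample fields are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKS 64u /* assumed policy cap, not an FFmpeg constant */

typedef struct { int bits; } Track;              /* hypothetical per-track state */
typedef struct { Track *tracks; uint32_t count; } TrackTable;

/* Constructed sample header fields (little-endian): index 2 and 0xFFFFFFF0. */
const uint8_t FIELD_OK[4]   = { 0x02, 0x00, 0x00, 0x00 };
const uint8_t FIELD_HUGE[4] = { 0xF0, 0xFF, 0xFF, 0xFF };

static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed pattern: the field is held as a signed value, so 0x80000000 and up
 * reads as negative on two's-complement targets. The "grow the table?" test
 * is then false (returns 0) and a still-NULL table would be indexed as-is. */
int flawed_needs_grow(const uint8_t *field, int track_count)
{
    int32_t current_track = (int32_t)rl32(field);
    return current_track >= track_count;
}

/* Hardened: keep the index unsigned, reject it against an explicit cap
 * before any allocation or indexing, and zero newly added slots. */
int set_track_bits(TrackTable *t, const uint8_t *field, int bits)
{
    uint32_t idx = rl32(field);
    if (idx >= MAX_TRACKS)
        return -1;
    if (idx >= t->count) {
        Track *grown = realloc(t->tracks, ((size_t)idx + 1) * sizeof(*grown));
        if (!grown)
            return -1;
        memset(grown + t->count, 0, ((size_t)idx + 1 - t->count) * sizeof(*grown));
        t->tracks = grown;
        t->count = idx + 1;
    }
    t->tracks[idx].bits = bits;
    return 0;
}

int main(void)
{
    TrackTable t = { 0 };
    return set_track_bits(&t, FIELD_HUGE, 16) == -1 ? 0 : 1;
}
```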




Bug marked as found in version 0.cvs20060823-1. Request was from Reinhard Tartler <siretart@tauware.de> to control@bugs.debian.org. (Sat, 02 May 2009 08:30:04 GMT)


Bug marked as found in version 0.svn20080206-1. Request was from Reinhard Tartler <siretart@tauware.de> to control@bugs.debian.org. (Sat, 02 May 2009 08:30:05 GMT)


Bug marked as fixed in version 0.cvs20060823-8+etch4. Request was from Reinhard Tartler <siretart@tauware.de> to control@bugs.debian.org. (Sat, 02 May 2009 08:30:05 GMT)


Bug marked as fixed in version 0.svn20080206-17+lenny1. Request was from Reinhard Tartler <siretart@tauware.de> to control@bugs.debian.org. (Sat, 02 May 2009 08:30:06 GMT)


Bug marked as fixed in version 3:0.svn20090303-1. Request was from Reinhard Tartler <siretart@tauware.de> to control@bugs.debian.org. (Sat, 02 May 2009 08:30:07 GMT)


Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility. (Sat, 02 May 2009 08:30:11 GMT)


Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 02 May 2009 08:30:12 GMT)


Message #20 received at 524799-done@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Cc: 524799-done@bugs.debian.org
Subject: Re: ffmpeg-debian: CVE-2009-0385 integer signedness error
Date: Sat, 02 May 2009 10:27:00 +0200
found 524799 0.cvs20060823-1
found 524799 0.svn20080206-1
fixed 524799 0.cvs20060823-8+etch4
fixed 524799 0.svn20080206-17+lenny1
fixed 524799 3:0.svn20090303-1
stop

"Michael S. Gilbert" <michael.s.gilbert@gmail.com> writes:
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for ffmpeg-debian.
>
> CVE-2009-0385[0]:
> | Integer signedness error in the fourxm_read_header function in
> | libavformat/4xm.c in FFmpeg before revision 16846 allows remote
> | attackers to execute arbitrary code via a malformed 4X movie file with
> | a large current_track value, which triggers a NULL pointer
> | dereference.
>
> See fedora security announcement for more details [1].
>
> Please coordinate with the security team to prepare updated packages
> for the stable releases.

Thanks for your report. I'm closing this bug with this email with
hopefully the correct version information.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4




Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Sat, 02 May 2009 20:03:05 GMT)


Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 02 May 2009 20:03:06 GMT)


Message #25 received at 524799-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 524799-close@bugs.debian.org
Subject: Bug#524799: fixed in ffmpeg 0.cvs20060823-8+etch4
Date: Sat, 02 May 2009 19:54:23 +0000
Source: ffmpeg
Source-Version: 0.cvs20060823-8+etch4

We believe that the bug you reported is fixed in the latest version of
ffmpeg, which is due to be installed in the Debian FTP archive:

ffmpeg_0.cvs20060823-8+etch4.diff.gz
  to pool/main/f/ffmpeg/ffmpeg_0.cvs20060823-8+etch4.diff.gz
ffmpeg_0.cvs20060823-8+etch4.dsc
  to pool/main/f/ffmpeg/ffmpeg_0.cvs20060823-8+etch4.dsc
ffmpeg_0.cvs20060823-8+etch4_i386.deb
  to pool/main/f/ffmpeg/ffmpeg_0.cvs20060823-8+etch4_i386.deb
libavcodec-dev_0.cvs20060823-8+etch4_i386.deb
  to pool/main/f/ffmpeg/libavcodec-dev_0.cvs20060823-8+etch4_i386.deb
libavcodec0d_0.cvs20060823-8+etch4_i386.deb
  to pool/main/f/ffmpeg/libavcodec0d_0.cvs20060823-8+etch4_i386.deb
libavformat-dev_0.cvs20060823-8+etch4_i386.deb
  to pool/main/f/ffmpeg/libavformat-dev_0.cvs20060823-8+etch4_i386.deb
libavformat0d_0.cvs20060823-8+etch4_i386.deb
  to pool/main/f/ffmpeg/libavformat0d_0.cvs20060823-8+etch4_i386.deb
libpostproc-dev_0.cvs20060823-8+etch4_i386.deb
  to pool/main/f/ffmpeg/libpostproc-dev_0.cvs20060823-8+etch4_i386.deb
libpostproc0d_0.cvs20060823-8+etch4_i386.deb
  to pool/main/f/ffmpeg/libpostproc0d_0.cvs20060823-8+etch4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 524799@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated ffmpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sun, 26 Apr 2009 11:19:49 +0000
Source: ffmpeg
Binary: libavformat-dev libavformat0d ffmpeg libavcodec-dev libpostproc0d libpostproc-dev libavcodec0d
Architecture: source i386
Version: 0.cvs20060823-8+etch4
Distribution: oldstable-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 ffmpeg     - multimedia player, server and encoder
 libavcodec-dev - development files for libavcodec
 libavcodec0d - ffmpeg codec library
 libavformat-dev - development files for libavformat
 libavformat0d - ffmpeg file format library
 libpostproc-dev - development files for libpostproc
 libpostproc0d - ffmpeg video postprocessing library
Closes: 489965 524799
Changes: 
 ffmpeg (0.cvs20060823-8+etch4) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix integer signedness error in libavformat/4xm.c (Closes: #524799)
     Fixes: CVE-2009-0385
   * Fix buffer overflow in libavformat/psxstr.c (Closes: #489965)
     Fixes: CVE-2008-3162
Files: 
 9ec2715aea4be5b91b1ed1e694d71e72 1271 libs optional ffmpeg_0.cvs20060823-8+etch4.dsc
 12e2e5d9e46ebfd08851b05665ecce25 2309921 libs optional ffmpeg_0.cvs20060823.orig.tar.gz
 acab6c61a1f82caa6e44da962f40db41 37279 libs optional ffmpeg_0.cvs20060823-8+etch4.diff.gz
 9d62aa8fb06c00a61d5db5e03c4e02b6 182312 graphics optional ffmpeg_0.cvs20060823-8+etch4_i386.deb
 8843e529305e25fd5977562d319ad12e 1528278 libs optional libavcodec0d_0.cvs20060823-8+etch4_i386.deb
 c47391aec564ebc180adca1513828074 37560 libs optional libpostproc0d_0.cvs20060823-8+etch4_i386.deb
 f731a6c8377ee91feab474f4d5aaa8e8 286526 libs optional libavformat0d_0.cvs20060823-8+etch4_i386.deb
 e232e7971b6a1ce0a25c5b5c5535a2cd 1582552 libdevel optional libavcodec-dev_0.cvs20060823-8+etch4_i386.deb
 72ed15718afa2d3903fc38d4e4959276 37934 libdevel optional libpostproc-dev_0.cvs20060823-8+etch4_i386.deb
 131f13f9e09a437f6db3375c07756f2d 329760 libdevel optional libavformat-dev_0.cvs20060823-8+etch4_i386.deb

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 May 2009 07:38:00 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:13:26 2019; Machine Name: buxtehude