libav: CVE-2014-{8544,8546,9316,9318,9319}

Debian Bug report logs - #775593

Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Sun, 21 Dec 2014 04:33:01 UTC

Severity: important

Tags: security

Found in version libav/6:0.8.5-1

Fixed in version libav/6:11.3-1

Done: Sebastian Ramacher <sramacher@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.libav.org/show_bug.cgi?id=805



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#773626; Package src:libav. (Sun, 21 Dec 2014 04:33:06 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 21 Dec 2014 04:33:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libav: multiple security issues
Date: Sat, 20 Dec 2014 23:31:11 -0500
package: src:libav
version: 6:0.8.16-1
severity: serious
tags: security

Hi,

the following vulnerabilities were published for libav.

CVE-2014-8541[0]:
| libavcodec/mjpegdec.c in FFmpeg before 2.4.2 considers only dimension
| differences, and not bits-per-pixel differences, when determining
| whether an image size has changed, which allows remote attackers to
| cause a denial of service (out-of-bounds access) or possibly have
| unspecified other impact via crafted MJPEG data.

CVE-2014-8542[1]:
| libavcodec/utils.c in FFmpeg before 2.4.2 omits a certain codec ID
| during enforcement of alignment, which allows remote attackers to
| cause a denial of service (out-of-bounds access) or possibly have
| unspecified other impact via crafted JV data.

CVE-2014-8543[2]:
| libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider all
| lines of HHV Intra blocks during validation of image height, which
| allows remote attackers to cause a denial of service (out-of-bounds
| access) or possibly have unspecified other impact via crafted MM video
| data.

CVE-2014-8543[3]:
| libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider all
| lines of HHV Intra blocks during validation of image height, which
| allows remote attackers to cause a denial of service (out-of-bounds
| access) or possibly have unspecified other impact via crafted MM video
| data.

CVE-2014-8544[4]:
| libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate
| bits-per-pixel fields, which allows remote attackers to cause a denial
| of service (out-of-bounds access) or possibly have unspecified other
| impact via crafted TIFF data.

CVE-2014-8545[5]:
| libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the
| monochrome-black format without verifying that the bits-per-pixel
| value is 1, which allows remote attackers to cause a denial of service
| (out-of-bounds access) or possibly have unspecified other impact via
| crafted PNG data.

CVE-2014-8546[6]:
| Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2
| allows remote attackers to cause a denial of service (out-of-bounds
| access) or possibly have unspecified other impact via crafted Cinepak
| video data.

CVE-2014-8547[7]:
| libavcodec/gifdec.c in FFmpeg before 2.4.2 does not properly compute
| image heights, which allows remote attackers to cause a denial of
| service (out-of-bounds access) or possibly have unspecified other
| impact via crafted GIF data.

CVE-2014-8548[8]:
| Off-by-one error in libavcodec/smc.c in FFmpeg before 2.4.2 allows
| remote attackers to cause a denial of service (out-of-bounds access)
| or possibly have unspecified other impact via crafted Quicktime
| Graphics (aka SMC) video data.

CVE-2014-8549[9]:
| libavcodec/on2avc.c in FFmpeg before 2.4.2 does not constrain the
| number of channels to at most 2, which allows remote attackers to
| cause a denial of service (out-of-bounds access) or possibly have
| unspecified other impact via crafted On2 data.

CVE-2014-9316[10]:
| The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg
| before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows
| remote attackers to cause a denial of service (out-of-bounds heap
| access) and possibly have other unspecified impact via vectors related
| to LJIF tags in an MJPEG file.

CVE-2014-9318[11]:
| The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6,
| 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to
| cause a denial of service (out-of-bounds heap access) and possibly
| have other unspecified impact via a crafted .cine file that triggers
| the avpicture_get_size function to return a negative frame size.

CVE-2014-9319[12]:
| The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg
| before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows
| remote attackers to cause a denial of service (out-of-bounds access)
| via a crafted .bit file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8541
[1] https://security-tracker.debian.org/tracker/CVE-2014-8542
[2] https://security-tracker.debian.org/tracker/CVE-2014-8543
[3] https://security-tracker.debian.org/tracker/CVE-2014-8543
[4] https://security-tracker.debian.org/tracker/CVE-2014-8544
[5] https://security-tracker.debian.org/tracker/CVE-2014-8545
[6] https://security-tracker.debian.org/tracker/CVE-2014-8546
[7] https://security-tracker.debian.org/tracker/CVE-2014-8547
[8] https://security-tracker.debian.org/tracker/CVE-2014-8548
[9] https://security-tracker.debian.org/tracker/CVE-2014-8549
[10] https://security-tracker.debian.org/tracker/CVE-2014-9316
[11] https://security-tracker.debian.org/tracker/CVE-2014-9318
[12] https://security-tracker.debian.org/tracker/CVE-2014-9319

Please adjust the affected versions in the BTS as needed.
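
The failure mode named in the CVE-2014-9318 text above, a size helper that returns a negative frame size to a caller that does not test for it, can be shown in a small model. This is an added example, not code from libav, FFmpeg or this bug report; `frame_size`, `packet_long_enough_unchecked`, `copy_frame_checked` and the sample buffers are hypothetical names with constructed values.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample buffers (not taken from any real media file). */
static uint8_t sample_pkt[48];
static uint8_t sample_dst[64];

/* Hypothetical size helper (not libav/FFmpeg code). Like the helper named in
 * the CVE-2014-9318 text, it reports failure as a negative return value. */
static int frame_size(int width, int height, int bytes_per_pixel)
{
    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0)
        return -EINVAL;
    /* Reject products that do not fit in int instead of letting them wrap. */
    if (width > INT_MAX / height)
        return -EINVAL;
    if (width * height > INT_MAX / bytes_per_pixel)
        return -EINVAL;
    return width * height * bytes_per_pixel;
}

/* Unchecked pattern: a signed "is the packet long enough?" test that never
 * asks whether the size itself is valid. Any negative size satisfies it. */
static int packet_long_enough_unchecked(int pkt_len, int need)
{
    return pkt_len >= need;
}

/* Checked pattern: treat a negative size as an error before it reaches any
 * comparison or copy, then bound it by both the packet and the destination. */
static int copy_frame_checked(uint8_t *dst, size_t dst_cap,
                              const uint8_t *pkt, int pkt_len,
                              int width, int height, int bytes_per_pixel)
{
    int need = frame_size(width, height, bytes_per_pixel);

    if (need < 0)
        return need;                /* propagate the helper's error */
    if (pkt_len < need)
        return -EINVAL;             /* packet shorter than one frame */
    if ((size_t)need > dst_cap)
        return -ENOMEM;             /* destination too small */
    memcpy(dst, pkt, (size_t)need);
    return need;
}

int main(void)
{
    int bad = frame_size(-1, 4, 3);

    printf("invalid dims: size=%d, unchecked length test passes=%d\n",
           bad, packet_long_enough_unchecked((int)sizeof sample_pkt, bad));
    printf("checked, valid dims   -> %d\n",
           copy_frame_checked(sample_dst, sizeof sample_dst,
                              sample_pkt, (int)sizeof sample_pkt, 4, 4, 3));
    printf("checked, invalid dims -> %d\n",
           copy_frame_checked(sample_dst, sizeof sample_dst,
                              sample_pkt, (int)sizeof sample_pkt, -1, 4, 3));
    return 0;
}
```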



No longer marked as found in versions libav/6:0.8.16-1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 21 Dec 2014 17:54:14 GMT) (full text, mbox, link).


Marked as found in versions libav/6:0.8.8-1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 21 Dec 2014 18:00:08 GMT) (full text, mbox, link).


Marked as found in versions libav/6:0.8.5-1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 21 Dec 2014 18:09:14 GMT) (full text, mbox, link).


No longer marked as found in versions libav/6:0.8.8-1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 21 Dec 2014 18:09:15 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#773626; Package src:libav. (Sat, 17 Jan 2015 12:30:05 GMT) (full text, mbox, link).


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 17 Jan 2015 12:30:05 GMT) (full text, mbox, link).


Message #18 received at 773626@bugs.debian.org (full text, mbox, reply):

From: Neil Williams <codehelp@debian.org>
To: 773626@bugs.debian.org
Subject: Available fixes for some of the issues
Date: Sat, 17 Jan 2015 12:27:20 +0000
Just to update the bug for others scanning the RC bug list...

https://security-tracker.debian.org/tracker/CVE-2014-8545
- libav <not-affected> (Vulnerable code not present)
CVE-2014-8545[5]:
| libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the
| monochrome-black format without verifying that the bits-per-pixel
| value is 1, which allows remote attackers to cause a denial of service
| (out-of-bounds access) or possibly have unspecified other impact via
| crafted PNG data.

So this one can be discounted from the list.

Other patches exist as upstream commits linked from the security
tracker:

CVE-2014-8541, CVE-2014-8542, CVE-2014-8543, CVE-2014-8547,
CVE-2014-8548, CVE-2014-8549

https://git.libav.org/?p=libav.git;a=patch;h=809c3023b699c54c90511913d3b6140dd2436550
https://git.libav.org/?p=libav.git;a=patch;h=88626e5af8d006e67189bf10b96b982502a7e8ad
https://git.libav.org/?p=libav.git;a=patch;h=17ba719d9ba30c970f65747f42d5fbb1e447ca28
https://git.libav.org/?p=libav.git;a=patch;h=0b39ac6f54505a538c21fe49a626de94c518c903
https://git.libav.org/?p=libav.git;a=patch;h=d423dd72be451462c6fb1cbbe313bed0194001ab
https://git.libav.org/?p=libav.git;a=patch;h=cee4490b521fd0d02476d46aa2598af24fb8d686

Five CVEs therefore remain without upstream patches in libav:

https://security-tracker.debian.org/tracker/CVE-2014-8544
https://security-tracker.debian.org/tracker/CVE-2014-8546
https://security-tracker.debian.org/tracker/CVE-2014-9316
https://security-tracker.debian.org/tracker/CVE-2014-9318
https://security-tracker.debian.org/tracker/CVE-2014-9319 

Each of these has fixes upstream in ffmpeg but it'll need someone with
more familiarity with the mpeg source code than me to investigate
whether the fixes in ffmpeg can become fixes in libav.

-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#773626; Package src:libav. (Sat, 17 Jan 2015 12:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 17 Jan 2015 12:45:04 GMT) (full text, mbox, link).


Message #23 received at 773626@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: Neil Williams <codehelp@debian.org>, 773626@bugs.debian.org
Subject: Re: Bug#773626: Available fixes for some of the issues
Date: Sat, 17 Jan 2015 13:40:38 +0100
On 2015-01-17 12:27:20, Neil Williams wrote:
> Just to update the bug for others scanning the RC bug list...
> 
> https://security-tracker.debian.org/tracker/CVE-2014-8545
> - libav <not-affected> (Vulnerable code not present)
> CVE-2014-8545[5]:
> | libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the
> | monochrome-black format without verifying that the bits-per-pixel
> | value is 1, which allows remote attackers to cause a denial of service
> | (out-of-bounds access) or possibly have unspecified other impact via
> | crafted PNG data.
> 
> So this one can be discounted from the list.
> 
> Other patches exist as upstream commits linked from the security
> tracker:
> 
> CVE-2014-8541, CVE-2014-8542, CVE-2014-8543, CVE-2014-8547,
> CVE-2014-8548, CVE-2014-8549
> 
> https://git.libav.org/?p=libav.git;a=patch;h=809c3023b699c54c90511913d3b6140dd2436550
> https://git.libav.org/?p=libav.git;a=patch;h=88626e5af8d006e67189bf10b96b982502a7e8ad
> https://git.libav.org/?p=libav.git;a=patch;h=17ba719d9ba30c970f65747f42d5fbb1e447ca28
> https://git.libav.org/?p=libav.git;a=patch;h=0b39ac6f54505a538c21fe49a626de94c518c903
> https://git.libav.org/?p=libav.git;a=patch;h=d423dd72be451462c6fb1cbbe313bed0194001ab
> https://git.libav.org/?p=libav.git;a=patch;h=cee4490b521fd0d02476d46aa2598af24fb8d686
> 
> Five CVEs therefore remain without upstream patches in libav:
> 
> https://security-tracker.debian.org/tracker/CVE-2014-8544
> https://security-tracker.debian.org/tracker/CVE-2014-8546
> https://security-tracker.debian.org/tracker/CVE-2014-9316
> https://security-tracker.debian.org/tracker/CVE-2014-9318
> https://security-tracker.debian.org/tracker/CVE-2014-9319 
> 
> Each of these has fixes upstream in ffmpeg but it'll need someone with
> more familiarity with the mpeg source code than me to investigate
> whether the fixes in ffmpeg can become fixes in libav.

Thanks for taking the time for investigating the issue. We are currently
waiting for 11.2 tarballs to appear. They have been tagged already and
tarball just needs to be released.

Cheers
-- 
Sebastian Ramacher

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#773626; Package src:libav. (Sat, 17 Jan 2015 19:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 17 Jan 2015 19:57:05 GMT) (full text, mbox, link).


Message #28 received at 773626@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: Michael Gilbert <mgilbert@debian.org>, 773626@bugs.debian.org
Subject: Re: Bug#773626: libav: multiple security issues
Date: Sat, 17 Jan 2015 20:56:02 +0100
Control: clone -1 -2
Control: retitle -2 libav: CVE-2014-{8544,8546,9316,9318,9319}
Control: tags -1 + fixed-upstream pending

On 2014-12-20 23:31:11, Michael Gilbert wrote:
> CVE-2014-8544[4]:
> | libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate
> | bits-per-pixel fields, which allows remote attackers to cause a denial
> | of service (out-of-bounds access) or possibly have unspecified other
> | impact via crafted TIFF data.

> CVE-2014-8546[6]:
> | Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2
> | allows remote attackers to cause a denial of service (out-of-bounds
> | access) or possibly have unspecified other impact via crafted Cinepak
> | video data.

> CVE-2014-9316[10]:
> | The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg
> | before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows
> | remote attackers to cause a denial of service (out-of-bounds heap
> | access) and possibly have other unspecified impact via vectors related
> | to LJIF tags in an MJPEG file.

> CVE-2014-9318[11]:
> | The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6,
> | 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to
> | cause a denial of service (out-of-bounds heap access) and possibly
> | have other unspecified impact via a crafted .cine file that triggers
> | the avpicture_get_size function to return a negative frame size.

> CVE-2014-9319[12]:
> | The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg
> | before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows
> | remote attackers to cause a denial of service (out-of-bounds access)
> | via a crafted .bit file.

> [4] https://security-tracker.debian.org/tracker/CVE-2014-8544
> [6] https://security-tracker.debian.org/tracker/CVE-2014-8546
> [10] https://security-tracker.debian.org/tracker/CVE-2014-9316
> [11] https://security-tracker.debian.org/tracker/CVE-2014-9318
> [12] https://security-tracker.debian.org/tracker/CVE-2014-9319

I'm cloning this bug report to keep track of the unfixed CVEs.

Cheers
-- 
Sebastian Ramacher

Bug 773626 cloned as bug 775593 Request was from Sebastian Ramacher <sramacher@debian.org> to 773626-submit@bugs.debian.org. (Sat, 17 Jan 2015 19:57:05 GMT) (full text, mbox, link).


Changed Bug title to 'libav: CVE-2014-{8544,8546,9316,9318,9319}' from 'libav: multiple security issues' Request was from Sebastian Ramacher <sramacher@debian.org> to 773626-submit@bugs.debian.org. (Sat, 17 Jan 2015 19:57:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#775593; Package src:libav. (Sun, 18 Jan 2015 19:42:16 GMT) (full text, mbox, link).


Acknowledgement sent to Reinhard Tartler <siretart@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 18 Jan 2015 19:42:16 GMT) (full text, mbox, link).


Message #37 received at 775593@bugs.debian.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@gmail.com>
To: Sebastian Ramacher <sramacher@debian.org>, 775593@bugs.debian.org
Cc: Michael Gilbert <mgilbert@debian.org>
Subject: Re: Bug#773626: libav: multiple security issues
Date: Sun, 18 Jan 2015 14:41:34 -0500
Control: severity -1 important

On Sat, Jan 17, 2015 at 2:56 PM, Sebastian Ramacher
<sramacher@debian.org> wrote:
> On 2014-12-20 23:31:11, Michael Gilbert wrote:
>> CVE-2014-8544[4]:
>> | libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate
>> | bits-per-pixel fields, which allows remote attackers to cause a denial
>> | of service (out-of-bounds access) or possibly have unspecified other
>> | impact via crafted TIFF data.
>
>> CVE-2014-8546[6]:
>> | Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2
>> | allows remote attackers to cause a denial of service (out-of-bounds
>> | access) or possibly have unspecified other impact via crafted Cinepak
>> | video data.
>
>> CVE-2014-9316[10]:
>> | The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg
>> | before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows
>> | remote attackers to cause a denial of service (out-of-bounds heap
>> | access) and possibly have other unspecified impact via vectors related
>> | to LJIF tags in an MJPEG file.
>
>> CVE-2014-9318[11]:
>> | The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6,
>> | 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to
>> | cause a denial of service (out-of-bounds heap access) and possibly
>> | have other unspecified impact via a crafted .cine file that triggers
>> | the avpicture_get_size function to return a negative frame size.
>
>> CVE-2014-9319[12]:
>> | The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg
>> | before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows
>> | remote attackers to cause a denial of service (out-of-bounds access)
>> | via a crafted .bit file.
>
>> [4] https://security-tracker.debian.org/tracker/CVE-2014-8544
>> [6] https://security-tracker.debian.org/tracker/CVE-2014-8546
>> [10] https://security-tracker.debian.org/tracker/CVE-2014-9316
>> [11] https://security-tracker.debian.org/tracker/CVE-2014-9318
>> [12] https://security-tracker.debian.org/tracker/CVE-2014-9319
>
> I'm cloning this bug report to keep track of the unfixed CVEs.

It seems to me that none of the above five entries have neither
publicly accessible samples nor any public discussion on neither
oss-sec nor fulldisc. It remains unclear whether or not they affect
libav at all.

While I agree that these issues should be investigated in more detail,
the lack of instructions how to confirm and reproduce the issue makes
working on this bug unreasonably hard. I'm therefore downgrading the
severity of this issue to the non-RC severity "important"; this bug
does not seem release critical to me at all.

-- 
regards,
    Reinhard



Severity set to 'important' from 'serious' Request was from Reinhard Tartler <siretart@gmail.com> to 775593-submit@bugs.debian.org. (Sun, 18 Jan 2015 19:42:17 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#775593; Package src:libav. (Mon, 19 Jan 2015 13:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to balint@balintreczey.hu:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Mon, 19 Jan 2015 13:45:04 GMT) (full text, mbox, link).


Message #44 received at 775593@bugs.debian.org (full text, mbox, reply):

From: Bálint Réczey <balint@balintreczey.hu>
To: Reinhard Tartler <siretart@gmail.com>, 775593@bugs.debian.org
Cc: Sebastian Ramacher <sramacher@debian.org>, Michael Gilbert <mgilbert@debian.org>
Subject: Re: Bug#775593: Bug#773626: libav: multiple security issues
Date: Mon, 19 Jan 2015 14:42:48 +0100
2015-01-18 20:41 GMT+01:00 Reinhard Tartler <siretart@gmail.com>:
> Control: severity -1 important
>
> On Sat, Jan 17, 2015 at 2:56 PM, Sebastian Ramacher
> <sramacher@debian.org> wrote:
>> On 2014-12-20 23:31:11, Michael Gilbert wrote:
>>> CVE-2014-8544[4]:
>>> | libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate
>>> | bits-per-pixel fields, which allows remote attackers to cause a denial
>>> | of service (out-of-bounds access) or possibly have unspecified other
>>> | impact via crafted TIFF data.
>>
>>> CVE-2014-8546[6]:
>>> | Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2
>>> | allows remote attackers to cause a denial of service (out-of-bounds
>>> | access) or possibly have unspecified other impact via crafted Cinepak
>>> | video data.
>>
>>> CVE-2014-9316[10]:
>>> | The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg
>>> | before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows
>>> | remote attackers to cause a denial of service (out-of-bounds heap
>>> | access) and possibly have other unspecified impact via vectors related
>>> | to LJIF tags in an MJPEG file.
>>
>>> CVE-2014-9318[11]:
>>> | The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6,
>>> | 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to
>>> | cause a denial of service (out-of-bounds heap access) and possibly
>>> | have other unspecified impact via a crafted .cine file that triggers
>>> | the avpicture_get_size function to return a negative frame size.
>>
>>> CVE-2014-9319[12]:
>>> | The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg
>>> | before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows
>>> | remote attackers to cause a denial of service (out-of-bounds access)
>>> | via a crafted .bit file.
>>
>>> [4] https://security-tracker.debian.org/tracker/CVE-2014-8544
>>> [6] https://security-tracker.debian.org/tracker/CVE-2014-8546
>>> [10] https://security-tracker.debian.org/tracker/CVE-2014-9316
>>> [11] https://security-tracker.debian.org/tracker/CVE-2014-9318
>>> [12] https://security-tracker.debian.org/tracker/CVE-2014-9319
>>
>> I'm cloning this bug report to keep track of the unfixed CVEs.
>
> It seems to me that none of the above five entries have neither
> publicly accessible samples nor any public discussion on neither
> oss-sec nor fulldisc. It remains unclear whether or not they affect
> libav at all.
>
> While I agree that these issues should be investigated in more detail,
> the lack of instructions how to confirm and reproduce the issue makes
> working on this bug unreasonably hard. I'm therefore downgrading the
> severity of this issue to the non-RC severity "important"; this bug
> does not seem release critical to me at all.
Probably asking FFmpeg upstream would help, maybe Libav upstream also
have been notified about the details.

Cheers,
Balint



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#775593; Package src:libav. (Mon, 19 Jan 2015 16:15:05 GMT) (full text, mbox, link).


Acknowledgement sent to Reinhard Tartler <siretart@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Mon, 19 Jan 2015 16:15:05 GMT) (full text, mbox, link).


Message #49 received at 775593@bugs.debian.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@gmail.com>
To: Bálint Réczey <balint@balintreczey.hu>
Cc: 775593@bugs.debian.org, Sebastian Ramacher <sramacher@debian.org>, Michael Gilbert <mgilbert@debian.org>
Subject: Re: Bug#775593: Bug#773626: libav: multiple security issues
Date: Mon, 19 Jan 2015 11:13:14 -0500
Control: forwarded -1 https://bugzilla.libav.org/show_bug.cgi?id=805

On Mon, Jan 19, 2015 at 8:42 AM, Bálint Réczey <balint@balintreczey.hu> wrote:
> Probably asking FFmpeg upstream would help, maybe Libav upstream also
> have been notified about the details.

Great idea.

I've forwarded this bug to libav upstream. Please go ahead and ask
FFmpeg for more information where to obtain those samples.

Thanks,
Reinhard

-- 
regards,
    Reinhard



Set Bug forwarded-to-address to 'https://bugzilla.libav.org/show_bug.cgi?id=805'. Request was from Reinhard Tartler <siretart@gmail.com> to 775593-submit@bugs.debian.org. (Mon, 19 Jan 2015 16:15:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#775593; Package src:libav. (Mon, 19 Jan 2015 16:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to balint@balintreczey.hu:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Mon, 19 Jan 2015 16:33:05 GMT) (full text, mbox, link).


Message #56 received at 775593@bugs.debian.org (full text, mbox, reply):

From: Bálint Réczey <balint@balintreczey.hu>
To: Reinhard Tartler <siretart@gmail.com>
Cc: 775593@bugs.debian.org, Sebastian Ramacher <sramacher@debian.org>, Michael Gilbert <mgilbert@debian.org>
Subject: Re: Bug#775593: Bug#773626: libav: multiple security issues
Date: Mon, 19 Jan 2015 17:28:57 +0100
Hi Reinhard,

2015-01-19 17:13 GMT+01:00 Reinhard Tartler <siretart@gmail.com>:
> Control: forwarded -1 https://bugzilla.libav.org/show_bug.cgi?id=805
>
> On Mon, Jan 19, 2015 at 8:42 AM, Bálint Réczey <balint@balintreczey.hu> wrote:
>> Probably asking FFmpeg upstream would help, maybe Libav upstream also
>> have been notified about the details.
>
> Great idea.
>
> I've forwarded this bug to libav upstream. Please go ahead and ask
> FFmpeg for more information where to obtain those samples.
I think proxying between the two upstreams is very inefficient thus I
let Libav devs contact FFmpeg devs directly instead.
Thank you for opening the bug upstream I think they can handle the
issues from there.
For the record I sponsored the ffmpeg 7:2.5.3-1 upload yesterday thus
those packages are already fixed.

Cheers,
Balint



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#775593; Package src:libav. (Tue, 20 Jan 2015 16:15:15 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 20 Jan 2015 16:15:15 GMT) (full text, mbox, link).


Message #61 received at 775593@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Neil Williams <codehelp@debian.org>
Cc: 775593@bugs.debian.org
Subject: Re: Available fixes for some of the issues
Date: Tue, 20 Jan 2015 17:07:05 +0100
> Five CVEs therefore remain without upstream patches in libav:
> 
> https://security-tracker.debian.org/tracker/CVE-2014-8544
> https://security-tracker.debian.org/tracker/CVE-2014-8546
> https://security-tracker.debian.org/tracker/CVE-2014-9316
> https://security-tracker.debian.org/tracker/CVE-2014-9318
> https://security-tracker.debian.org/tracker/CVE-2014-9319 

Hi,
in addition these three issues are still open:
https://security-tracker.debian.org/tracker/CVE-2014-9603
https://security-tracker.debian.org/tracker/CVE-2014-9604

use after free in seg_write_packet() (no CVE yet):
http://www.openwall.com/lists/oss-security/2015/01/04/10
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=169065fbfb3da1ab776379c333aebc54bb1f1bc4

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#775593; Package src:libav. (Sat, 14 Mar 2015 20:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 14 Mar 2015 20:21:04 GMT) (full text, mbox, link).


Message #66 received at 775593@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: 775593@bugs.debian.org
Subject: Re: Bug#773626: libav: multiple security issues
Date: Sat, 14 Mar 2015 21:18:52 +0100
Version: 11.3-1

On 2015-01-17 20:56:02, Sebastian Ramacher wrote:
> Control: clone -1 -2
> Control: retitle -2 libav: CVE-2014-{8544,8546,9316,9318,9319}
> Control: tags -1 + fixed-upstream pending
> 
> On 2014-12-20 23:31:11, Michael Gilbert wrote:
> > CVE-2014-8544[4]:
> > | libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate
> > | bits-per-pixel fields, which allows remote attackers to cause a denial
> > | of service (out-of-bounds access) or possibly have unspecified other
> > | impact via crafted TIFF data.
> 
> > CVE-2014-8546[6]:
> > | Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2
> > | allows remote attackers to cause a denial of service (out-of-bounds
> > | access) or possibly have unspecified other impact via crafted Cinepak
> > | video data.
> 
> > CVE-2014-9316[10]:
> > | The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg
> > | before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows
> > | remote attackers to cause a denial of service (out-of-bounds heap
> > | access) and possibly have other unspecified impact via vectors related
> > | to LJIF tags in an MJPEG file.
> 
> > CVE-2014-9318[11]:
> > | The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6,
> > | 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to
> > | cause a denial of service (out-of-bounds heap access) and possibly
> > | have other unspecified impact via a crafted .cine file that triggers
> > | the avpicture_get_size function to return a negative frame size.
> 
> > CVE-2014-9319[12]:
> > | The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg
> > | before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows
> > | remote attackers to cause a denial of service (out-of-bounds access)
> > | via a crafted .bit file.
> 
> > [4] https://security-tracker.debian.org/tracker/CVE-2014-8544
> > [6] https://security-tracker.debian.org/tracker/CVE-2014-8546
> > [10] https://security-tracker.debian.org/tracker/CVE-2014-9316
> > [11] https://security-tracker.debian.org/tracker/CVE-2014-9318
> > [12] https://security-tracker.debian.org/tracker/CVE-2014-9319
> 
> I'm cloning this bug report to keep track of the unfixed CVEs.

CVE-2014-8544 has been fixed in 11.3-1, the others are marked as not affecting
libav.

Cheers
-- 
Sebastian Ramacher

Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Sat, 14 Mar 2015 20:21:09 GMT) (full text, mbox, link).


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Sat, 14 Mar 2015 20:21:09 GMT) (full text, mbox, link).


Marked as fixed in versions libav/6:11.3-1. Request was from Sebastian Ramacher <sramacher@debian.org> to control@bugs.debian.org. (Sat, 14 Mar 2015 22:27:04 GMT) (full text, mbox, link).


No longer marked as fixed in versions 11.3-1. Request was from Sebastian Ramacher <sramacher@debian.org> to control@bugs.debian.org. (Sat, 14 Mar 2015 22:27:05 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 16 Apr 2015 07:28:40 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:35:56 2019; Machine Name: buxtehude
