On Wed., 2011-11-02 at 21:57 +0100, Reinhard Tartler wrote:
> On Wed, Nov 02, 2011 at 15:33:20 (CET), Yves-Alexis Perez wrote:
>
> > I'm considering the various open issues in ffmpeg in Squeeze
> > (CVE-2011-{3362,3504,3973,3974}).
>
> I'm currently investigating these issues. Let's first discuss the CAVS
> related ones (3362,3973,3974):
>
> 3974 seems to have been allocated in error, as it even references the
> same commit as 3973. What is the procedure to request it
> removed/invalidated?

I'm not too sure since I don't know who assigned it. Maybe mailing someone at Mitre?

> As for 3362 & 3973, I believe both have been fixed by this commit:
> http://git.libav.org/?p=libav.git;a=commitdiff;h=4a71da0f3ab7f5542decd11c81994f849d5b2c78
>
> This commit has also been merged into FFmpeg. That imported commit is
> also referenced in the CVE description of CVE-2011-3973, so I assume
> that this is the correct fix.

Looks like that, yes.

> For CVE-2011-3362, FFmpeg changed the signedness of two variables in the
> function decode_residual_block(). I'd be curious to see a sample that
> still exploits Libav's cavs decoder without that signedness
> change. Until I'm presented with an exploit that demonstrates this issue, I'm
> going to assume that CVE-2011-3362 is fixed by the same patch that fixed
> CVE-2011-3973.

Shouldn't it be safe to still fix the signedness?

> Now for CVE-2011-3504, which concerns an allocation error in the
> matroska decoder. I strongly believe that this has been fixed by this
> commit:
> http://git.libav.org/?p=libav.git;a=commitdiff;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec
>
> Unlike the CVE report, the commit message refers to MSVR-11-0080, which
> does not seem to exist in bing at all. I currently assume that the CVE
> is right and the commit message (which was imported from FFmpeg without
> further checking) should have referenced MSVR11-011 instead.
>
> In any case, I've just backported both patches to the 0.5 branch:
> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.5

Thanks.

> Feedback and tests welcome.
>
> If nobody disagrees and nothing else pops up until let's say Friday,
> I'm going to roll 0.5.5 tarballs.
>
> Does this work for everyone?

Works for me at least, notwithstanding the 3362 fix.

Regards,
--
Yves-Alexis
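The exchange above leaves open whether the signedness change FFmpeg made in decode_residual_block() matters on its own. The following is an added illustration, not code from libav, FFmpeg or this thread, of why a reviewer would normally want such a change kept even when a separate bounds fix already landed: a signed index guarded only by an upper-bound comparison still accepts negative values, while the same comparison on an unsigned variable rejects them. The table, its size and the function names are constructed for the example and bear no relation to the real CAVS tables.

```c
#include <stdio.h>

/* Constructed 8-entry table standing in for a decoder's coefficient
 * level table; the values are made up and are not libav's. */
#define TABLE_LEN 8
static const int level_table[TABLE_LEN] = { 1, 2, 3, 5, 8, 13, 21, 34 };

/* Sentinel for "index rejected". All table entries are positive,
 * so it cannot be mistaken for a real value. */
#define REJECTED (-1)

/* Guard as typically written before a signedness fix: idx is a signed
 * int and only the upper bound is tested. A negative idx, e.g. the
 * result of "base - offset" on bitstream-controlled fields, satisfies
 * idx < TABLE_LEN and is accepted; the lookup that follows in a real
 * decoder would then read in front of the table. Returns 1 if accepted. */
int guard_accepts_signed(int idx)
{
    return idx < TABLE_LEN;   /* -1 < 8 is true: the defect */
}

/* The same guard after the variable is made unsigned: the single
 * comparison now rejects every formerly negative value, because the
 * conversion turns -1 into UINT_MAX. Returns 1 if accepted. */
int guard_accepts_unsigned(unsigned idx)
{
    return idx < TABLE_LEN;   /* TABLE_LEN is promoted to 8u; UINT_MAX < 8u is false */
}

/* Equivalent fix when the variable has to stay signed: test both ends
 * explicitly, and only then perform the lookup. */
int decode_level_checked(int idx)
{
    if (idx < 0 || idx >= TABLE_LEN)
        return REJECTED;
    return level_table[idx];
}

int main(void)
{
    /* Constructed sample indices: in range, one past the end, negative. */
    int samples[] = { 3, 8, -1 };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int idx = samples[i];
        printf("idx=%3d  signed-guard=%s  unsigned-guard=%s  checked=%d\n",
               idx,
               guard_accepts_signed(idx) ? "accept" : "reject",
               guard_accepts_unsigned((unsigned)idx) ? "accept" : "reject",
               decode_level_checked(idx));
    }
    return 0;
}
```

The point for backport review is that an upper-bound check and a signedness change protect against different inputs: the first stops indices that run past the end of a table, the second (or an explicit `idx < 0` test) stops indices that run in front of it. Whether CVE-2011-3362 actually needed the second is the question the thread leaves open; the cost of carrying it is a one-line type change.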