Your message dated Sat, 10 Jan 2009 15:17:11 +0000
with message-id <[email protected]>
and subject line Bug#504977: fixed in ffmpeg-debian 0.svn20080206-15
has caused the Debian Bug report #504977,
regarding ffmpeg-debian: Several security issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
504977: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504977
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ffmpeg-debian
Version: 0.svn20080206-14
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for ffmpeg.
CVE-2008-4869[0]:
| FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers
| to cause a denial of service (memory consumption) via unknown vectors,
| aka a "Tcp/udp memory leak."
CVE-2008-4868[1]:
| Unspecified vulnerability in the avcodec_close function in
| libavcodec/utils.c in FFmpeg 0.4.9 before r14787, as used by MPlayer,
| has unknown impact and attack vectors, related to a free "on random
| pointers."
CVE-2008-4867[2]:
| Buffer overflow in libavcodec/dca.c in FFmpeg 0.4.9 before r14917, as
| used by MPlayer, allows context-dependent attackers to have an unknown
| impact via vectors related to an incorrect DCA_MAX_FRAME_SIZE value.
CVE-2008-4866[3]:
| Multiple buffer overflows in libavformat/utils.c in FFmpeg 0.4.9
| before r14715, as used by MPlayer, allow context-dependent attackers
| to have an unknown impact via vectors related to execution of DTS
| generation code with a delay greater than MAX_REORDER_DELAY.
The last three issues are fixed in experimental. I lack information about
the first one, so I am not sure. Do you have any further information?
Also etch shouldn't be affected by the last three issues. We should
address them in lenny though. The upstream patches are here[4][5][6][7].
It would be great, if you could upload to unstable with high urgency
and ask the release team for an unblock.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4869
http://security-tracker.debian.net/tracker/CVE-2008-4869
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4868
http://security-tracker.debian.net/tracker/CVE-2008-4868
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4867
http://security-tracker.debian.net/tracker/CVE-2008-4867
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4866
http://security-tracker.debian.net/tracker/CVE-2008-4866
[4] http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016011.html
[5] http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016012.html
[6] http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016352.html
[7] http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016136.html
--- End Message ---
--- Begin Message ---
Source: ffmpeg-debian
Source-Version: 0.svn20080206-15
We believe that the bug you reported is fixed in the latest version of
ffmpeg-debian, which is due to be installed in the Debian FTP archive:
ffmpeg-dbg_0.svn20080206-15_i386.deb
to pool/main/f/ffmpeg-debian/ffmpeg-dbg_0.svn20080206-15_i386.deb
ffmpeg-debian_0.svn20080206-15.diff.gz
to pool/main/f/ffmpeg-debian/ffmpeg-debian_0.svn20080206-15.diff.gz
ffmpeg-debian_0.svn20080206-15.dsc
to pool/main/f/ffmpeg-debian/ffmpeg-debian_0.svn20080206-15.dsc
ffmpeg-doc_0.svn20080206-15_all.deb
to pool/main/f/ffmpeg-debian/ffmpeg-doc_0.svn20080206-15_all.deb
ffmpeg_0.svn20080206-15_i386.deb
to pool/main/f/ffmpeg-debian/ffmpeg_0.svn20080206-15_i386.deb
libavcodec-dev_0.svn20080206-15_i386.deb
to pool/main/f/ffmpeg-debian/libavcodec-dev_0.svn20080206-15_i386.deb
libavcodec51_0.svn20080206-15_i386.deb
to pool/main/f/ffmpeg-debian/libavcodec51_0.svn20080206-15_i386.deb
libavdevice-dev_0.svn20080206-15_i386.deb
to pool/main/f/ffmpeg-debian/libavdevice-dev_0.svn20080206-15_i386.deb
libavdevice52_0.svn20080206-15_i386.deb
to pool/main/f/ffmpeg-debian/libavdevice52_0.svn20080206-15_i386.deb
libavformat-dev_0.svn20080206-15_i386.deb
to pool/main/f/ffmpeg-debian/libavformat-dev_0.svn20080206-15_i386.deb
libavformat52_0.svn20080206-15_i386.deb
to pool/main/f/ffmpeg-debian/libavformat52_0.svn20080206-15_i386.deb
libavutil-dev_0.svn20080206-15_i386.deb
to pool/main/f/ffmpeg-debian/libavutil-dev_0.svn20080206-15_i386.deb
libavutil49_0.svn20080206-15_i386.deb
to pool/main/f/ffmpeg-debian/libavutil49_0.svn20080206-15_i386.deb
libpostproc-dev_0.svn20080206-15_i386.deb
to pool/main/f/ffmpeg-debian/libpostproc-dev_0.svn20080206-15_i386.deb
libpostproc51_0.svn20080206-15_i386.deb
to pool/main/f/ffmpeg-debian/libpostproc51_0.svn20080206-15_i386.deb
libswscale-dev_0.svn20080206-15_i386.deb
to pool/main/f/ffmpeg-debian/libswscale-dev_0.svn20080206-15_i386.deb
libswscale0_0.svn20080206-15_i386.deb
to pool/main/f/ffmpeg-debian/libswscale0_0.svn20080206-15_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated ffmpeg-debian
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 10 Nov 2008 17:13:25 +0100
Source: ffmpeg-debian
Binary: ffmpeg ffmpeg-dbg ffmpeg-doc libavutil49 libavcodec51 libavdevice52
libpostproc51 libavformat52 libswscale0 libavutil-dev libavcodec-dev
libavdevice-dev libpostproc-dev libavformat-dev libswscale-dev
Architecture: source i386 all
Version: 0.svn20080206-15
Distribution: unstable
Urgency: low
Maintainer: Debian multimedia packages maintainers
<[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Description:
ffmpeg - multimedia player, server and encoder
ffmpeg-dbg - Debug symbols for ffmpeg related packages
ffmpeg-doc - documentation of the ffmpeg API
libavcodec-dev - development files for libavcodec
libavcodec51 - ffmpeg codec library
libavdevice-dev - development files for libavdevice
libavdevice52 - ffmpeg device handling library
libavformat-dev - development files for libavformat
libavformat52 - ffmpeg file format library
libavutil-dev - development files for libavutil
libavutil49 - ffmpeg utility library
libpostproc-dev - development files for libpostproc
libpostproc51 - ffmpeg video postprocessing library
libswscale-dev - development files for libswscale
libswscale0 - ffmpeg video scaling library
Closes: 496612 504977
Changes:
ffmpeg-debian (0.svn20080206-15) unstable; urgency=low
.
* Security fix: Multiple buffer overflows in libavformat/utils.c.
CVE-2008-4866, Closes: #504977.
.
* Fetch fixes for the DCA Decoder from upstream. Closes: #496612. These
changes fix a crash on a crafted dca file, which are believed to be
exploitable in some way. Alongside with that, some correction fixed
from upstream have been included.
.
Thanks to Alexander E. Patrakov for reporting these, and to
Ben Hutchings for reminding me to actually apply them.
Checksums-Sha1:
07c03ce6c410ff654fab34a36e2b1d6c5a92aad1 2210
ffmpeg-debian_0.svn20080206-15.dsc
be107cb2a93eee2c2e03373ab4794c6edde2f4c2 35600
ffmpeg-debian_0.svn20080206-15.diff.gz
92fdb22614b2ec34b53f43f8a70be43c945b8b7f 235450
ffmpeg_0.svn20080206-15_i386.deb
e5b1f73c5732465b1e8144339ef7b937ba0e0a98 7998196
ffmpeg-dbg_0.svn20080206-15_i386.deb
f6f858ef5c0421808ad6add981e9dd3eaa4fb486 12115200
ffmpeg-doc_0.svn20080206-15_all.deb
a27d8c6dc02efdbadafdd09f99f81edc1b476051 76168
libavutil49_0.svn20080206-15_i386.deb
70d737bc38428f5090e3debcffb4c6e87fec1dcc 3498050
libavcodec51_0.svn20080206-15_i386.deb
db272bb21d5f6efc5d7eb05111a335487a68a043 61072
libavdevice52_0.svn20080206-15_i386.deb
03f6b285bc40c86df3704ea1ad4a5a8f9483ad0c 69472
libpostproc51_0.svn20080206-15_i386.deb
ca5d460f79c31a587eb7a4b6b9eb4e6919769616 623728
libavformat52_0.svn20080206-15_i386.deb
7ffe35e1678bc195be0d70705ef03b0aa2fd767f 156254
libswscale0_0.svn20080206-15_i386.deb
789ec631e0851c68e7e15908158bd5ca69f55bdf 67038
libavutil-dev_0.svn20080206-15_i386.deb
c88116e9d284c4134c4168c884b18c3cfcd16838 1957478
libavcodec-dev_0.svn20080206-15_i386.deb
76a2331d73b4945cd2980bc959a9d13a5dca3a06 47334
libavdevice-dev_0.svn20080206-15_i386.deb
f1e902610e3c72d3238b12c320c35230fae2ac30 51370
libpostproc-dev_0.svn20080206-15_i386.deb
fc4f3e3766959657d6dd1c21811ec97613869c1e 388338
libavformat-dev_0.svn20080206-15_i386.deb
2debe2e971877792de981cf6f725f4bdc2a4825c 99202
libswscale-dev_0.svn20080206-15_i386.deb
Checksums-Sha256:
2824c6d85fa1ebc3345e1b11bd5682274be41269897961b77f4868c2abb7f1ce 2210
ffmpeg-debian_0.svn20080206-15.dsc
295b23415a8eecb6429cf3e4fe0de36dccdf451eb443af4c9c9b16dda522ef81 35600
ffmpeg-debian_0.svn20080206-15.diff.gz
6c646a43ac3893abb857f51b647f30205c31b19e9469b2d15974e74bd96cf0ae 235450
ffmpeg_0.svn20080206-15_i386.deb
65b97b210dc30cee6f32f827bb09cf3bee5b150f3bc80371f9ecb16916c10bd2 7998196
ffmpeg-dbg_0.svn20080206-15_i386.deb
bf35f2ea0f98253ba01c913a48cc39507d35b51bd8d75a5cf7b9e2655f97f5ec 12115200
ffmpeg-doc_0.svn20080206-15_all.deb
4bb0c01aaefcc106ad52d727c6ec6fc84ad1803496491de5c04904e45de4935b 76168
libavutil49_0.svn20080206-15_i386.deb
0e9d61b82325d9b0b6c108b21fe10401a82f4f1d85518bf068839517de0cf0ee 3498050
libavcodec51_0.svn20080206-15_i386.deb
139be0f8bed774dd5efaacdd9625a618ded56de689bfb7374d8773b36f510dd7 61072
libavdevice52_0.svn20080206-15_i386.deb
05d54d523440bde8e10a91ed1e9d6e7e1f0f78c5aab527ce4ebf8299712f47d4 69472
libpostproc51_0.svn20080206-15_i386.deb
632ec5ac294c4d1ce69310da3bb0a962a5d6682a6f1e40d43a347b1c7c24e52f 623728
libavformat52_0.svn20080206-15_i386.deb
4ab7e356e94d1ca9040286f4239905d09738817373365b24d7682f7247be68ed 156254
libswscale0_0.svn20080206-15_i386.deb
d857a3bb5cc686fa6d1673a9fa416abd44a6c8bd55d11d5f1f435bb7a01aab42 67038
libavutil-dev_0.svn20080206-15_i386.deb
067ee5c02941af176182606767e58f2f96762f4d506552c571f9ed645867db30 1957478
libavcodec-dev_0.svn20080206-15_i386.deb
6f698855eae1e0dc49d86c1b4c183b32c4e3f41e35ac7f52642caa88a5ab4291 47334
libavdevice-dev_0.svn20080206-15_i386.deb
88a17b2afdd41b506421e151a8e742e6d6906b2cbac198d84468ebacbb0bf250 51370
libpostproc-dev_0.svn20080206-15_i386.deb
404f3803266c7ddea43db6feb9a3f89bd9b4dfda0bd467c811757eb9abc3a27a 388338
libavformat-dev_0.svn20080206-15_i386.deb
0aa609f0935059ef3cb287cf12f67e9dcd82579ee5f84359589ac6cd811eb268 99202
libswscale-dev_0.svn20080206-15_i386.deb
Files:
da011583d94ef58431f37c20daa8a853 2210 libs optional
ffmpeg-debian_0.svn20080206-15.dsc
8926a6c97edc68d79404c703b2268be2 35600 libs optional
ffmpeg-debian_0.svn20080206-15.diff.gz
84620fe8df89d6579d51c54e62eaff0d 235450 graphics optional
ffmpeg_0.svn20080206-15_i386.deb
437b9729e7791cbbe71e7e7a63d3ea8d 7998196 libs extra
ffmpeg-dbg_0.svn20080206-15_i386.deb
3de598db905cddbcbb3be66858820a17 12115200 doc optional
ffmpeg-doc_0.svn20080206-15_all.deb
4656e8254936c40512f21dec3a2748c5 76168 libs optional
libavutil49_0.svn20080206-15_i386.deb
916d707db6b5da3116b4025907e136c9 3498050 libs optional
libavcodec51_0.svn20080206-15_i386.deb
d1942fb9f6952db102880aeecaacc1e4 61072 libs optional
libavdevice52_0.svn20080206-15_i386.deb
06f6a1e91d423f681f184c88f40c9b40 69472 libs optional
libpostproc51_0.svn20080206-15_i386.deb
aa82415ca273a566542bdc466d164726 623728 libs optional
libavformat52_0.svn20080206-15_i386.deb
c50bd9955b339252d605aca5f539e547 156254 libs optional
libswscale0_0.svn20080206-15_i386.deb
7cbd6e9850b9854753c62c3b790af03c 67038 libdevel optional
libavutil-dev_0.svn20080206-15_i386.deb
99d881f130d18a20afe270dfe835f928 1957478 libdevel optional
libavcodec-dev_0.svn20080206-15_i386.deb
fa13ec67bdb23bc73861113d023c1d62 47334 libdevel optional
libavdevice-dev_0.svn20080206-15_i386.deb
6d69ec787321606c1b545189f4330203 51370 libdevel optional
libpostproc-dev_0.svn20080206-15_i386.deb
f4be23e40ad5bcee973bcc89c575a5e2 388338 libdevel optional
libavformat-dev_0.svn20080206-15_i386.deb
bbef4c76cad7f4c40cf488bd1cf5c0ab 99202 libdevel optional
libswscale-dev_0.svn20080206-15_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Debian Powered!
iJwEAQECAAYFAkloqEMACgkQ78RAoABp8o/2VQP7Bqjac+8lvGTVfWgFLGMPdjd9
ctwWE2xXOsJWehe763DkeCjVq9klvqOu/rpQb1u5M+jYOOOOmRKyJdoPO0JogByf
msPjS/k1Qz1HGKBfZnJqR7sx69BLBlnQFQXqBS/5y8GUZO84oHBfDhT38czm4IQp
4r6nDRweE18o9fjSD20=
=/nFd
-----END PGP SIGNATURE-----
--- End Message ---