Michael S Gilbert <[email protected]> writes: > ffmpeg has been found to be vulnerable to many crashers [0],[1]. this > may enable remote compromise of a system. > > please coordinate with upstream and the security team to push out > updates for these issues. > > mike > > [0] https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240 > [1] https://roundup.ffmpeg.org/roundup/ffmpeg/issue1245
Issue 1240 is as such not usable, as the submitter refused to split out his findings by single issues. Instead, he insisted on providing a huge tarball with 73(!) test files that demonstrate crashes. Many of these file seem to trigger very similar (if not identical) bugs. Issue 1245 is one of the issues that has been split out. I've imported [2] that patch already to our packaging branch, and will be part of the next upload. [2] http://git.debian.org/?p=pkg-multimedia/ffmpeg-debian.git;a=blob;f=debian/patches/issue1245.patch;h=23e180a0972146f650c0254d8677f8a1a4a371eb;hb=c1bc30d1370dab75f103bc6dce0bbe95f482099e The upstream thread can be read at [3]. After reading the thread it seems that many of these issues are not exactly security relevant but merely crashers without potential for remote code execution. Still, the relevant revision should probably backported to 0.5. [3] http://thread.gmane.org/gmane.comp.video.ffmpeg.devel/97154 Please note that there is an upstream 0.5 branch (and we are tracking that branch), but there is not really much activity there. However AFAIUI, security relevant patches are within submission policy of that branch. So any security patches we can do within Debian can be proposed for that branch. As for this bug, I'm inclined to close this bug with the upload of [2]. The reason is that this report is way to inprecise. This report currently reads "the package has been found crashers that might compromise the system". Sorry, this is just not helpful. We'd really need at least a list of concrete issues, ideally with reference to the relevant svn commits (so that commit messages can be reviewed) that can be processed and backported. -- Gruesse/greetings, Reinhard Tartler, KeyID 945348A4 -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

