Your message dated Fri, 15 May 2015 11:05:17 +0200
with message-id <20150515090517.gg25...@ramacher.at>
and subject line Re: Bug#785326: libavcodec56: CVE-2014-7937 - Multiple
off-by-one errors in libavcodec/vorbisdec.c
has caused the Debian Bug report #785326,
regarding libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in
libavcodec/vorbisdec.c
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
785326: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785326
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libavcodec56
Version: 6:11.3-2
Severity: grave
Tags: security
Justification: user security hole
Hi, as far as I can see this has not yet been reported or fixed:
CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in
FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow
remote attackers to cause a denial of service (use-after-free) or possibly
have unspecified other impact via crafted Vorbis I data [1]
I marked this as grave as the impact is unclear and might include arbitrary
code execution. Feel free do downgrade if this can be ruled out.
(Actually I would like to have a look at the test case to check a bit more
thoroughly, but AFAICS I would need to talk to google for this.)
[1] https://security-tracker.debian.org/tracker/CVE-2014-7937
https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html
cu
AW
-- System Information:
Debian Release: stretch/sid
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.7-ckt9 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libavcodec56 depends on:
ii libavresample2 6:11.3-2
ii libavutil54 6:11.3-2
ii libc6 2.19-18
ii libgsm1 1.0.13-4
ii libmp3lame0 3.99.5+repack1-7
ii libopenjpeg5 1:1.5.2-3
ii libopus0 1.1-2
ii libschroedinger-1.0-0 1.0.11-2.1
ii libspeex1 1.2~rc1.2-1
ii libtheora0 1.1.1+dfsg.1-6
ii libva1 1.5.1-2
ii libvorbis0a 1.3.4-2
ii libvorbisenc2 1.3.4-2
ii libvpx1 1.3.0-3
ii libx264-142 2:0.142.2431+gita5831aa-1+b2
ii libx265-43 1.5-1
ii libxvidcore4 2:1.3.3-1
ii multiarch-support 2.19-18
ii zlib1g 1:1.2.8.dfsg-2+b1
libavcodec56 recommends no packages.
libavcodec56 suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 6:11.3-1
On 2015-05-14 20:41:15, Arne Wichmann wrote:
> Package: libavcodec56
> Version: 6:11.3-2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi, as far as I can see this has not yet been reported or fixed:
>
> CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in
> FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow
> remote attackers to cause a denial of service (use-after-free) or possibly
> have unspecified other impact via crafted Vorbis I data [1]
>
> I marked this as grave as the impact is unclear and might include arbitrary
> code execution. Feel free do downgrade if this can be ruled out.
>
> (Actually I would like to have a look at the test case to check a bit more
> thoroughly, but AFAICS I would need to talk to google for this.)
>
> [1] https://security-tracker.debian.org/tracker/CVE-2014-7937
> https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html
A similar commit to the one maintained in this mailing list post was applied to
11.3. So closing with that version.
Cheers
--
Sebastian Ramacher
signature.asc
Description: Digital signature
--- End Message ---
