On 2015-01-17 12:27:20, Neil Williams wrote:
> Just to update the bug for others scanning the RC bug list...
> 
> https://security-tracker.debian.org/tracker/CVE-2014-8545
> - libav <not-affected> (Vulnerable code not present)
> CVE-2014-8545[5]:
> | libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the
> | monochrome-black format without verifying that the bits-per-pixel
> | value is 1, which allows remote attackers to cause a denial of service
> | (out-of-bounds access) or possibly have unspecified other impact via
> | crafted PNG data.
> 
> So this one can be discounted from the list.
> 
> Other patches exist as upstream commits linked from the security
> tracker:
> 
> CVE-2014-8541, CVE-2014-8542, CVE-2014-8543, CVE-2014-8547,
> CVE-2014-8548, CVE-2014-8549
> 
> https://git.libav.org/?p=libav.git;a=patch;h=809c3023b699c54c90511913d3b6140dd2436550
> https://git.libav.org/?p=libav.git;a=patch;h=88626e5af8d006e67189bf10b96b982502a7e8ad
> https://git.libav.org/?p=libav.git;a=patch;h=17ba719d9ba30c970f65747f42d5fbb1e447ca28
> https://git.libav.org/?p=libav.git;a=patch;h=0b39ac6f54505a538c21fe49a626de94c518c903
> https://git.libav.org/?p=libav.git;a=patch;h=d423dd72be451462c6fb1cbbe313bed0194001ab
> https://git.libav.org/?p=libav.git;a=patch;h=cee4490b521fd0d02476d46aa2598af24fb8d686
> 
> Five CVEs therefore remain without upstream patches in libav:
> 
> https://security-tracker.debian.org/tracker/CVE-2014-8544
> https://security-tracker.debian.org/tracker/CVE-2014-8546
> https://security-tracker.debian.org/tracker/CVE-2014-9316
> https://security-tracker.debian.org/tracker/CVE-2014-9318
> https://security-tracker.debian.org/tracker/CVE-2014-9319
> 
> Each of these has fixes upstream in ffmpeg but it'll need someone with
> more familiarity with the mpeg source code than me to investigate
> whether the fixes in ffmpeg can become fixes in libav.

Thanks for taking the time to investigate the issue. We are currently
waiting for the 11.2 tarballs to appear. They have been tagged already and
the tarball just needs to be released.

Cheers
-- 
Sebastian Ramacher


_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
