On 2015-05-16 15:28:44, Arne Wichmann wrote: > begin quotation from Sebastian Ramacher (in > <20150516130757.ga21...@ramacher.at>): > > On 2015-05-15 15:22:28, Alessandro Ghedini wrote: > > > On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote: > > > > Version: 6:11.3-1 > > > > > > > > On 2015-05-14 20:41:15, Arne Wichmann wrote: > > > > > Package: libavcodec56 > > > > > Version: 6:11.3-2 > > > > > Severity: grave > > > > > Tags: security > > > > > Justification: user security hole > > > > > > > > > > Hi, as far as I can see this has not yet been reported or fixed: > > > > > > > > > > CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c > > > > > in > > > > > FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, > > > > > allow > > > > > remote attackers to cause a denial of service (use-after-free) or > > > > > possibly > > > > > have unspecified other impact via crafted Vorbis I data [1] > > > > > > > > > > I marked this as grave as the impact is unclear and might include > > > > > arbitrary > > > > > code execution. Feel free do downgrade if this can be ruled out. > > > > > > > > > > (Actually I would like to have a look at the test case to check a bit > > > > > more > > > > > thoroughly, but AFAICS I would need to talk to google for this.) > > > > > > > > > > [1] https://security-tracker.debian.org/tracker/CVE-2014-7937 > > > > > > > > > > https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html > > > > > > > > A similar commit to the one maintained in this mailing list post was > > > > applied to > > > > 11.3. So closing with that version. > > > > > > Do you mean the patch at [0]? Honestly it doesn't look like the ffmpeg > > > patch at > > > all, and the commit message doesn't even mention the bug fix. How can you > > > be so > > > sure that the bug is fixed? > > > > I might have read the commit wrong. Do you have a sample for this CVE? > > There is one referenced in various messages relating to CVE-2014-7937: > asan_heap-uaf_18dac2b_9_asan_heap-uaf_22eb375_208_beta3_test_small.ogg > unfortunately it is not publicly available AFAICS. You might ask upstream > about it.
I did. libav developers do not seem to have it. So please provide a sample. Cheers -- Sebastian Ramacher
signature.asc
Description: Digital signature
_______________________________________________ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
