Hi,

On 18/08/17 03:46, Luciano Bello wrote:
> Package: ffmpeg
> X-Debbugs-CC: t...@security.debian.org secure-testing-
> t...@lists.alioth.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> the following vulnerability was published for libav (which is embedded in
> ffmpeg).
>
> CVE-2017-7206[0]:
> | The ff_h2645_extract_rbsp function in libavcodec in libav 9.21 allows
> | remote attackers to cause a denial of service (heap-based buffer
> | over-read) or obtain sensitive information from process memory via a
> | crafted h264 video file.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-7206
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7206

The testcases from the libav bugreport don't seem to cause ffmpeg 3.3.3 or 3.2.5 to crash. However, the ffmpeg code looks very similar to the code in libav before the fix, so ffmpeg might be affected but require a slightly different testcase?

Thanks,
James
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers