[Secure-testing-commits] r23093 - data/CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Thu Jul 25 21:15:04 UTC 2013


Author: jmm
Date: 2013-07-25 21:15:04 +0000 (Thu, 25 Jul 2013)
New Revision: 23093

Modified:
   data/CVE/list
Log:
libav/ffmpeg triage


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2013-07-25 21:14:24 UTC (rev 23092)
+++ data/CVE/list	2013-07-25 21:15:04 UTC (rev 23093)
@@ -1556,7 +1556,6 @@
 	RESERVED
 	- bitcoin <unfixed> (bug #717828)
 	NOTE: https://github.com/bitcoin/bitcoin/issues/2838
-	TODO: check
 CVE-2013-4164
 	RESERVED
 CVE-2013-4163 [linux: panic while appending data to a corked IPv6 socket in ip6_append_data_mtu]
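Review bot: the `TODO: check` removed from the bitcoin entry is not covered by the log message "libav/ffmpeg triage". Either mention it in the log or commit it separately, so that a later search of the history for this entry finds the change.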
@@ -3277,11 +3276,11 @@
 CVE-2013-3442
 	RESERVED
 CVE-2013-3441 (Cisco Aironet 3600 access points allow remote attackers to cause a ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2013-3440 (Multiple cross-site scripting (XSS) vulnerabilities in the ...)
 	TODO: check
 CVE-2013-3439 (Cross-site scripting (XSS) vulnerability in Cisco Unified Operations ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2013-3438 (The web framework in the server in Cisco Unified MeetingPlace Web ...)
 	NOT-FOR-US: Cisco
 CVE-2013-3437 (SQL injection vulnerability in the management application in Cisco ...)
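Review bot: CVE-2013-3440 keeps `TODO: check` while the entries on either side of it (CVE-2013-3441, CVE-2013-3439) are switched to `NOT-FOR-US: Cisco`. If it was left open on purpose, that is fine; if it is the same vendor, it should be triaged in the same pass. As with the bitcoin change, these Cisco entries fall outside the "libav/ffmpeg triage" log message.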
@@ -10226,26 +10225,25 @@
 	RESERVED
 	- ffmpeg <not-affected> (IFF PBM/ILBM bitmap decoder not present in 0.5 ffmpeg)
 	- libav <unfixed> (bug #717009)
-	NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=2fbb37b51bbea891392ad357baf8f3dff00bac05
+	NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=2fbb37b51bbea891392ad357baf8f3dff00bac05
+	NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=7d65e960c72f36b73ae7fe84f8e427d758e61da9
 CVE-2013-0856 [libavcodec/alac.c]
 	RESERVED
 	- ffmpeg <removed>
 	- libav <unfixed> (bug #717009)
-	NOTE: checked - seems valid
 	NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=fd4f4923cce6a2cbf4f48640b4ac706e614a1594
 CVE-2013-0855 [libavcodec/alac.c out of array accesses]
 	RESERVED
 	- ffmpeg <removed>
 	- libav <unfixed> (bug #717009)
-	NOTE: looks invalid as the problem is checked in alac_set_info - but doublecheck please
 	NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3920d1387834e2bc334aff9f518f4beb24e470bd
 CVE-2013-0854 [libavcodec/mjpegdec.c]
 	RESERVED
 	- ffmpeg <removed>
-	- libav <unfixed> (bug #717009)
-	NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=1f41cffe1e3e79620f587545bdfcbd7e6e68ed29
+	- libav 6:0.8.8-1 (bug #717009)
+	NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=1f41cffe1e3e79620f587545bdfcbd7e6e68ed29
 	NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=cfbd98abe82cfcb9984a18d08697251b72b110c8
-	NOTE: fixed in experimental
+	NOTE: Needed in ffmpeg 0.5
 CVE-2013-0853 [libavcodec/wavpack.c out of array access]
 	RESERVED
 	- ffmpeg <removed>
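Review bot: in CVE-2013-0855 the note "looks invalid as the problem is checked in alac_set_info - but doublecheck please" is deleted, but the entry still reads `- libav <unfixed> (bug #717009)`, so the open question disappears without a recorded answer. Please add a NOTE stating the outcome of the double-check, or change the libav status if the issue turned out not to apply. The same goes for the dropped "checked - seems valid" in CVE-2013-0856: a short note confirming validity is worth keeping. In CVE-2013-0854, `NOTE: Needed in ffmpeg 0.5` sits next to `- ffmpeg <removed>`; naming the release that still ships ffmpeg 0.5 would make the note unambiguous.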
@@ -10279,19 +10277,20 @@
 	- ffmpeg <removed>
 	- libav <unfixed> (bug #717009)
 	NOTE: fixed in experimental
-	NOTE: No roqvideo-related changes in libav git so far
-	NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3ae610451170cd5a28b33950006ff0bd23036845
+        NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3ae610451170cd5a28b33950006ff0bd23036845
+        NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=488f87be873506abb01d67708a67c10a4dd29283
+	NOTE: Needed in ffmpeg 0.5
 CVE-2013-0848 [libavcodec/huffyuv.c out of array accesses]
 	RESERVED
 	- ffmpeg <removed>
 	- libav <unfixed> (bug #717009)
 	NOTE: No related changes in libav git so far
 	NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=6abb9a901fca27da14d4fffbb01948288b5da3ba
+	NOTE: Needed in ffmpeg 0.5
 CVE-2013-0847 [libavformat/id3v2.c out of array accesses]
 	RESERVED
-	- ffmpeg <removed>
-	- libav <unfixed> (bug #717009)
-	NOTE: vim '+/while (avio_tell(s->pb) < end' libavformat/id3v2.c # this looks like the equivalent position in libav, and the problem looks solved to me
+	- ffmpeg <not-affected> (Affected code not present in ffmpeg 0.5)
+	- libav <not-affected> (Code in libav is different, read_ttag)
 	NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=10416a4d56fa8a89784e4fb62099c3cab17a9952
 CVE-2013-0846 [libavcodec/qdm2.c out of array accesses]
 	RESERVED
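Review bot: the two added lines `NOTE: Fix in ffmpeg: ...` and `NOTE: Fix in libav: ...` in the first entry of this hunk are indented with eight spaces, while every other line in the file, including the `NOTE: Needed in ffmpeg 0.5` added right after them, uses a tab. Please re-indent them with a tab so that tools parsing the list treat them consistently. Also, that entry now records a libav fix commit but still carries `- libav <unfixed>` together with the older `NOTE: fixed in experimental`; a fixed version would be clearer if one is known. In CVE-2013-0847 the removed vim note explained why libav looked unaffected, and the new parenthetical "Code in libav is different, read_ttag" is terse by comparison.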
@@ -10299,6 +10298,7 @@
 	- libav <unfixed> (bug #717009)
 	NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed
 	NOTE: libav commit: http://git.libav.org/?p=libav.git;a=commit;h=39bec05ed42e505d17877b0c23f16322f9b5883b
+	NOTE: Needed for ffmpeg 0.5
 CVE-2013-0845 [libavcodec/alsdec.c]
 	RESERVED
 	- ffmpeg <not-affected> (MPEG-4 ALS decoder not present in ffmpeg/0.5)
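Review bot: the added `NOTE: Needed for ffmpeg 0.5` uses different wording from the `NOTE: Needed in ffmpeg 0.5` lines added elsewhere in this commit. Pick one form so the notes can be grepped reliably. The existing `NOTE: libav commit:` line in this entry could likewise be aligned with the `Fix in libav:` prefix used in the other entries.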



