[Secure-testing-commits] r28181 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Sun Aug 10 09:44:16 UTC 2014


Author: jmm
Date: 2014-08-10 09:44:16 +0000 (Sun, 10 Aug 2014)
New Revision: 28181

Modified:
   data/CVE/list
Log:
libav fixes


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2014-08-10 05:28:30 UTC (rev 28180)
+++ data/CVE/list	2014-08-10 09:44:16 UTC (rev 28181)
@@ -7308,6 +7308,7 @@
 CVE-2014-2263 (The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB) ...)
 	- ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
 	- libav <unfixed>
+        NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=addbaf134836aea4e14f73add8c6d753a1373257
 CVE-2014-2262 (Buffer overflow in the client application in Base SAS 9.2 TS2M3, SAS ...)
 	NOT-FOR-US: Base SAS
 CVE-2014-2261
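Review bot: the NOTE line added under CVE-2014-2263 is indented with eight spaces, while the neighbouring entry lines in this file start with a tab. The same applies to the other "Fix in libav" lines added in this commit. Suggest using a leading tab so the entries stay consistent with the rest of the list.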
@@ -22573,17 +22574,17 @@
 	- libav <not-affected> (Smush codec not present in libav)
 CVE-2013-3674 (The cdg_decode_frame function in cdgraphics.c in libavcodec in FFmpeg ...)
 	- ffmpeg <not-affected> (CD Graphics Video Decoder not present in 0.5 ffmpeg)
-	- libav <undetermined>
+	- libav <unfixed>
 	NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7ef2dbd2392e3e4d430e0173e1e5c4df9f18b6dd
-	NOTE: libav and ffmpeg code bases have diverged too much, unclear whether libav is affected
+        NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812
 CVE-2013-3673 (The gif_decode_frame function in gifdec.c in libavcodec in FFmpeg ...)
 	- ffmpeg <not-affected> (Doesn't affect libav, specific to current ffmpeg)
 	- libav <not-affected> (Doesn't affect libav, specific to current ffmpeg)
 CVE-2013-3672 (The mm_decode_inter function in mmvideo.c in libavcodec in FFmpeg ...)
 	- ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
-	- libav <undetermined>
+	- libav <unfixed>
 	NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7fa6db2545643efb4fe2e0bb501fa50af35a6330
-	NOTE: libav and ffmpeg code bases have diverged too much, unclear whether libav is affected
+        NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=70cd3b8e659c3522eea5c16a65d14b8658894a94
 CVE-2013-3671 (The format_line function in log.c in libavutil in FFmpeg before 1.2.1 ...)
 	- ffmpeg <not-affected> (Doesn't affect libav, specific to current ffmpeg)
 	- libav <not-affected> (Doesn't affect libav, specific to current ffmpeg)
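Review bot: for CVE-2013-3674 and CVE-2013-3672 the libav status moves from <undetermined> to <unfixed> and the note recording why affectedness was unclear is dropped, but the replacement NOTE only links the upstream commit. It would help to say which libav release or branch first contains each commit, so the <unfixed> entries can later be resolved to a fixed version without re-reading upstream history.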
@@ -30410,10 +30411,10 @@
 	NOTE: Needed in ffmpeg 0.5
 CVE-2013-0848 (The decode_init function in libavcodec/huffyuv.c in FFmpeg before 1.1 ...)
 	- ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
-	- libav <undetermined>
+	- libav <unfixed>
 	NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=6abb9a901fca27da14d4fffbb01948288b5da3ba
+        NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=a7153444df9040bf6ae103e0bbf6104b66f974cb
 	NOTE: Needed in ffmpeg 0.5
-	NOTE: Unclear if this really affects libav due to different code, need to find a test case in form of a sample 
 CVE-2013-0847 (The ff_id3v2_parse function in libavformat/id3v2.c in FFmpeg before ...)
 	- ffmpeg <not-affected> (Affected code not present in ffmpeg 0.5)
 	- libav <not-affected> (Code in libav is different, read_ttag)
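Review bot: in the CVE-2013-0848 entry the new "Fix in libav" NOTE is inserted between "NOTE: Fix in ffmpeg: ..." and "NOTE: Needed in ffmpeg 0.5", so the latter no longer sits directly under the ffmpeg fix line it followed before. Suggest placing the libav NOTE after "NOTE: Needed in ffmpeg 0.5". The removed line asked for a sample as a test case; if libav was confirmed affected some other way, a short NOTE saying how would preserve that reasoning.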
@@ -53005,10 +53006,9 @@
 	- ffmpeg <not-affected> (vuln. code not present, introduced later)
 	NOTE: [Diego] applies to 0.8 and 9 only, cherrypicked fixes on ML
 CVE-2011-3934 (Double free vulnerability in the vp3_update_thread_context function in ...)
-	- libav <unfixed> (unimportant)
+	- libav 6:10-1 (unimportant)
 	- ffmpeg <removed> (unimportant)
-	NOTE: Fixed in libav trunk http://git.libav.org/?p=libav.git;a=commit;h=759001c534287a96dc96d1e274665feb7059145d
-	NOTE: Fixes for 0.8.x and 0.9.x still needed, backport too intrusive
+	NOTE: Fixed in libav trunk: http://git.libav.org/?p=libav.git;a=commit;h=759001c534287a96dc96d1e274665feb7059145d
 	NOTE: only a crasher
 CVE-2011-3933
 	RESERVED
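Review bot: CVE-2011-3934 is now marked fixed in libav 6:10-1, and the removed line "Fixes for 0.8.x and 0.9.x still needed, backport too intrusive" was the only record in this entry that the older branches lack the fix. If packages based on those branches are still tracked, keep that information, for example as a NOTE stating that no backport is planned for them.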



