[Secure-testing-commits] r25507 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Tue Feb 4 15:27:02 UTC 2014
Author: jmm
Date: 2014-02-04 15:27:02 +0000 (Tue, 04 Feb 2014)
New Revision: 25507
Modified:
data/CVE/list
Log:
libav triage
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-02-04 11:55:02 UTC (rev 25506)
+++ data/CVE/list 2014-02-04 15:27:02 UTC (rev 25507)
@@ -3712,8 +3712,8 @@
NOTE: https://trac.ffmpeg.org/ticket/2921
NOTE: Only present in libav trunk
CVE-2013-7023 (The ff_combine_frame function in libavcodec/parser.c in FFmpeg before ...)
- - ffmpeg <removed>
- - libav <unfixed>
+ - ffmpeg <not-affected> (max_alloc not present in old ffmpeg/libav)
+ - libav <not-affected> (max_alloc not present in old ffmpeg/libav)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/f31011e9abfb2ae75bb32bc44e2c34194c8dc40a
NOTE: https://trac.ffmpeg.org/ticket/2982
CVE-2013-7022 (The g2m_init_buffers function in libavcodec/g2meet.c in FFmpeg before ...)
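Review bot: the reason on both added lines for CVE-2013-7023, "max_alloc not present in old ffmpeg/libav", does not say which versions "old" covers, so a later reader cannot tell when the not-affected status stops applying. Name the versions or suites that were checked, either in the parenthesised reason or in a NOTE line next to the existing commit and ticket references. Since the ffmpeg entry moves from <removed> to <not-affected>, it would also help to state that the check covered the last ffmpeg version that was in the archive.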
@@ -3796,7 +3796,7 @@
NOTE: https://trac.ffmpeg.org/ticket/2850
CVE-2013-7008 (The decode_slice_header function in libavcodec/h264.c in FFmpeg before ...)
- ffmpeg <not-affected> (Vulnerable code not present)
- - libav <unfixed>
+ - libav <not-affected> (Crash not reproducable, libav code is different)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/29ffeef5e73b8f41ff3a3f2242d356759c66f91f
NOTE: https://trac.ffmpeg.org/ticket/2927
CVE-2013-7002 (Cross-site scripting (XSS) vulnerability in ...)
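Review bot: on the added libav line for CVE-2013-7008, "Crash not reproducable" is a weaker basis for <not-affected> than the "Vulnerable code not present" given for ffmpeg one line above, because a reproducer that fails to crash does not show the flaw is absent. If "libav code is different" means the code path changed by the referenced FFmpeg commit has no counterpart in libav's h264.c, say that explicitly and note which libav version was tested. Also "reproducable" should be spelled "reproducible".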
@@ -43404,10 +43404,11 @@
- ffmpeg <removed>
NOTE: Seems needed for libav in cmdutils.c
CVE-2011-3934 (Double free vulnerability in the vp3_update_thread_context function in ...)
- - libav <unfixed>
- - ffmpeg <removed>
+ - libav <unfixed> (unimportant)
+ - ffmpeg <removed> (unimportant)
NOTE: Fixed in libav trunk http://git.libav.org/?p=libav.git;a=commit;h=759001c534287a96dc96d1e274665feb7059145d
- NOTE: Fixes for 0.8.x and 0.9.x still needed
+ NOTE: Fixes for 0.8.x and 0.9.x still needed, backport too intrusive
+ NOTE: only a crasher
CVE-2011-3933
RESERVED
CVE-2011-3932
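Review bot: the added "NOTE: only a crasher" for CVE-2011-3934 sits under a description that reads "Double free vulnerability in the vp3_update_thread_context function", and a double free is memory corruption, so the (unimportant) tag on both package lines needs a stated reason why the impact is limited to a crash. Extend the note with that reasoning or a reference supporting it. With "backport too intrusive" recorded for 0.8.x and 0.9.x, those branches remain <unfixed> while being marked unimportant, so it is worth making that justification easy to audit later.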