[Git][security-tracker-team/security-tracker][master] [libav LTS triaging] Finish triaging 2016 issues for libav in jessie.

Thu Dec 6 08:09:20 GMT 2018

Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a2f5e984 by Mike Gabriel at 2018-12-06T08:09:00Z
[libav LTS triaging] Finish triaging 2016 issues for libav in jessie.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -101205,7 +101205,8 @@ CVE-2016-9821 (Integer overflow in libavcodec/mpegvideo_parser.c in libav 11.8 a
 	NOTE: https://git.libav.org/?p=libav.git;a=commit;h=15e1af0006354d6bbf0e433c5d1e8ef13c93d6d0 (pre 11.9)
 CVE-2016-9820 (libavcodec/mpegvideo_motion.c in libav 11.8 allows remote attackers to ...)
 	{DLA-791-1}
-	- libav <removed> (unimportant)
+	- libav <removed>
+	[jessie] - libav <not-affected> (The fixing patches are included in the upstream version)
 	NOTE: https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer
 	NOTE: https://github.com/asarubbo/poc/blob/master/00036-libav-leftshift-mpegvideo
 	NOTE: https://bugzilla.libav.org/show_bug.cgi?id=980
@@ -101213,7 +101214,8 @@ CVE-2016-9820 (libavcodec/mpegvideo_motion.c in libav 11.8 allows remote attacke
 	NOTE: https://git.libav.org/?p=libav.git;a=commit;h=f106f74206e69e9056130da8bddffc39f3878ac3 (pre 11.9)
 CVE-2016-9819 (libavcodec/mpegvideo.c in libav 11.8 allows remote attackers to cause ...)
 	{DLA-791-1}
-	- libav <removed> (unimportant)
+	- libav <removed>
+	[jessie] - libav <not-affected> (The fixing patches are included in the upstream version)
 	NOTE: https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer
 	NOTE: https://github.com/asarubbo/poc/blob/master/00036-libav-leftshift-mpegvideo
 	NOTE: https://bugzilla.libav.org/show_bug.cgi?id=980
@@ -122672,7 +122674,8 @@ CVE-2016-5199 (An off by one error resulting in an allocation of zero size in FF
 	- chromium-browser 44.0.2403.157-1
 	[wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy)
 	- ffmpeg 7:3.2-1
-	- libav <undetermined>
+	- libav <removed>
+	[jessie] - libav <not-affected> (Vulnerable code not present)
 	NOTE: https://chromium-review.googlesource.com/383956
 	NOTE: https://github.com/FFmpeg/FFmpeg/commit/347cb14b7cba7560e53f4434b419b9d8800253e7
 CVE-2016-5198 (V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 ...)


=====================================
data/dla-needed.txt
=====================================
@@ -65,6 +65,13 @@ libav (Markus Koschany, Mike Gabriel)
   NOTE: 20181130: CVE-2016-10191: patch available, issue untested (no PoC), vulnerable
   NOTE: 20181130: CVE-2016-10192: vulnerable code not present (only in ffmpeg)
   NOTE: 20181130: CVE-2016-5115: patch unavailable (needs revisiting), issue reproducible, no-dsa (needs revisiting)
+  NOTE: 20181206: CVE-2016-5199: vulnerable code (QuickTime Metadata Keys support) not present
+  NOTE: 20181206: CVE-2016-9819: fix included, PoC available (needs testing), <not-affected>
+  NOTE: 20181206: CVE-2016-9820: fix included, PoC available (needs testing), <not-affected>
+  NOTE: 20181206: CVE-2016-9823: no patch available, PoC available (needs testing), currently <no-dsa>
+  NOTE: 20181206: CVE-2016-9824: no patch available, PoC available (needs testing), currently <no-dsa>
+  NOTE: 20181206: CVE-2016-9825: no patch available, PoC available (needs testing), currently <ignored>
+  NOTE: 20181206: CVE-2016-9826: no patch available, PoC available (needs testing), currently <ignored>
 --
 libsndfile (Hugo Lefeuvre)
   NOTE: 20181123: CVE-2018-19432 minor but several older CVEs triaged no-dsa (such as CVE-2017-8361)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2f5e984c8c82c0a77e9acb750586fd6b76913f1

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2f5e984c8c82c0a77e9acb750586fd6b76913f1
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20181206/7ab9f3be/attachment-0001.html>
