[Git][security-tracker-team/security-tracker][master] ffmpeg triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sat Jun 15 14:12:20 BST 2024 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ee606b8c by Moritz Muehlenhoff at 2024-06-15T15:11:47+02:00
ffmpeg triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -18543,7 +18543,6 @@ CVE-2024-0740 (Eclipse Target Management: Terminal and Remote System Explorer (R
 CVE-2023-51794 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...)
 	[experimental] - ffmpeg 7:7.0-1
 	- ffmpeg <unfixed>
-	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
 	[bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
 	[buster] - ffmpeg <postponed> (Pick up when fixed in 4.1.x)
 	NOTE: https://trac.ffmpeg.org/ticket/10746
@@ -19829,7 +19828,6 @@ CVE-2024-0671 (Use After Free vulnerability in Arm Ltd Midgard GPU Kernel Driver
 CVE-2023-51798 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...)
 	[experimental] - ffmpeg 7:7.0-1
 	- ffmpeg <unfixed>
-	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
 	[bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
 	[buster] - ffmpeg <postponed> (Pick up when fixed in most related branch)
 	NOTE: https://trac.ffmpeg.org/ticket/10758
@@ -19845,16 +19843,14 @@ CVE-2023-51797 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 al
 CVE-2023-51796 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...)
 	[experimental] - ffmpeg 7:7.0-1
 	- ffmpeg <unfixed>
-	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
+	[bookworm] - ffmpeg <not-affected> (Vulnerable code not present)
 	[bullseye] - ffmpeg <not-affected> (Vulnerable code not present)
 	[buster] - ffmpeg <not-affected> (Vulnerable code not present)
 	NOTE: https://trac.ffmpeg.org/ticket/10753
 	NOTE: Fixed in https://github.com/ffmpeg/FFmpeg/commit/61e73851a33f0b4cb7662f8578a4695e77bd3c19 (n7.0)
-	NOTE: Introduced in https://github.com/FFmpeg/FFmpeg/commit/45dc668aea0edac34969b5a1ff76cf9ad3a09be1 (n5.0)
 CVE-2023-51795 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...)
 	[experimental] - ffmpeg 7:7.0-1
 	- ffmpeg <unfixed>
-	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
 	[bullseye] - ffmpeg <not-affected> (Vulnerable code not present)
 	[buster] - ffmpeg <not-affected> (Vulnerable code not present)
 	NOTE: https://trac.ffmpeg.org/ticket/10749
@@ -19863,7 +19859,6 @@ CVE-2023-51795 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 al
 CVE-2023-51793 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a ...)
 	[experimental] - ffmpeg 7:7.0-1
 	- ffmpeg <unfixed>
-	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
 	[bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
 	[buster] - ffmpeg <postponed> (Pick up when fixed in most related branch)
 	NOTE: Fixed in https://github.com/FFmpeg/FFmpeg/commit/0ecc1f0e48930723d7a467761b66850811c23e62 (n7.0)
@@ -19878,9 +19873,9 @@ CVE-2023-51792 (Buffer Overflow vulnerability in libde265 v1.0.12 allows a local
 CVE-2023-51791 (Buffer Overflow vulenrability in Ffmpeg v.N113007-g8d24a28d06 allows a ...)
 	[experimental] - ffmpeg 7:7.0-1
 	- ffmpeg <unfixed>
-	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
-	[bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
-	[buster] - ffmpeg <postponed> (Pick up when fixed in most related branch)
+	[bookworm] - ffmpeg <not-affected> (Vulnerable code not present)
+	[bullseye] - ffmpeg <not-affected> (Vulnerable code not present)
+	[buster] - ffmpeg <not-affected> (Vulnerable code not present)
 	NOTE: https://trac.ffmpeg.org/ticket/10738
 	NOTE: Fixed in https://github.com/FFmpeg/FFmpeg/commit/fb54c89a0df3d63198678b17d64aef4dbb599109 (n7.0)
 CVE-2023-50260 (Wazuh is a free and open source platform used for threat prevention, d ...)
@@ -19888,7 +19883,6 @@ CVE-2023-50260 (Wazuh is a free and open source platform used for threat prevent
 CVE-2023-50010 (Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a  ...)
 	[experimental] - ffmpeg 7:7.0-1
 	- ffmpeg <unfixed>
-	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
 	[bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
 	[buster] - ffmpeg <postponed> (Pick up when fixed in most related branch)
 	NOTE: https://trac.ffmpeg.org/ticket/10702
@@ -20402,7 +20396,6 @@ CVE-2024-32130 (Improper Neutralization of Input During Web Page Generation ('Cr
 CVE-2024-31585 (FFmpeg version n5.1 to n6.1 was discovered to contain an Off-by-one Er ...)
 	[experimental] - ffmpeg 7:7.0-1
 	- ffmpeg <unfixed>
-	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
 	[bullseye] - ffmpeg <not-affected> (Vulnerable code not present)
 	[buster] - ffmpeg <not-affected> (Vulnerable code not present)
 	NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06 (n7.0)
@@ -20422,9 +20415,9 @@ CVE-2024-31582 (FFmpeg version n6.1 was discovered to contain a heap buffer over
 CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper validation o ...)
 	[experimental] - ffmpeg 7:7.0-1
 	- ffmpeg <unfixed>
-	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
-	[bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
-	[buster] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
+	[bookworm] - ffmpeg <not-affected> (Vulnerable code not present)
+	[bullseye] - ffmpeg <not-affected> (Vulnerable code not present)
+	[buster] - ffmpeg <not-affected> (Vulnerable code not present)
 	NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ce0c178a408d43e71085c28a47d50dc939b60196 (n7.0)
 CVE-2024-31580 (PyTorch before v2.2.0 was discovered to contain a heap buffer overflow ...)
 	- pytorch <unfixed> (bug #1070379)


=====================================
data/dsa-needed.txt
=====================================
@@ -18,6 +18,8 @@ dnsdist (jmm)
 --
 dnsmasq
 --
+ffmpeg/stable (jmm)
+--
 frr
   Tobias Frost (tobi) proposed to work on preparing an update, but discussion
   with Debian maintainer for status on bullseye + updates



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee606b8c4d03d8678225fcd45687afa18109164d

-- 
This project does not include diff previews in email notifications.
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee606b8c4d03d8678225fcd45687afa18109164d
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240615/52b0fb19/attachment.htm>

More information about the debian-security-tracker-commits mailing list