[Git][security-tracker-team/security-tracker][master] ffmpeg triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Jun 17 15:21:31 BST 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
87c07f62 by Moritz Muehlenhoff at 2024-06-17T16:20:58+02:00
ffmpeg triage
- - - - -
3 changed files:
- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -18673,7 +18673,6 @@ CVE-2023-51794 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 al
{DSA-5712-1}
[experimental] - ffmpeg 7:7.0-1
- ffmpeg <unfixed>
- [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
[buster] - ffmpeg <postponed> (Pick up when fixed in 4.1.x)
NOTE: https://trac.ffmpeg.org/ticket/10746
NOTE: Fixed in https://github.com/ffmpeg/FFmpeg/commit/50f0f8c53c818f73fe2d752708e2fa9d2a2d8a07 (n7.0)
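Review bot: dropping the `[bullseye] - ffmpeg <postponed>` line without a replacement leaves bullseye with no status annotation for CVE-2023-51794, so the tracker will report it as open; that is consistent with the dsa-needed.txt move of ffmpeg to oldstable in this same commit, but the buster line keeps `Pick up when fixed in 4.1.x` while the NOTEs record only the n7.0 fix commit, so if a 4.1.x backport exists it should be added as a NOTE here.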
@@ -19959,7 +19958,6 @@ CVE-2023-51798 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 al
{DSA-5712-1}
[experimental] - ffmpeg 7:7.0-1
- ffmpeg <unfixed>
- [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
[buster] - ffmpeg <postponed> (Pick up when fixed in most related branch)
NOTE: https://trac.ffmpeg.org/ticket/10758
NOTE: Fixed in https://github.com/ffmpeg/FFmpeg/commit/68146f06f852078866b3ef1564556e3a272920c7 (n7.0)
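Review bot: the buster rationale in this hunk reads `Pick up when fixed in most related branch`, whereas the CVE-2023-51794 entry above uses the concrete `Pick up when fixed in 4.1.x`; since the same branch is meant in both, the concrete wording is the more useful one and keeps the postponed entries greppable by branch.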
@@ -19992,7 +19990,6 @@ CVE-2023-51793 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 al
{DSA-5712-1}
[experimental] - ffmpeg 7:7.0-1
- ffmpeg <unfixed>
- [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
[buster] - ffmpeg <postponed> (Pick up when fixed in most related branch)
NOTE: Fixed in https://github.com/FFmpeg/FFmpeg/commit/0ecc1f0e48930723d7a467761b66850811c23e62 (n7.0)
NOTE: https://trac.ffmpeg.org/ticket/10743
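Review bot: the two NOTE lines are in the opposite order to the neighbouring entries (fix commit first, trac ticket second), and the `Fixed in` URL uses the `FFmpeg/FFmpeg` path while the CVE-2023-51794 and CVE-2023-51798 entries use `ffmpeg/FFmpeg`; harmless, but ticket-then-fix ordering and one URL spelling would keep the block uniform.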
@@ -20017,7 +20014,6 @@ CVE-2023-50010 (Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 all
{DSA-5712-1}
[experimental] - ffmpeg 7:7.0-1
- ffmpeg <unfixed>
- [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
[buster] - ffmpeg <postponed> (Pick up when fixed in most related branch)
NOTE: https://trac.ffmpeg.org/ticket/10702
NOTE: https://github.com/FFmpeg/FFmpeg/commit/e4d2666bdc3dbd177a81bbf428654a5f2fa3787a (n7.0)
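Review bot: the commit NOTE for CVE-2023-50010 lacks the `Fixed in` prefix the entries above carry, so anyone grepping the file for `Fixed in` to list upstream fixes will miss it; suggest `NOTE: Fixed in https://github.com/FFmpeg/FFmpeg/commit/e4d2666bdc3dbd177a81bbf428654a5f2fa3787a (n7.0)`.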
@@ -20033,16 +20029,16 @@ CVE-2023-50008 (Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 all
[experimental] - ffmpeg 7:7.0-1
- ffmpeg <unfixed>
[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
- [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
- [buster] - ffmpeg <postponed> (Pick up when fixed in most related branch)
+ [bullseye] - ffmpeg <not-affected> (Vulnerable code not present)
+ [buster] - ffmpeg <not-affected> (Vulnerable code not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/5f87a68cf70dafeab2fb89b42e41a4c29053b89b (n7.0)
NOTE: https://trac.ffmpeg.org/ticket/10701
CVE-2023-50007 (Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a ...)
[experimental] - ffmpeg 7:7.0-1
- ffmpeg <unfixed>
[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
- [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
- [buster] - ffmpeg <postponed> (Pick up when fixed in most related branch)
+ [bullseye] - ffmpeg <not-affected> (Vulnerable code not present)
+ [buster] - ffmpeg <not-affected> (Vulnerable code not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/b1942734c7cbcdc9034034373abcc9ecb9644c47 (n7.0)
NOTE: https://trac.ffmpeg.org/ticket/10700
CVE-2023-49963 (DYMO LabelWriter Print Server through 2.366 contains a backdoor hard-c ...)
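Review bot: bullseye and buster move from `<postponed>` to `<not-affected> (Vulnerable code not present)` for CVE-2023-50008 and CVE-2023-50007 while bookworm stays `<postponed> (Pick up when fixed in 5.1.x)`; this is the substantive triage change in the commit, and the NOTE lines only cite the n7.0 fix commit and the trac ticket, so a one-line NOTE naming the file or function the fix touches (and that it post-dates the 4.x series) would let a later reviewer re-verify the not-affected verdict without redoing the source comparison.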
@@ -20544,8 +20540,8 @@ CVE-2024-31582 (FFmpeg version n6.1 was discovered to contain a heap buffer over
[experimental] - ffmpeg 7:7.0-1
- ffmpeg <unfixed>
[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
- [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
- [buster] - ffmpeg <postponed> (Pick up when fixed in 4.1.x)
+ [bullseye] - ffmpeg <not-affected> (Vulnerable code not present)
+ [buster] - ffmpeg <not-affected> (Vulnerable code not present)
NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/99debe5f823f45a482e1dc08de35879aa9c74bd2 (n7.0)
CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper validation o ...)
[experimental] - ffmpeg 7:7.0-1
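Review bot: CVE-2024-31582 gets the same `<not-affected> (Vulnerable code not present)` downgrade for bullseye and buster, but the trailing context stops at the `[experimental]` line of the adjacent CVE-2024-31581 entry (same n6.1 report family, per the description); worth confirming whether that entry was assessed the same way, since its bullseye and buster lines are not touched by this hunk.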
@@ -90993,7 +90989,6 @@ CVE-2023-1691 (Vulnerability of failures to capture exceptions in the communicat
NOT-FOR-US: Huawei
CVE-2022-48434 (libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and ...)
- ffmpeg 7:5.1.2-1
- [bullseye] - ffmpeg <postponed> (Wait until it lands in 4.3.x)
[buster] - ffmpeg <postponed> (Wait until the backport to 4.x)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11 (n6.1-dev)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda (n5.1.2)
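Review bot: removing the bullseye `<postponed> (Wait until it lands in 4.3.x)` line for CVE-2022-48434 leaves only `- ffmpeg 7:5.1.2-1` and the buster line, so bullseye reverts to open for this issue; that fits the ffmpeg/oldstable entry in dsa-needed.txt, but the remaining buster rationale `Wait until the backport to 4.x` should name `4.1.x` like the other entries, and the NOTEs cite only n6.1-dev and n5.1.2 commits, so the 4.3.x backport commit would be worth recording once known.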
@@ -135873,7 +135868,6 @@ CVE-2022-3342 (The Jetpack CRM plugin for WordPress is vulnerable to PHAR deseri
CVE-2022-3341 (A null pointer dereference issue was discovered in 'FFmpeg' in decode_ ...)
{DLA-3454-1}
- ffmpeg 7:5.1-1
- [bullseye] - ffmpeg <postponed> (Minor issue, wait until fixed in 4.3.x)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2157054
NOTE: https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e (n5.1)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/08f0a18c3488b2fb8297ebba3684792da8a6606e (n4.1.11)
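Review bot: the data/DSA/list hunk in this commit adds CVE-2022-3341 to DSA-5394-1, but this entry's cross-reference line still reads only `{DLA-3454-1}`; check whether it should become `{DSA-5394-1 DLA-3454-1}` so that the two files agree on bullseye being fixed by that DSA, rather than relying on the removed `<postponed>` line to have been the only bullseye marker.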
=====================================
data/DSA/list
=====================================
@@ -1162,7 +1162,7 @@
{CVE-2023-23920}
[bullseye] - nodejs 12.22.12~dfsg-1~deb11u4
[30 Apr 2023] DSA-5394-1 ffmpeg - security update
- {CVE-2022-3109}
+ {CVE-2022-3109 CVE-2022-3341}
[bullseye] - ffmpeg 7:4.3.6-0+deb11u1
[22 Apr 2023] DSA-5393-1 chromium - security update
{CVE-2023-2133 CVE-2023-2134 CVE-2023-2135 CVE-2023-2136 CVE-2023-2137}
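Review bot: adding CVE-2022-3341 to the existing 30 Apr 2023 DSA-5394-1 retroactively marks bullseye fixed in `7:4.3.6-0+deb11u1`; the CVE/list NOTEs for that CVE cite the n5.1 and n4.1.11 upstream commits but no 4.3.x one, so a NOTE identifying the 4.3.x release or commit that carried the fix would document why this DSA is the right one to attach it to.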
=====================================
data/dsa-needed.txt
=====================================
@@ -18,7 +18,7 @@ dnsdist (jmm)
--
dnsmasq
--
-ffmpeg/stable (jmm)
+ffmpeg/oldstable (jmm)
--
frr
Tobias Frost (tobi) proposed to work on preparing an update, but discussion
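Review bot: `ffmpeg/stable (jmm)` becomes `ffmpeg/oldstable (jmm)`, consistent with the `{DSA-5712-1}` references in the CVE/list hunks and with the removal of the bullseye `<postponed>` lines there; a short scope note under the entry, as the frr entry below has, listing which of the now-open CVEs the oldstable update is meant to cover would make the queue entry self-explanatory.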
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87c07f6212ea5e6787f399183a39e179aa22a3aa