Bug#504977: ffmpeg-debian: Several security issues
Moritz Muehlenhoff
jmm at inutil.org
Sat Nov 15 00:43:17 UTC 2008
Reinhard Tartler wrote:
>
> >> CVE-2008-4869[0]:
> >> | FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers
> >> | to cause a denial of service (memory consumption) via unknown vectors,
> >> | aka a "Tcp/udp memory leak."
> >
> > you asked me later to ignore this. ok.
>
> I'm sorry but I misread you. Investigating the issue further, it seems
> to me that this issue is exactly the same as CVE-2008-4866. At least the
> references seem to point to the same svn commits.
The only references in here are the rather dubious Pardus advisory and a
request for more information from Mandriva, it misses a concrete reference
to the actual "Tcp/udp memory leak." Anyway, this isn't something we would
fix in a DSA and since we're very close to release we can skip this for
Lenny.
> I take that CVE-2008-4866 and CVE-2008-4869 are actually dupes.
>
> Summary: the only issue this bug is about is actually CVE-2008-4869,
> where I have committed a patch, but would really need some help with
> verifying the patch.
050_CVE-2008-4866.patch seems correct (although I assume this rather a mere
crasher). I don't know about 050_CVE-2008-4866-2.patch, that's a H264 interna
I don't know anything about.
> As for CVE-2008-4867, see bug #496612. Please raise the severity if you
> think that should be fixed in lenny, but please not that I could really
> need help with that bug as well.
If you prepare an update, please include it, but it wouldn't warrant an
update on its own.
Cheers,
Moritz
More information about the pkg-multimedia-maintainers
mailing list