Bug#504977: ffmpeg-debian: Several security issues

Ben Hutchings ben at decadent.org.uk
Sun Jan 4 18:45:50 UTC 2009


On Thu, 2008-12-04 at 22:41 +0100, Reinhard Tartler wrote:
> Mark Purcell <msp at debian.org> writes:
> 
> > On Wednesday 12 November 2008 19:23:18 Reinhard Tartler wrote:
> >> Summary: the only issue this bug is about is actually CVE-2008-4869,
> >> where I have committed a patch, but would really need some help with
> >> verifying the patch.

Don't you mean -4866?

> > Reinhard,
> >
> > This RC bug has been sitting idle for the last couple of weeks are you in a 
> > position to upload a package to experimental/ unstable to assist with 
> > verification of your fix?
> 
> Test packages are available at
> http://pkg-multimedia.alioth.debian.org/ffmpeg-test/
> 
> I'll upload it as soon as someone can confirm me that these packages
> actually fix the problem.

Based on inspection of the original code and patch for -4866 in this
test package, I am confident that this will be fixed.

Please also include the fix for -4867 (#496612) as it sounds like the
bug could be used for code injection and the change looks low-risk.

-4868 apparently doesn't apply to lenny or sid; the original leak might
but it appears to be extremely limited and probably not controllable by
an attacker.

-4869 is not clearly defined so seems impossible to address.

Ben.

-- 
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had thought.
... I realized that a large part of my life from then on was going to be spent
in finding mistakes in my own programs. - Maurice Wilkes, 1949
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20090104/39898d27/attachment.pgp 


More information about the pkg-multimedia-maintainers mailing list