Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Marc Deslauriers
marc.deslauriers at canonical.com
Sun Nov 1 02:20:34 UTC 2009
On Sat, 2009-10-31 at 09:12 +0100, Reinhard Tartler wrote:
> One problem, it breaks build. Therefore, I had to backport svn r18016
> aka 'MOV-Support-stz2-Compact-Sample-Size-Box' to fix FTBFS. without
> this patch, libavformat/mov.c won't compile, as field_size is introduced
> with this commit. While this patch is strictly speaking not in scope of
> an security update, it is easier to stick with upstream and backport
> this patch in addition.
Agreed.
>
> How to proceed now? In any case, I'll prepare an upload for lucid once
> it opens. Will you prepare uploads for stable ubuntu security pockets?
The next step, IMO, is to get CVE numbers assigned. Since CVE numbers
aren't usually given to client application crashes, someone needs to
analyze each issue to see if it is exploitable or not.
Marc.
More information about the pkg-multimedia-maintainers
mailing list