Bug#688847: libav: multiple CVEs in ffmpeg/libav

Moritz Muehlenhoff jmm at inutil.org
Mon Oct 15 07:39:39 UTC 2012


On Sun, Oct 14, 2012 at 05:00:54PM -0400, Reinhard Tartler wrote:
> On Wed, Sep 26, 2012 at 4:22 AM, Yves-Alexis Perez <corsac at debian.org> wrote:
> > Source: libav
> > Severity: grave
> > Justification: user security hole
> >
> > Hi,
> >
> > it seems that a huge pile of CVE were allocated for ffmpeg/libav
> 
> short status update:
> 
> Most/all of the CVEs have now been backported upstream. Before
> releasing 0.8.4, I need to review the list to ensure that nothing was
> forgotten. You can help with this by reviewing the list here:
> 
> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.8

Hi Reinhard,
I double-checked the list and the following CVE IDs fixed in the ffmpeg
0.11 release are not yet present in the 0.8 git branch (some are ffmpeg-specific
I suppose):

CVE-2012-2774, 59a4b73531428d2f420b4dad545172c8483ced0f
CVE-2012-2782, 9a57a37b7041581c10629c8241260a5d7bfbc1e7
CVE-2012-2783, d85b3c4fff4c4b255232fcc01edbd57f19d60998
CVE-2012-2785, 326f7a68bbd429c63fd2f19f4050658982b5b081
               d462949974668ffb013467d12dc4934b9106fe19
CVE-2012-2790, 2837d8dc276760db1821b81df3f794a90bfa56e6
CVE-2012-2791, 0846719dd11ab3f7a7caee13e7af71f71d913389
CVE-2012-2792, d442c4462a2692e27a24e1a9d0eb6f18725c7bd8
CVE-2012-2795, a0abefb0af64a311b15141062c77dd577ba590a3
               2a7063de547b1d8fb1cef523469390fb59fb2c50
               b3a43515827f3d22a881c33b87384f01c86786fd
CVE-2012-2796, 5e59a77cec804a9b44c60ea22c17beba6453ef23
CVE-2012-2797, cca9528524c7a4b91451f4322bd50849af5d057e
CVE-2012-2799, 64bd7f8e4db1742e86c5ed02bd530688b74063e3
CVE-2012-2803, 951cbea56fdc03ef96d07fbd7e5bed755d42ac8a
CVE-2012-2804, 4a80ebe491609e04110a1dd540a0ca79d3be3d04

None of these are merged into 0.5.x; has the code diverged so much?

Cheers,
        Moritz
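The review Reinhard asks for above (checking that every listed fix actually landed on release/0.8) cannot be done by looking for the upstream SHAs in the release branch: a cherry-picked commit gets a new SHA, so `git branch --contains <sha>` will say "missing" for every clean backport. What does survive a cherry-pick is the patch-id, a hash of the diff content with line numbers normalised. The script below is an added example, not code from this thread or from the libav project. It builds a throwaway repository as constructed demo data (master carries two fixes labelled with the placeholder IDs CVE-A and CVE-B; release/0.8 received a cherry-pick of only the first), then checks a "CVE-ID sha" list against the release branch by patch-id and reports which entries are still missing.

```shell
#!/bin/sh
# Verify that fixes from an upstream branch were backported to a release branch.
# Cherry-picked commits get new SHAs, so the check matches by patch-id (a hash
# of the diff with line numbers and whitespace normalised) instead of by SHA.
# CVE-A / CVE-B and the repository built below are constructed demo data.

# Build a throwaway repository: master carries two fixes, release/0.8 received a
# cherry-pick of only the first. Prints the repository path.
make_demo_repo() {
  dir=$(mktemp -d)
  git init -q "$dir"
  git -C "$dir" symbolic-ref HEAD refs/heads/master
  git -C "$dir" config user.name demo
  git -C "$dir" config user.email demo@example.invalid
  git -C "$dir" config commit.gpgsign false
  printf 'int x;\n' >"$dir/f.c"
  git -C "$dir" add f.c
  git -C "$dir" commit -q -m 'initial import'
  git -C "$dir" branch release/0.8
  printf 'int x;\nif (n < 0) return -1;\n' >"$dir/f.c"
  git -C "$dir" commit -q -am 'check for negative length (CVE-A)'
  printf 'int x;\nif (n < 0) return -1;\nif (n > MAX) return -1;\n' >"$dir/f.c"
  git -C "$dir" commit -q -am 'check for oversized length (CVE-B)'
  git -C "$dir" checkout -q release/0.8
  git -C "$dir" cherry-pick master~1 >/dev/null
  git -C "$dir" checkout -q master
  printf '%s\n' "$dir"
}

# Usage: fix_present <repo> <branch> <upstream-sha>
# Succeeds when some commit reachable from <branch> has the same patch-id as
# the upstream commit; fails otherwise (2 if the commit has no diff to match).
fix_present() {
  want=$(git -C "$1" show "$3" | git patch-id --stable | cut -d' ' -f1)
  [ -n "$want" ] || return 2
  git -C "$1" log -p "$2" | git patch-id --stable | cut -d' ' -f1 | grep -qx "$want"
}

# Usage: check_backports <repo> <branch> <"CVE-ID sha" lines>
# Prints one status line per entry; returns the number of entries still missing.
check_backports() {
  missing=0
  while read -r cve sha; do
    [ -n "$cve" ] || continue
    if fix_present "$1" "$2" "$sha"; then
      printf '%-12s %s present\n' "$cve" "$sha"
    else
      printf '%-12s %s MISSING\n' "$cve" "$sha"
      missing=$((missing + 1))
    fi
  done <<EOF
$3
EOF
  return "$missing"
}

# Stand-alone demo on the constructed repository: CVE-A is reported present,
# CVE-B is reported MISSING.
repo=$(make_demo_repo)
list="CVE-A $(git -C "$repo" rev-parse master~1)
CVE-B $(git -C "$repo" rev-parse master)"
check_backports "$repo" release/0.8 "$list" || :
rm -rf "$repo"
```

Against a real checkout you would point `check_backports` at the libav clone with the branch `release/0.8` and a list of the CVE/commit pairs, with the upstream ffmpeg commits fetched into the same repository first so that `git show` can resolve them. One caveat: a backport that had to be adapted to the older tree produces a different diff and therefore a different patch-id, so it shows up as MISSING here; for those, fall back to `git log --grep='CVE-2012-...' release/0.8`, which only works when the committer put the CVE ID in the message.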


