Bug#688847: libav: multiple CVEs in ffmpeg/libav

Reinhard Tartler siretart at gmail.com
Mon Oct 15 09:38:37 UTC 2012


On Mon, Oct 15, 2012 at 3:39 AM, Moritz Muehlenhoff <jmm at inutil.org> wrote:
> On Sun, Oct 14, 2012 at 05:00:54PM -0400, Reinhard Tartler wrote:
>> On Wed, Sep 26, 2012 at 4:22 AM, Yves-Alexis Perez <corsac at debian.org> wrote:
>> > Source: libav
>> > Severity: grave
>> > Justification: user security hole
>> >
>> > Hi,
>> >
>> > it seems that a huge pile of CVE were allocated for ffmpeg/libav
>>
>> short status update:
>>
>> Most/all of the CVEs have now been backported upstream. Before
>> releasing 0.8.4, I need to review the list to ensure that nothing was
>> forgotten. You can help with this by reviewing the list here:
>>
>> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.8
>
> Hi Reinhard,
> I double-checked the list and the following CVE IDs fixed in the ffmpeg
> 0.11 release are not yet present in the 0.8 git branch (some are ffmpeg-specific
> I suppose):
>
> CVE-2012-2774, 59a4b73531428d2f420b4dad545172c8483ced0f
> CVE-2012-2782, 9a57a37b7041581c10629c8241260a5d7bfbc1e7
> CVE-2012-2783, d85b3c4fff4c4b255232fcc01edbd57f19d60998
> CVE-2012-2785, 326f7a68bbd429c63fd2f19f4050658982b5b081
>                d462949974668ffb013467d12dc4934b9106fe19
> CVE-2012-2790, 2837d8dc276760db1821b81df3f794a90bfa56e6
> CVE-2012-2791, 0846719dd11ab3f7a7caee13e7af71f71d913389
> CVE-2012-2792, d442c4462a2692e27a24e1a9d0eb6f18725c7bd8
> CVE-2012-2795, a0abefb0af64a311b15141062c77dd577ba590a3
>                2a7063de547b1d8fb1cef523469390fb59fb2c50
>                b3a43515827f3d22a881c33b87384f01c86786fd
> CVE-2012-2796, 5e59a77cec804a9b44c60ea22c17beba6453ef23
> CVE-2012-2797, cca9528524c7a4b91451f4322bd50849af5d057e
> CVE-2012-2799, 64bd7f8e4db1742e86c5ed02bd530688b74063e3
> CVE-2012-2803, 951cbea56fdc03ef96d07fbd7e5bed755d42ac8a
> CVE-2012-2804, 4a80ebe491609e04110a1dd540a0ca79d3be3d04

Those are commits from ffmpeg, and do not necessarily apply to libav
as well. Our current working list looks like this:

fixed:
    CVE-2012-2772 (cb7190cd2c691fd93e4d3664f3fce6c19ee001dd)
    CVE-2012-2775 (9853e41aa0a6cfff629ff7009685eb8bf8d64e7f)
    CVE-2012-2777 (c20a69630619d14ae92c5541d52c579d7c8f3e94)
    CVE-2012-2779 (891918431db628db17885ed947ee387b29826a64)
    CVE-2012-2784 (same as CVE-2012-2777)
    CVE-2012-2785 (326f7a68bbd429c63fd2f19f4050658982b5b081
                   d462949974668ffb013467d12dc4934b9106fe19)
    CVE-2012-2786 (ee715f49a06bf3898246d01b056284a9bb1bcbb9)
    CVE-2012-2787 (b146d74730ab9ec5abede9066f770ad851e45fbc)
    CVE-2012-2788 (0af49a63c7f87876486ab09482d5b26b95abce60)
    CVE-2012-2789 (99f392a584dd10b553facc8e819f2c7e982e176d)
    CVE-2012-2790 (66197988b1ee914825afbc3084e6da63f862068a)
    CVE-2012-2792 (065b3a1cfa3f23aedf76244b3f3883ba913173ff)
    CVE-2012-2793 (b631e4ed64f7d1b9ca8f897fda31140e8d1fad81)
    CVE-2012-2796 (1100acbab26883007898c53efeb289f562c6e514)
    CVE-2012-2776 (e4d4044339b9c3b0f45f7203cd026eda3c0414c0)
    CVE-2012-2794 (2d09cdbaf2f449ba23d54e97e94bd97ca22208c6)
    CVE-2012-2800 (ae3da0ae5550053583a6f281ea7fd940497ea0d1)
    CVE-2012-2795 (607f57152c59bcec26caaf2060a86d96f76c4e8b
                   f48fbf2eb5ba7015c65b31c266edf399dd6a82b1
                   6a99310fce49f51773ab7d8ffa4f4748bbf58db9)
    CVE-2012-2798 (d05f72c75445969cd7bdb1d860635c9880c67fb6)
    CVE-2012-2799 (d65d8347314b645051e336aed141aaf32a6c0d02)
    CVE-2012-2801 (85f477935cd6b34e6ec2716b20e15ce748277a89)

submitted:
    CVE-2012-2783 (has been oked, but looks shady)

invalid?:
    CVE-2012-2774 -- ffmpeg fix is not a fix, it's unclear what real issue it is supposed to fix
    CVE-2012-2804 -- same as above
    CVE-2012-2782 -- Ronald says it does not apply to us
    CVE-2012-2797 -- Justin says it's completely wrong
    CVE-2012-2803 -- looks very shady

other:
    CVE-2012-2791 (0846719dd11ab3f7a7caee13e7af71f71d913389) -- needs input from kostya
    CVE-2012-2802 -- Justin said he'd fix it differently

>
> None of these are merged into 0.5.x, has the code diverged so much?

I arrived only today from my two-week trip and will work on backports
for 0.7-0.5 this week. Sorry for the delay.

Cheers,
Reinhard

-- 
regards,
    Reinhard


