Bug#694483: CVEs: CVE-2012-2882 CVE-2012-5359 CVE-2012-5360 CVE-2012-5361

Arne Wichmann aw at anhrefn.saar.de
Fri Jan 4 13:07:03 UTC 2013

begin quotation from Reinhard Tartler (in <CAJ0ccebL3xSmM+swoK3ocFxSOrE9nQ-yyy7r8_4zyazJT5mX1g at mail.gmail.com>):
> Thanks for caring about security in libav. Sorry for the delay. I
> tried hard to gather additional information about these issues, but
> was not successful.

Yeah, the information politics of the reporters could be more open.

> On Mon, Nov 26, 2012 at 8:30 PM, Arne Wichmann <aw at linux.de> wrote:
> > I have here another series of CVEs for ffmpeg/libav:
> >
> > CVE-2012-2882
> Libav's ogg decoder is a bit different to the one in FFmpeg. Can you
> please provide a testfile so that we can test if this issue affects
> Libav at all?

I dug around for a bit and found commit
9e1c55cfdec1e1e46fa39b92ea5c425ba9499c68 for ffmpeg, which seems to address
the issue. More effort will follow when I find the reserves for that.

> > CVE-2012-5359
> > CVE-2012-5360
> > CVE-2012-5361
> >
> > For the last 3 http://technet.microsoft.com/en-us/security/msvr/msvr12-017
> > claims that they are fixed in ffmpeg 0.11, but the available information on
> > all of them is a bit thin.
> Sorry, without proper information what's going on here, there is
> nothing that we can do about this. Again, please provide a sample that
> demonstrates the issue.


Same here.


[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. No one can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw at linux.de)