Bug#740967: mplayer: depends on obsolete libav packages, which have security bugs

Vincent Lefevre vincent at vinc17.net
Thu Mar 6 18:45:18 UTC 2014


Package: mplayer
Version: 2:1.0~rc4.dfsg1+svn34540-1+b2
Severity: grave
Tags: security

mplayer depends on obsolete packages libavcodec53, libavutil51 and
libavformat53, which have known security bugs that will never be fixed
(since the packages are no longer in unstable). According to debsecan:

CVE-2012-6618 The av_probe_input_buffer function in...
  <http://security-tracker.debian.org/tracker/CVE-2012-6618>
  - libavcodec53, ffmpeg, libavfilter2, libavutil51, libavformat53
    (obsolete)

CVE-2013-0856 The lpc_prediction function in libavcodec/alac.c in...
  <http://security-tracker.debian.org/tracker/CVE-2013-0856>
  - libavcodec53, ffmpeg, libavfilter2, libavutil51, libavformat53
    (obsolete)

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mplayer depends on:
ii  libaa1                    1.4p5-41
ii  libasound2                1.0.27.2-3
ii  libavcodec53              6:0.8.10-1
ii  libavformat53             6:0.8.10-1
ii  libavutil51               6:0.8.10-1
ii  libbluray1                1:0.5.0-2
ii  libc6                     2.18-4
ii  libcaca0                  0.99.beta18-1.1
ii  libcdparanoia0            3.10.2+debian-11
ii  libdca0                   0.0.5-6
ii  libdirectfb-1.2-9         1.2.10.0-5
ii  libdvdnav4                4.2.1-3
ii  libdvdread4               4.2.1-2
ii  libenca0                  1.15-2
ii  libesd0                   0.2.41-11
ii  libfaad2                  2.7-8
ii  libfontconfig1            2.11.0-5
ii  libfreetype6              2.5.2-1
ii  libfribidi0               0.19.6-1
ii  libgcc1                   1:4.8.2-16
ii  libgif4                   4.1.6-11
ii  libgl1-mesa-glx [libgl1]  9.2.2-1
ii  libjack0 [libjack-0.116]  1:0.124.1+20140122git5013bed0-2+b1
ii  libjpeg8                  8d-2
ii  liblircclient0            0.9.0~pre1-1
ii  liblzo2-2                 2.06-1.2
ii  libmp3lame0               3.99.5+repack1-3
ii  libmpeg2-4                0.5.1-5
ii  libncurses5               5.9+20140118-1
ii  libogg0                   1.3.1-1
ii  libopenal1                1:1.14-4
ii  libpng12-0                1.2.50-1
ii  libpostproc52             6:0.git20120821-4
ii  libpulse0                 4.0-6+b1
ii  libsdl1.2debian           1.2.15-8
ii  libsmbclient              2:4.1.5+dfsg-1
ii  libspeex1                 1.2~rc1.1-1
ii  libstdc++6                4.8.2-16
ii  libsvga1                  1:1.4.3-33
ii  libswscale2               6:9.11-3
ii  libtheora0                1.1.1+dfsg.1-3.1
ii  libtinfo5                 5.9+20140118-1
ii  libvdpau1                 0.7-1
ii  libx11-6                  2:1.6.2-1
ii  libx264-123               2:0.123.2189+git35cf912-1
ii  libxext6                  2:1.3.2-1
ii  libxinerama1              2:1.1.3-1
ii  libxv1                    2:1.0.10-1
ii  libxvidcore4              2:1.3.2-9
ii  libxvmc1                  2:1.0.8-1
ii  libxxf86dga1              2:1.1.4-1
ii  libxxf86vm1               1:1.1.3-1
ii  zlib1g                    1:1.2.8.dfsg-1

mplayer recommends no packages.

Versions of packages mplayer suggests:
ii  bzip2                              1.0.6-5
ii  fontconfig                         2.11.0-5
ii  fonts-freefont-ttf [ttf-freefont]  20120503-4
ii  mplayer-doc                        2:1.0~rc4.dfsg1+svn34540-1
pn  netselect | fping                  <none>

-- no debconf information
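
The cross-check the report describes, as an added example that is not part of the original message or of debsecan/reportbug: it parses the debsecan entries and the dependency list and returns the installed dependencies flagged as obsolete, with their CVE ids. The function names and sample strings (copied from the excerpts above) are assumptions of this example, as is the reading that a trailing parenthesised flag applies to the package group before it.

```python
import re

# Constructed sample input: the debsecan entries and part of the dependency
# list quoted in the report. Assumption: a trailing "(...)" flags its group.
DEBSECAN_TEXT = """\
CVE-2012-6618 The av_probe_input_buffer function in...
  <http://security-tracker.debian.org/tracker/CVE-2012-6618>
  - libavcodec53, ffmpeg, libavfilter2, libavutil51, libavformat53
    (obsolete)

CVE-2013-0856 The lpc_prediction function in libavcodec/alac.c in...
  <http://security-tracker.debian.org/tracker/CVE-2013-0856>
  - libavcodec53, ffmpeg, libavfilter2, libavutil51, libavformat53
    (obsolete)
"""
DEPENDS_TEXT = """\
ii  libavcodec53              6:0.8.10-1
ii  libavformat53             6:0.8.10-1
ii  libavutil51               6:0.8.10-1
ii  libgl1-mesa-glx [libgl1]  9.2.2-1
"""

def obsolete_packages(text):
    """Map package -> set of CVE ids for groups flagged obsolete."""
    found = {}
    for entry in re.split(r"\n\s*\n", text.strip()):
        cve = re.match(r"CVE-\d{4}-\d+", entry)
        if not cve:
            continue
        # A "- pkg, pkg (flags)" group may wrap onto the next line.
        for group in re.split(r"^\s*- ", entry, flags=re.M)[1:]:
            flags = re.search(r"\(([^)]*)\)\s*$", group)
            if flags and "obsolete" in re.split(r",\s*", flags.group(1)):
                for pkg in re.split(r"[,\s]+", group[:flags.start()].strip()):
                    found.setdefault(pkg, set()).add(cve.group(0))
    return found

def flagged_dependencies(debsecan_text, depends_text):
    """Return (package, version, CVE ids) for installed obsolete dependencies."""
    obsolete = obsolete_packages(debsecan_text)
    rows = []
    for line in depends_text.splitlines():
        fields = line.split()  # reportbug format: "ii  name [alias]  version"
        if len(fields) >= 3 and fields[0] == "ii" and fields[1] in obsolete:
            rows.append((fields[1], fields[-1], sorted(obsolete[fields[1]])))
    return sorted(rows)

if __name__ == "__main__":
    for pkg, ver, cves in flagged_dependencies(DEBSECAN_TEXT, DEPENDS_TEXT):
        print(f"{pkg} {ver}: {', '.join(cves)}")
```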