Bug#773626: Available fixes for some of the issues

Neil Williams codehelp at debian.org
Sat Jan 17 12:27:20 UTC 2015


Just to update the bug for others scanning the RC bug list...

https://security-tracker.debian.org/tracker/CVE-2014-8545
- libav <not-affected> (Vulnerable code not present)
CVE-2014-8545[5]:
| libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the
| monochrome-black format without verifying that the bits-per-pixel
| value is 1, which allows remote attackers to cause a denial of service
| (out-of-bounds access) or possibly have unspecified other impact via
| crafted PNG data.

So this one can be discounted from the list.

Other patches exist as upstream commits linked from the security
tracker:

CVE-2014-8541, CVE-2014-8542, CVE-2014-8543, CVE-2014-8547,
CVE-2014-8548, CVE-2014-8549

https://git.libav.org/?p=libav.git;a=patch;h=809c3023b699c54c90511913d3b6140dd2436550
https://git.libav.org/?p=libav.git;a=patch;h=88626e5af8d006e67189bf10b96b982502a7e8ad
https://git.libav.org/?p=libav.git;a=patch;h=17ba719d9ba30c970f65747f42d5fbb1e447ca28
https://git.libav.org/?p=libav.git;a=patch;h=0b39ac6f54505a538c21fe49a626de94c518c903
https://git.libav.org/?p=libav.git;a=patch;h=d423dd72be451462c6fb1cbbe313bed0194001ab
https://git.libav.org/?p=libav.git;a=patch;h=cee4490b521fd0d02476d46aa2598af24fb8d686

Five CVEs therefore remain without upstream patches in libav:

https://security-tracker.debian.org/tracker/CVE-2014-8544
https://security-tracker.debian.org/tracker/CVE-2014-8546
https://security-tracker.debian.org/tracker/CVE-2014-9316
https://security-tracker.debian.org/tracker/CVE-2014-9318
https://security-tracker.debian.org/tracker/CVE-2014-9319 

Each of these has fixes upstream in ffmpeg but it'll need someone with
more familiarity with the mpeg source code than me to investigate
whether the fixes in ffmpeg can become fixes in libav.

-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/
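As an added illustration of the check the CVE-2014-8545 description refers to (this is not code from libav, FFmpeg or the bug report): a small PNG header parser that derives bits per pixel from the IHDR colour type and bit depth, then compares a rule that selects the 1-bit mono-black layout on bit depth alone with one that requires the whole pixel to be one bit. The `make_png_header`, `parse_ihdr` and `analyse` helpers and the sample headers are constructed for this example; the row-size arithmetic shows why the weaker rule under-sizes rows when the header is not spec-valid.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Channels per PNG colour type, and the bit depths the PNG spec allows for each.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}
ALLOWED_DEPTHS = {0: {1, 2, 4, 8, 16}, 2: {8, 16}, 3: {1, 2, 4, 8}, 4: {8, 16}, 6: {8, 16}}

def make_png_header(width, height, bit_depth, color_type):
    """Constructed sample input: PNG signature plus a CRC-correct IHDR chunk."""
    data = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + data + struct.pack(">I", crc)

def parse_ihdr(buf):
    """Return (width, height, bit_depth, color_type); reject a malformed header."""
    if buf[:8] != PNG_SIGNATURE:
        raise ValueError("bad PNG signature")
    length, ctype = struct.unpack(">I4s", buf[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    data = buf[16:29]
    if struct.unpack(">I", buf[29:33])[0] != (zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF):
        raise ValueError("IHDR CRC mismatch")
    width, height, bit_depth, color_type, *_ = struct.unpack(">IIBBBBB", data)
    return width, height, bit_depth, color_type

def bits_per_pixel(bit_depth, color_type):
    """Bits per pixel = bit depth x channel count for the colour type."""
    if color_type not in CHANNELS:
        raise ValueError(f"unknown colour type {color_type}")
    return bit_depth * CHANNELS[color_type]

def analyse(buf):
    """Compare the weak rule (depth == 1 alone) with the fixed rule (bpp == 1)."""
    width, height, bit_depth, color_type = parse_ihdr(buf)
    bpp = bits_per_pixel(bit_depth, color_type)
    # Row bytes a decoder would reserve if it treats the image as 1 bit per pixel,
    # versus the bytes a row of this header's real pixel size actually occupies.
    mono_row = (width + 7) // 8
    true_row = (width * bpp + 7) // 8
    return {
        "bits_per_pixel": bpp,
        "spec_valid": bit_depth in ALLOWED_DEPTHS[color_type],
        "weak_picks_mono": bit_depth == 1,         # depth-only check
        "fixed_picks_mono": bpp == 1,              # whole pixel must be one bit
        "row_overrun_bytes": true_row - mono_row,  # > 0: rows larger than assumed
    }
```

A defensive decoder should reject any header whose `spec_valid` is false before choosing a pixel layout, so the mono-black path is only ever reached with `bits_per_pixel == 1`.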
