Bug#773626: Available fixes for some of the issues

Sebastian Ramacher sramacher at debian.org
Sat Jan 17 12:40:38 UTC 2015 

On 2015-01-17 12:27:20, Neil Williams wrote:
> Just to update the bug for others scanning the RC bug list...
> 
> https://security-tracker.debian.org/tracker/CVE-2014-8545
> - libav <not-affected> (Vulnerable code not present)
> CVE-2014-8545[5]:
> | libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the
> | monochrome-black format without verifying that the bits-per-pixel
> | value is 1, which allows remote attackers to cause a denial of service
> | (out-of-bounds access) or possibly have unspecified other impact via
> | crafted PNG data.
> 
> So this one can be discounted from the list.
> 
> Other patches exist as upstream commits linked from the security
> tracker:
> 
> CVE-2014-8541, CVE-2014-8542, CVE-2014-8543, CVE-2014-8547,
> CVE-2014-8548, CVE-2014-8549
> 
> https://git.libav.org/?p=libav.git;a=patch;h=809c3023b699c54c90511913d3b6140dd2436550
> https://git.libav.org/?p=libav.git;a=patch;h=88626e5af8d006e67189bf10b96b982502a7e8ad
> https://git.libav.org/?p=libav.git;a=patch;h=17ba719d9ba30c970f65747f42d5fbb1e447ca28
> https://git.libav.org/?p=libav.git;a=patch;h=0b39ac6f54505a538c21fe49a626de94c518c903
> https://git.libav.org/?p=libav.git;a=patch;h=d423dd72be451462c6fb1cbbe313bed0194001ab
> https://git.libav.org/?p=libav.git;a=patch;h=cee4490b521fd0d02476d46aa2598af24fb8d686
> 
> Five CVEs therefore remain without upstream patches in libav:
> 
> https://security-tracker.debian.org/tracker/CVE-2014-8544
> https://security-tracker.debian.org/tracker/CVE-2014-8546
> https://security-tracker.debian.org/tracker/CVE-2014-9316
> https://security-tracker.debian.org/tracker/CVE-2014-9318
> https://security-tracker.debian.org/tracker/CVE-2014-9319 
> 
> Each of these has fixes upstream in ffmpeg but it'll need someone with
> more familiarity with the mpeg source code than me to investigate
> whether the fixes in ffmpeg can become fixes in libav.

Thanks for taking the time for investigating the issue. We are currently
waiting for 11.2 tarballs to appear. They have been taged already and
tarball just needs to be released.

Cheers
-- 
Sebastian Ramacher
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20150117/db873b54/attachment.sig>

More information about the pkg-multimedia-maintainers mailing list