Bug#785326: libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in libavcodec/vorbisdec.c

Arne Wichmann aw at anhrefn.saar.de
Tue May 19 09:38:26 UTC 2015



[reformatted]
begin quotation from Sebastian Ramacher (in <20150518184906.GA22617 at ramacher.at>):
> On 2015-05-18 20:01:47, Alessandro Ghedini wrote:
> > On Sat, May 16, 2015 at 03:43:37PM +0200, Alessandro Ghedini wrote:
> > > On Sat, May 16, 2015 at 03:07:57PM +0200, Sebastian Ramacher wrote:
> > > > On 2015-05-15 15:22:28, Alessandro Ghedini wrote:
> > > > > On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote:
> > > > > > On 2015-05-14 20:41:15, Arne Wichmann wrote:
> > > > > > > Hi, as far as I can see this has not yet been reported or fixed:
> > > > > > > 
> > > > > > > CVE-2014-7937 : Multiple off-by-one errors in
> > > > > > > libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in
> > > > > > > Google Chrome before 40.0.2214.91, allow remote attackers to
> > > > > > > cause a denial of service (use-after-free) or possibly
> > > > > > > have unspecified other impact via crafted Vorbis I data [1]
> > > > > > > 
> > > > > > > I marked this as grave as the impact is unclear and might
> > > > > > > > include arbitrary code execution. Feel free to downgrade if
> > > > > > > this can be ruled out.
> > > > > > > 
> > > > > > > (Actually I would like to have a look at the test case to
> > > > > > > check a bit more thoroughly, but AFAICS I would need to talk
> > > > > > > to google for this.)
> > > > > > > 
> > > > > > > [1] https://security-tracker.debian.org/tracker/CVE-2014-7937
> > > > > > >   https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html
> > > > > > 
> > > > > > A similar commit to the one maintained in this mailing list
> > > > > > post was applied to 11.3. So closing with that version.
> > > > > 
> > > > > Do you mean the patch at [0]? Honestly it doesn't look like the
> > > > > ffmpeg patch at all, and the commit message doesn't even mention
> > > > > the bug fix. How can you be so sure that the bug is fixed?
> > > > 
> > > > I might have read the commit wrong. Do you have a sample for this CVE?
> > > 
> > > Unfortunately the reproducer isn't public. I contacted
> > > ffmpeg-security about it, I'll keep you posted.
> > 
> > I got the reproducer from ffmpeg and it seems that libav in sid isn't
> > affected like Sebastian said. So yeah, this bug should stay closed. I
> > don't know if the patch linked above is what fixed the issue though.
> 
> Great!

Thank you for checking. I am not amused about the closedness with which
this was handled - but I am very sure that you are not to blame for this.

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw at linux.de)



More information about the pkg-multimedia-maintainers mailing list