Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 183145
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Matt Drew <aetius@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 183145 depends on: Show dependency tree
Bug 183145 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2007-06-25 13:52 0000 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3329

The xvid library is vulnerable to some array indexing problems when processing
Avi, H.263, or MPEG files.

As of 25 June there's no patch, it may be that the maintainers don't even know
about this yet.

------- Comment #1 From Matt Drew 2007-06-25 13:55:49 0000 ------- 
setting status.

------- Comment #2 From Carsten Lohrke 2007-06-27 15:15:21 0000 ------- 
head is patched: 

http://cvs.xvid.org/cvs/viewvc.cgi/xvidcore/src/bitstream/mbcoding.c

------- Comment #3 From Kai 2007-06-28 19:55:15 0000 ------- 
xvid-1.1.3 was released today w/this fix

------- Comment #4 From Jakub Moc (RETIRED) 2007-06-30 23:58:46 0000 ------- 
*** Bug 183786 has been marked as a duplicate of this bug. ***

------- Comment #5 From Samuli Suominen 2007-07-03 15:27:26 0000 ------- 
Bumped but temp. masked for testing. Security, don't do anything yet..

Applications in tree using xvid:

media-tv/xdtv:xvid
media-video/avidemux:xvid
media-video/ffmpeg:xvid 
media-video/gpac:xvid
media-video/mpeg4ip:xvid
media-video/mplayer:xvid
media-video/transcode:xvid

Reporting back here when it's tested and unmasked.

------- Comment #6 From Samuli Suominen 2007-07-03 16:09:46 0000 ------- 
Text relocation from bug 135326 is still present at version 1.1.3 which is now
unmasked, it's NOT a regression to current stable 1.1.0-r3. I've tested mplayer
and ffmpeg with multiple video files and they are fine.

Proceed and let arch teams test[1] and stable it.

[1] Would be nice to have input from arch testers about other applications
listed in this bug.

------- Comment #7 From Matt Drew 2007-07-12 13:17:40 0000 ------- 
ok moving to stable.  Arches, please stabilize:

media-libs/xvid-1.1.3

Sorry about the delay.

------- Comment #8 From Gustavo Zacarias (RETIRED) 2007-07-12 13:46:29 0000 ------- 
sparc stable.

------- Comment #9 From Jeroen Roovers 2007-07-12 18:07:19 0000 ------- 
Stable for HPPA.

------- Comment #10 From Markus Rothe 2007-07-12 18:31:54 0000 ------- 
ppc64 stable

------- Comment #11 From Raúl Porcel 2007-07-12 21:18:34 0000 ------- 
alpha/x86 stable

------- Comment #12 From Steve Dibb 2007-07-13 00:27:26 0000 ------- 
amd64 stable

------- Comment #13 From Raúl Porcel 2007-07-13 13:47:59 0000 ------- 
ia64 stable, thanks drac for fixing this :)

------- Comment #14 From Tobias Scherbaum 2007-07-15 21:17:26 0000 ------- 
ppc stable

------- Comment #15 From Matt Drew 2007-07-30 10:37:45 0000 ------- 
arm folks, any progress?  I'm going ahead with the glsa-request on this, since
we're already late.

------- Comment #16 From Pierre-Yves Rofes 2007-07-30 11:28:00 0000 ------- 
arm is not security supported, and the glsa has already been drafted by
Dercorny, you may review it, and others drafts too actually :)

------- Comment #17 From Mr. Bones. 2007-07-31 21:49:18 0000 ------- 
xvid-1.0.2.ebuild:KEYWORDS="~mips"
xvid-1.0.3.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
xvid-1.1.0-r1.ebuild:KEYWORDS="alpha amd64 ~arm hppa ~ia64 ppc ppc64 sparc x86
~x86-fbsd"
xvid-1.1.0-r3.ebuild:KEYWORDS="alpha amd64 arm ~hppa ia64 ~ppc ppc64 sparc x86
~x86-fbsd"
xvid-1.1.3.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
~x86-fbsd"

Looks done to me except for ~mips at xvid-1.0.2

------- Comment #18 From Pierre-Yves Rofes 2007-08-08 21:58:55 0000 ------- 
GLSA 200708-02, thanks everybody.
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug