From Secunia advisory at $URL:

Description

Multiple vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to compromise an application using the library.

1) A format string error exists within the "srt_to_ass()" function (libavcodec/srtdec.c) when parsing certain parameters.
2) An integer overflow error exists within the "dirac_unpack_block_motion_data()" function (libavcodec/diracdec.c) when handling certain motion data.
3) An integer overflow error exists within the "sws_init_context()" function (libswscale/utils.c) when decoding certain scale data.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are reported in versions prior to 0.10.1.

Solution

Update to version 0.10.1 or later.
@aballier, is 0.10.2 ready to go to stable?
(In reply to comment #1)
> @aballier, is 0.10.2 ready to go to stable?

I'd say yes; the API/ABI should be similar. However, to be on the safe side, a tinderbox run would be better. You can revert http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/media-video/ffmpeg/ffmpeg-0.10.2.ebuild?r1=1.2&r2=1.3 if you wish, but then people may hit bug #405083.
Arches, please test and mark stable:

=media-video/ffmpeg-0.10.2

Target KEYWORDS: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 stable
(In reply to comment #3)
> Arches, please test and mark stable:
>
> =media-video/ffmpeg-0.10.2

How about virtual/ffmpeg-0.10.2?
(In reply to comment #5)
> (In reply to comment #3)
> > Arches, please test and mark stable:
> >
> > =media-video/ffmpeg-0.10.2
>
> How about virtual/ffmpeg-0.10.2?

Only when it'll be needed, otherwise updating world will force libav users to go back to ffmpeg.
(In reply to comment #6)
> > How about virtual/ffmpeg-0.10.2?
>
> only when it'll be needed, otherwise updating world will force libav users
> to go back to ffmpeg.

OK, removing amd64 again. Stable for HPPA.
Finally, x86 stable! Thanks all!!
alpha/arm/ia64/sparc stable
ppc/ppc64 done
Thanks, everyone. Added to existing GLSA request.
Nothing left to do for media-video@
This issue was resolved and addressed in GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml by GLSA coordinator Sean Amoss (ackle).