Summary: | <media-video/ffmpeg-0.7.8 multiple vulnerabilities (CVE-2011-{4351,4352,4353}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Sean Amoss (RETIRED) <ackle>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | |
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://ffmpeg.org/#pr7dot8and8dot7 | |
Whiteboard: | B2 [glsa] | |
Package list: | | Runtime testing required: | ---
Description
Sean Amoss (RETIRED)
2011-11-22 19:04:30 UTC
0.7.8 is in the tree now

Thanks. Is =media-video/ffmpeg-0.7.8 ready for stabilization?

(In reply to comment #2)
> Thanks. Is =media-video/ffmpeg-0.7.8 ready for stabilization?

Yes, as usually =)

Arches, please test and mark stable:
=media-video/ffmpeg-0.7.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

amd64 ok

@aballier, I guess that x11-libs/libXfixes is missing as RDEP.

amd64: pass

+ 28 Nov 2011; Tony Vroon <chainsaw@gentoo.org> ffmpeg-0.7.8.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+ Elijah "Armageddon" El Lazkani in security bug #391421.

Stable for HPPA.

x86 stable

alpha/arm/ia64/sh/sparc stable

ppc/ppc64 done

Thanks folks. Added to existing GLSA request.

CVE-2011-4353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4353):
The (1) av_image_fill_pointers, (2) vp5_parse_coeff, and (3) vp6_parse_coeff functions in FFmpeg 0.5.x before 0.5.7, 0.6.x before 0.6.4, 0.7.x before 0.7.9, and 0.8.x before 0.8.8; and in Libav 0.5.x before 0.5.6, 0.6.x before 0.6.4, and 0.7.x before 0.7.3 allow remote attackers to cause a denial of service (out-of-bounds read) via a crafted VP5 or VP6 stream.

CVE-2011-4352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4352):
Integer overflow in the vp3_dequant function in the VP3 decoder (vp3.c) in libavcodec in FFmpeg 0.5.x before 0.5.7, 0.6.x before 0.6.4, 0.7.x before 0.7.9, and 0.8.x before 0.8.8; and in Libav 0.5.x before 0.5.6, 0.6.x before 0.6.4, and 0.7.x before 0.7.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VP3 stream, which triggers a buffer overflow.

nothing left to do for media-video@

This issue was resolved and addressed in GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml by GLSA coordinator Sean Amoss (ackle).