CVE-2013-7024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7024): The jpeg2000_decode_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not consider the component number in certain calculations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data.
CVE-2013-7023 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7023): The ff_combine_frame function in libavcodec/parser.c in FFmpeg before 2.1 does not properly handle certain memory-allocation errors, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted data.
CVE-2013-7022 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7022): The g2m_init_buffers function in libavcodec/g2meet.c in FFmpeg before 2.1 does not properly allocate memory for tiles, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Go2Webinar data.
CVE-2013-7021 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7021): The filter_frame function in libavfilter/vf_fps.c in FFmpeg before 2.1 does not properly ensure the availability of FIFO content, which allows remote attackers to cause a denial of service (double free) or possibly have unspecified other impact via crafted data.
CVE-2013-7020 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7020): The read_header function in libavcodec/ffv1dec.c in FFmpeg before 2.1 does not properly enforce certain bit-count and colorspace constraints, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted FFV1 data.
CVE-2013-7019 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7019): The get_cox function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not properly validate the reduction factor, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data.
CVE-2013-7018 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7018): libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not ensure the use of valid code-block dimension values, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data.
CVE-2013-7017 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7017): libavcodec/jpeg2000.c in FFmpeg before 2.1 allows remote attackers to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via crafted JPEG2000 data.
CVE-2013-7016 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7016): The get_siz function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not ensure the expected sample separation, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data.
CVE-2013-7015 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7015): The flashsv_decode_frame function in libavcodec/flashsv.c in FFmpeg before 2.1 does not properly validate a certain height value, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Flash Screen Video data.
CVE-2013-7014 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7014): Integer signedness error in the add_bytes_l2_c function in libavcodec/pngdsp.c in FFmpeg before 2.1 allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted PNG data.
CVE-2013-7013 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7013): The g2m_init_buffers function in libavcodec/g2meet.c in FFmpeg before 2.1 uses an incorrect ordering of arithmetic operations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Go2Webinar data.
CVE-2013-7012 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7012): The get_siz function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not prevent attempts to use non-zero image offsets, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data.
CVE-2013-7011 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7011): The read_header function in libavcodec/ffv1dec.c in FFmpeg before 2.1 does not prevent changes to global parameters, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted FFV1 data.
CVE-2013-7010 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7010): Multiple integer signedness errors in libavcodec/dsputil.c in FFmpeg before 2.1 allow remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted data.
CVE-2013-7009 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7009): The rpza_decode_stream function in libavcodec/rpza.c in FFmpeg before 2.1 does not properly maintain a pointer to pixel data, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Apple RPZA data.
CVE-2013-7008 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7008): The decode_slice_header function in libavcodec/h264.c in FFmpeg before 2.1 incorrectly relies on a certain droppable field, which allows remote attackers to cause a denial of service (deadlock) or possibly have unspecified other impact via crafted H.264 data.
Please note that this does affect all current stable versions, including the 0.10 slot.
@maintainers: what are your plans for FFmpeg 2 going unmasked and stable?
Why is it still masked? Any particular reason?
I am wondering the same thing.
(In reply to piruthiviraj natarajan from comment #1)
> Why is it still masked?
>
> Any particular reason?
(In reply to salamanderrake from comment #2)
> I am wondering the same thing.
Because of this bug, https://bugs.gentoo.org/show_bug.cgi?id=476490 , ffmpeg-2 breaks compatibility with several packages
Setting 476490 as Blocker.
http://ffmpeg.org/security.html marks it as fixed in 2.1; 2.2.12+ is thus enough.
Since 1.1.X and 1.2.X are no longer maintained and 2.2.14 is being stabilized, but higher version without bugs is 2.2.15. Once stabilized we can clean up 1.1.x and 1.2.x.
Setting dependency on: 548006
This issue was resolved and addressed in GLSA 201603-06 at https://security.gentoo.org/glsa/201603-06 by GLSA coordinator Kristian Fiskerstrand (K_F).