Summary: | <media-video/libav-0.8.3 : two Denial of Service vulnerabilities (CVE-2011-3937,CVE-2012-{0851,0852}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tomáš Chvátal (RETIRED) <scarabeus> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | media-video |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://libav.org/releases/libav-0.8.3.changelog | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Tomáš Chvátal (RETIRED)
2012-06-20 11:24:42 UTC
Ok arches please try these: =media-video/libav-0.8.3 =media-video/libpostproc-0.8.0.20120229 =media-plugins/gst-plugins-ffmpeg-0.10.13-r2 Please pay extra attention to gst-plugins-ffmpeg as it first unbundled ffmpeg/libav version after 3 years. Thanks for the report. arches, go ahead (acked by lu_zero) (In reply to comment #1) > =media-video/libpostproc-0.8.0.20120229 Typo, is media-libs/libpostproc amd64 stable (In reply to comment #4) > amd64 stable Check again. Stable for HPPA. (In reply to comment #5) > (In reply to comment #4) > > amd64 stable > > Check again. done (In reply to comment #1) > Please pay extra attention to gst-plugins-ffmpeg as it first unbundled > ffmpeg/libav version after 3 years. See Bug 423829 arm stable x86 stable alpha/ia64/sparc stable CVE-2012-0852 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0852): The adpcm_decode_frame function in adpcm.c in libavcodec in FFmpeg before 0.9.1 and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.6, and 0.8.x before 0.8.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an ADPCM file with the number of channels not equal to two. CVE-2012-0851 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0851): The ff_h264_decode_seq_parameter_set function in h264_ps.c in libavcodec in FFmpeg before 0.9.1 and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.6, and 0.8.x before 0.8.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted H.264 file, related to the chroma_format_idc value. ppc stable. ppc64 stable, last arch done Rerating B2 based on CVE descriptions which include code exec. Added to existing GLSA draft. This issue was resolved and addressed in GLSA 201210-06 at http://security.gentoo.org/glsa/glsa-201210-06.xml by GLSA coordinator Sean Amoss (ackle). |