Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 422537 (CVE-2011-3937)

Summary: <media-video/libav-0.8.3 : two Denial of Service vulnerabilities (CVE-2011-3937,CVE-2012-{0851,0852})
Product: Gentoo Security Reporter: Tomáš Chvátal (RETIRED) <scarabeus>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: media-video
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://libav.org/releases/libav-0.8.3.changelog
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Tomáš Chvátal (RETIRED) gentoo-dev 2012-06-20 11:24:42 UTC
Hello guys

see the URL/CVEs for the issues.

The fixed version is in cvs.

If you decide to go stable it needs following packages:

media-video/libav-0.8.3
media-libs/libpostproc-0.8.0.20120229
media-plugins/gst-plugins-ffmpeg-0.10.13-r2(the 0.10.13-r2 is first with unbundled ffmpeg the older use libav-0.7 which is affected)

The libpostproc has one known bug/build failure: bug#416451.
Comment 1 Tomáš Chvátal (RETIRED) gentoo-dev 2012-06-22 09:10:56 UTC
Ok arches please try these:

=media-video/libav-0.8.3
=media-video/libpostproc-0.8.0.20120229
=media-plugins/gst-plugins-ffmpeg-0.10.13-r2

Please pay extra attention to gst-plugins-ffmpeg as it first unbundled ffmpeg/libav version after 3 years.
Comment 2 Agostino Sarubbo gentoo-dev 2012-06-22 09:30:22 UTC
Thanks for the report. arches, go ahead (acked by lu_zero)
Comment 3 Agostino Sarubbo gentoo-dev 2012-06-22 09:34:34 UTC
(In reply to comment #1)
> =media-video/libpostproc-0.8.0.20120229

Typo, is media-libs/libpostproc
Comment 4 Agostino Sarubbo gentoo-dev 2012-06-22 11:07:53 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-06-23 05:13:13 UTC
(In reply to comment #4)
> amd64 stable

Check again.

Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2012-06-23 08:44:38 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > amd64 stable
> 
> Check again.
done
Comment 7 Andreas Schürch gentoo-dev 2012-06-27 12:56:34 UTC
(In reply to comment #1)

> Please pay extra attention to gst-plugins-ffmpeg as it first unbundled
> ffmpeg/libav version after 3 years.

See Bug 423829
Comment 8 Markus Meier gentoo-dev 2012-07-19 20:07:49 UTC
arm stable
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-08-01 07:11:28 UTC
x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-08-19 14:07:39 UTC
alpha/ia64/sparc stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-08-20 23:22:13 UTC
CVE-2012-0852 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0852):
  The adpcm_decode_frame function in adpcm.c in libavcodec in FFmpeg before
  0.9.1 and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before
  0.7.6, and 0.8.x before 0.8.3 allows remote attackers to cause a denial of
  service (application crash) and possibly execute arbitrary code via an ADPCM
  file with the number of channels not equal to two.

CVE-2012-0851 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0851):
  The ff_h264_decode_seq_parameter_set function in h264_ps.c in libavcodec in
  FFmpeg before 0.9.1 and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6,
  0.7.x before 0.7.6, and 0.8.x before 0.8.3 allows remote attackers to cause
  a denial of service (application crash) and possibly execute arbitrary code
  via a crafted H.264 file, related to the chroma_format_idc value.
Comment 12 Michael Weber (RETIRED) gentoo-dev 2012-08-23 08:46:19 UTC
ppc stable.
Comment 13 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-20 12:49:34 UTC
ppc64 stable, last arch done
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2012-09-20 23:31:40 UTC
Rerating B2 based on CVE descriptions which include code exec. Added to existing GLSA draft.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-10-20 01:15:27 UTC
This issue was resolved and addressed in
 GLSA 201210-06 at http://security.gentoo.org/glsa/glsa-201210-06.xml
by GLSA coordinator Sean Amoss (ackle).