| Summary: | media-video/ffmpeg: "field_end()" Denial of Service Vulnerability (CVE-2013-0869) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | media-video |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/54826/ | | |
| Whiteboard: | B3 [noglsa/cve] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2013-09-14 07:00:15 UTC
CVE-2013-0869 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0869): The field_end function in libavcodec/h264.c in FFmpeg before 1.1.2 allows remote attackers to have an unspecified impact via crafted H.264 data, related to an SPS and slice mismatch and an out-of-bounds array access.

http://ffmpeg.org/security.html lists 1.1.2 and 0.11.4 as fixing this; current stable 1.2.6 is unaffected.

With the verification, going to cleanup directly. Two versions need cleanup: 1.0.10, 0.10.15

Maintainer(s), please drop the vulnerable versions.

Security, please vote on GLSA.

GLSA Vote: No

(In reply to Yury German from comment #3)
> With the verification, going to cleanup directly. Two versions need cleanup:
> 1.0.10, 0.10.15
> Maintainer(s), please drop the vulnerable versions.

Have you checked that nothing depends on these slots?

(In reply to Alexis Ballier from comment #4)
> (In reply to Yury German from comment #3)
> > With the verification, going to cleanup directly. Two versions need cleanup:
> > 1.0.10, 0.10.15
> > Maintainer(s), please drop the vulnerable versions.
>
> Have you checked that nothing depends on these slots?

That would be part of the maintainer's responsibility. If packages in fact depend on versions expected to be vulnerable, fixes would have to be backported to them.

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).

Maintainer(s), thank you for cleanup.

Thank you all. Closing as noglsa.