Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 548006 (CVE-2015-3395)

Summary: <media-video/ffmpeg-2.6.3: out of array access (CVE-2015-3395)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: media-video
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://ffmpeg.org/security.html
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 547462    
Bug Blocks: 485228    

Description Agostino Sarubbo gentoo-dev 2015-04-28 13:03:17 UTC 
From ${URL} :

FFmpeg 2.6.2 Fixes following vulnerabilities:

CVE-2015-3395, dfce316c12d867400fb132ff5094163e3d2634a3 / f7e1367f58263593e6cee3c282f7277d7ee9d553


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexis Ballier gentoo-dev 2015-04-28 14:07:07 UTC 
from $url:
2.2.15
Fixes following vulnerabilities:

CVE-2015-3395, 33877cd276f99fc234b5269d9d158ce71e50d363 / f7e1367f58263593e6cee3c282f7277d7ee9d553


that can go stable (some arches already have 2.2.14, see bug #538798 )

ps: whiteboard is wrong
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-06-18 11:58:54 UTC 
1.2.6 and 2.2.14 both need to be removed from stable.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-06-21 00:37:31 UTC 
CVE-2015-3395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3395):
  The msrle_decode_pal4 function in msrledec.c in Libav before 10.7 and 11.x
  before 11.4 and FFmpeg before 2.0.7, 2.2.x before 2.2.15, 2.4.x before
  2.4.8, 2.5.x before 2.5.6, and 2.6.x before 2.6.2 allows remote attackers to
  have unspecified impact via a crafted image, related to a pixel pointer,
  which triggers an out-of-bounds array access.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-07-01 12:27:55 UTC 
Fixed in 2.0.7, 2.2.15, 2.4.8, 2.5.6, 2.6.2, 2.7

0.10.16 & 1.0.10 - Vulnerable (Not fixed as per ffmpeg page)
Could not find fixes for 1.2.X

Need to stabilize: 
2.2.15 - in Tree
2.6.3  - Is stabilized as part of 547462

Setting to stable? for 2.2.15
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-08-14 14:37:43 UTC 
Everything below 2.6.3 was cleaned up from tree.

New GLSA Request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 11:21:46 UTC 
This issue was resolved and addressed in
 GLSA 201603-06 at https://security.gentoo.org/glsa/201603-06
by GLSA coordinator Kristian Fiskerstrand (K_F).