| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <media-video/ffmpeg-{2.8.10,3.1.4}: multiple vulnerabilities | | |
| Product | Gentoo Security | Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | major | CC | media-video |
| Priority | Normal | Flags | stable-bot: sanity-check+ |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://www.openwall.com/lists/oss-security/2016/10/08/1 | | |
| Whiteboard | A2 [glsa cve cleanup] | | |
| Package list | =media-video/ffmpeg-2.8.10 | | |
| Runtime testing required | --- | | |
Description

Agostino Sarubbo
2016-10-10 10:37:25 UTC

From http://ffmpeg.org/security.html:

FFmpeg 2.8

2.8.9 Fixes following vulnerabilities:

- CVE-2016-7502, 69b00a7fb6faa1b19b5687a5762ff4f94d5ff9aa / 0e318f110bcd6bb8e7de9127f2747272e60f48d7
- CVE-2016-7785, a772613100514842008271c8d0e5d63a6979f9bf / 14bac7e00d72eac687612d9b125e585011a56d4f
- CVE-2016-7905, 239f75d6c3dfbe4def80a12913d5737dd5a5bbcc / 2679ad4773aa356e7c3da5c68bc81f02a194617f
- CVE-2016-7562, ab737ab31d4f126ed5a13a6a0498824141925108 / 69449da436169e7facaa6d1f3bcbc41cf6ce275

2.8.8 Fixes following vulnerabilities:

- CVE-2016-6164, 054db631200c9940bc72e4dec2cb3c75e613abaf / 8a3221cc67a516dfc1700bdae3566ec52c7ee823
- CVE-2016-6881, e965fedf7e94b7e50cd11be00fa729ee8faeb21b / a453bbb68f3eec202673728988bba3bc76071761
- CVE-2016-7122, 8ddeae57ae727966ac7588cf34ff56558fe3ffd1 / e4e4a9cad7f21593d4bcb1f2404ea0d373c36c43
- CVE-2016-7450, f8dcc9e7189709c68829b0fa7a98941fdf916d68 / a5af1240fce845f645440364c1335e0f8e44ee6c

Comment #1
Alexis Ballier

What's left:

CVE-2016-6164/CVE-2016-6881: Fixed upstream but I can't find them in your report.

CVE-2016-7555: Only mention of it upstream is in 3.0+, my bet would be 2.8 is unaffected.

Comment #2

(In reply to Alexis Ballier from comment #1)
> CVE-2016-7555: Only mention of it upstream is in 3.0+, my bet would be 2.8
> is unaffected.

Yep, 2.8 is unaffected:

CVE-2016-7555, fb7617df4eb13659fa20cb535888c10eac0fdb77 / b98dafe04564d5fe3e5bf5073d871dd93a4a62de

The fields freed by this commit are either already freed in 2.8.10 current code or fields that were not present in 2.8.

So we can proceed to stabilizing ffmpeg-2.8.10 I think.

Comment #3

@ Arches, please test and mark stable:
=media-video/ffmpeg-2.8.10

Arch team replies:

- amd64 stable
- x86 stable
- sparc stable
- arm stable
- ppc stable
- Stable for HPPA.
- Stable on alpha.
- ia64 stable
- ppc64 stable.

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

This issue was resolved and addressed in GLSA 201701-71 at https://security.gentoo.org/glsa/201701-71 by GLSA coordinator Thomas Deutschmann (whissi).