More info at $URL. Libav is also affected, but doesn't have a stable keyword atm.
go for 0.7.3 that I just added
Arches, please test and mark stable:
=media-video/ffmpeg-0.7.3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
*** Bug 376921 has been marked as a duplicate of this bug. ***
tested also: media-libs/x264-0.0.20110426 both ok on amd64
+ 18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> x264-0.0.20110426.ebuild: + Marked stable on AMD64 as a dependency of media-video/ffmpeg based on arch + testing by Agostino "ago" Sarubbo in security bug #378801. + 18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> ffmpeg-0.7.3.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in + security bug #378801.
Since x264-0.0.20110426 is stabilized please don't forget to stabilize media-video/x264-encoder-0.0.20110426.
(In reply to comment #6)
> Since x264-0.0.20110426 is stabilized please don't forget to stabilize
> media-video/x264-encoder-0.0.20110426.
The dependency tree does not require this. Keep in mind that this is a security stabling, which happens on the fast track and should be minimally invasive. Please file a separate bug.
ppc/ppc64 stable
(In reply to comment #7)
> (In reply to comment #6)
> > Since x264-0.0.20110426 is stabilized please don't forget to stabilize
> > media-video/x264-encoder-0.0.20110426.
>
> The dependency tree does not require this. Keep in mind that this is a security
> stabling, which happens on the fast track and should be minimally invasive.
> Please file a separate bug.
it does require it because by not doing it you're making ffmpeg and x264-encoder uninstallable at the same time in the stable tree...
@x86 Works for me with the following USE. Not tried more combinations, just installed on my laptop and works.
[ebuild R ~] media-video/ffmpeg-0.7.3 USE="3dnow 3dnowext X aac alsa bzip2 custom-cflags encode hardcoded-tables jpeg2k mmx mmxext mp3 pic ssse3 threads x264 zlib"
x86 stable. Thanks
(In reply to comment #9)
> it does require it because by not doing it you're making ffmpeg and
> x264-encoder uninstallable at the same time in the stable tree...
P.S. I did include the following packages
=media-video/ffmpeg-0.7.3
=media-libs/x264-0.0.20110426
=media-video/x264-encoder-0.0.20110426
Am I understanding correctly that these packages all need to be stabilized at the same time?
=media-video/ffmpeg-0.7.3
=media-libs/x264-0.0.20110426
=media-video/x264-encoder-0.0.20110426
(In reply to comment #13)
> Am I understanding correctly that these packages all need to be stabilized at
> the same time?
>
> =media-video/ffmpeg-0.7.3
> =media-libs/x264-0.0.20110426
> =media-video/x264-encoder-0.0.20110426
=media-libs/x264-0.0.20110426 is a dependency of ffmpeg. The consequence of not stabilizing =media-video/x264-encoder-0.0.20110426 is that users installing it will probably have their package manager downgrade ffmpeg and x264 to the insecure versions.
(In reply to comment #14)
> =media-libs/x264-0.0.20110426 is a dependency of ffmpeg.
> The consequence of not stabilizing =media-video/x264-encoder-0.0.20110426 is
> that users installing it will probably have their package manager downgrade
> ffmpeg and x264 to the insecure versions.
Ok, thanks, Thomas. Arches, the complete list of targets is:
=media-video/ffmpeg-0.7.3
=media-libs/x264-0.0.20110426
=media-video/x264-encoder-0.0.20110426
Readding amd64, ppc and ppc64. Please also stabilize =media-video/x264-encoder-0.0.20110426. Thanks.
19 Aug 2011; Kacper Kowalik <xarthisius@gentoo.org> x264-encoder-0.0.20110426.ebuild: ppc/ppc64 stable wrt #378801
amd64 done
*** Bug 379719 has been marked as a duplicate of this bug. ***
Stable for HPPA.
arm stable
alpha/ia64/sparc stable
thanks all, adding glsa request.
Thanks, everyone.
(In reply to comment #22)
> thanks all, adding glsa request.
Thanks a lot for helping with these bugs. Please let the security team change from [stable] to [glsa]. We have to add the GLSA request into another tool. Once you are officially part of the security team you will have access to that tool too. Thanks!
GLSA request added in GLSAmaker.
CVE-2011-3362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3362): Integer signedness error in the decode_residual_block function in cavsdec.c in libavcodec in FFmpeg before 0.7.3 and 0.8.x before 0.8.2, and libav through 0.7.1, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Chinese AVS video (aka CAVS) file.
nothing left to do for media-video@
This issue was resolved and addressed in GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml by GLSA coordinator Sean Amoss (ackle).