Bug 420305 (CVE-2012-0947) - <media-video/ffmpeg-0.10.3: Multiple vulnerabilities (CVE-2012-{0947,2771,2773,2778,2780,2781,2805})
Status: RESOLVED FIXED
Alias: CVE-2012-0947
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Reported: 2012-06-08 18:59 UTC by Alexis Ballier
Modified: 2013-10-25 19:11 UTC
Description Alexis Ballier gentoo-dev 2012-06-08 18:59:26 UTC
1 month has passed, bugfix release of 0.10.2, same api, thanks!
Comment 1 Alexis Ballier gentoo-dev 2012-06-09 16:37:04 UTC
btw:

diff -u ffmpeg-0.10.2/Changelog ffmpeg-0.10.3/Changelog 
--- ffmpeg-0.10.2/Changelog	2012-03-16 21:45:47.000000000 -0300
+++ ffmpeg-0.10.3/Changelog	2012-05-05 19:51:35.000000000 -0400
@@ -3,6 +3,25 @@
 
 version next:
 
+
+version 0.10.3:
+
+- Security fixes in the 4xm demuxer, avi demuxer, cook decoder,
+  mm demuxer, mpegvideo decoder, vqavideo decoder (CVE-2012-0947) and
+  xmv demuxer.
+
+- Several bugs and crashes have been fixed in the following codecs: AAC,
+  APE, H.263, H.264, Indeo 4, Mimic, MJPEG, Motion Pixels Video, RAW,
+  TTA, VC1, VQA, WMA Voice, vqavideo.
+
+- Several bugs and crashes have been fixed in the following formats:
+  ASF, ID3v2, MOV, xWMA
+
+- This release additionally updates the following codecs to the
+  bytestream2 API, and therefore benefit from additional overflow
+  checks: truemotion2, utvideo, vqavideo
+
+


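Review bot: The first entry places CVE-2012-0947 after the vqavideo decoder only and lists the 4xm, avi, cook, mm, mpegvideo and xmv fixes with no identifier, so the Changelog alone does not let a packager map this release to advisories; add the identifier for each fix or a pointer to the project's security page. In the second entry the codec list names both "VQA" and "vqavideo", which reads like one decoder listed twice, and in the last entry "and therefore benefit" should be "which therefore benefit" so the verb agrees with the codecs.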
the first item might interest security team
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-06-10 23:23:54 UTC
(In reply to comment #1)
> 
> the first item might interest security team

Thanks, Alexis. 

http://ffmpeg.org/security.html lists these CVEs as fixed in 0.10.3:

CVE-2012-0947, CVE-2012-2771, CVE-2012-2773, CVE-2012-2778, CVE-2012-2780,
CVE-2012-2781, CVE-2012-2805
Comment 3 Agostino Sarubbo gentoo-dev 2012-06-11 13:11:01 UTC
amd64 stable
Comment 4 Andreas Schürch gentoo-dev 2012-06-13 16:17:03 UTC
x86 stable, thanks
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-06-13 16:47:53 UTC
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2012-06-17 20:00:17 UTC
arm stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2012-06-23 17:10:33 UTC
alpha/ia64/sparc stable
Comment 8 Michael Weber (RETIRED) gentoo-dev 2012-07-09 05:18:47 UTC
ppc stable
Comment 9 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-20 12:03:53 UTC
ppc64 stable, last arch done
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-20 13:17:46 UTC
Thanks, everyone.

Adding to existing GLSA draft.
Comment 11 Alexis Ballier gentoo-dev 2013-08-14 21:16:29 UTC
nothing left to do for media-video@
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:11:52 UTC
This issue was resolved and addressed in GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml by GLSA coordinator Sean Amoss (ackle).