From ${URL} : [$2000][427266] High CVE-2014-7933: Use-after-free in FFmpeg. Credit to Aki Helin of OUSPG. [$1500][419060] High CVE-2014-7937: Use-after-free in FFmpeg. Credit to Atte Kettunen of OUSPG. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Fixed in 2.0.7, 2.1.6, 2.2.9, 2.3.5, 2.4.2, 2.5 0.10.16 & 1.0.10 - Vulnerable (Not fixed as per ffmpeg page) Could not find fixes for 1.2.X [$2000][427266] High CVE-2014-7933: Use-after-free in FFmpeg. Credit to Aki Helin of OUSPG. - Google Chrome Vulnerability 2.2.14 is being stabilized bug #538798, but it is vulnerable. Setting dependency on bug #548006 - which needs to stabilize 2.2.15
(In reply to Yury German from comment #1) > 0.10.16 & 1.0.10 - Vulnerable (Not fixed as per ffmpeg page) > Could not find fixes for 1.2.X yes, upstream dropped maintainance of them some time ago
CVE-2014-7937 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7937): Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data.
This issue was resolved and addressed in GLSA 201603-06 at https://security.gentoo.org/glsa/201603-06 by GLSA coordinator Kristian Fiskerstrand (K_F).
