Bug 548006 (CVE-2015-3395) - <media-video/ffmpeg-2.6.3: out of array access (CVE-2015-3395)
Status: RESOLVED FIXED
Alias: CVE-2015-3395
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: http://ffmpeg.org/security.html
Whiteboard: B2 [glsa cve]
Depends on: ffmpeg-2.6-stable
Blocks: 485228
Reported: 2015-04-28 13:03 UTC by Agostino Sarubbo
Modified: 2016-03-12 11:21 UTC
Description Agostino Sarubbo gentoo-dev 2015-04-28 13:03:17 UTC
From ${URL} :

FFmpeg 2.6.2 Fixes following vulnerabilities:

CVE-2015-3395, dfce316c12d867400fb132ff5094163e3d2634a3 / f7e1367f58263593e6cee3c282f7277d7ee9d553


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexis Ballier gentoo-dev 2015-04-28 14:07:07 UTC
from $url:
2.2.15
Fixes following vulnerabilities:

CVE-2015-3395, 33877cd276f99fc234b5269d9d158ce71e50d363 / f7e1367f58263593e6cee3c282f7277d7ee9d553


that can go stable (some arches already have 2.2.14, see bug #538798)

ps: whiteboard is wrong
Comment 2 stanley - Security Padawan 2015-06-18 11:58:54 UTC
1.2.6 and 2.2.14 both need to be removed from stable.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-06-21 00:37:31 UTC
CVE-2015-3395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3395):
  The msrle_decode_pal4 function in msrledec.c in Libav before 10.7 and 11.x
  before 11.4 and FFmpeg before 2.0.7, 2.2.x before 2.2.15, 2.4.x before
  2.4.8, 2.5.x before 2.5.6, and 2.6.x before 2.6.2 allows remote attackers to
  have unspecified impact via a crafted image, related to a pixel pointer,
  which triggers an out-of-bounds array access.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2015-07-01 12:27:55 UTC
Fixed in 2.0.7, 2.2.15, 2.4.8, 2.5.6, 2.6.2, 2.7

0.10.16 & 1.0.10 - Vulnerable (Not fixed as per ffmpeg page)
Could not find fixes for 1.2.X

Need to stabilize: 
2.2.15 - in Tree
2.6.3  - Is stabilized as part of 547462

Setting to stable? for 2.2.15
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2015-08-14 14:37:43 UTC
Everything below 2.6.3 was cleaned up from tree.

New GLSA Request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 11:21:46 UTC
This issue was resolved and addressed in
 GLSA 201603-06 at https://security.gentoo.org/glsa/201603-06
by GLSA coordinator Kristian Fiskerstrand (K_F).