From ${URL} :
CVE-2016-7562: ff_draw_pc_font in ffmpeg before 3.1.4 uses an incorrect font_height value, which allows remote attackers to cause an out-of-bounds array write in the ffmpeg service when it uses 'ansi' to decode an AVI file with a crafted 'strf' struct. Fix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/496267f8e9ec218351e4359e1fde48722d4fc804
CVE-2016-7122: avi_read_nikon in ffmpeg before 3.1.4 is vulnerable to an infinite loop when it decodes an AVI file with a crafted 'nctg' struct. Fix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ed38046c5c2e3b310980be32287179895c83e0d8
CVE-2016-7450: i2f in ffmpeg before 3.1.4 uses an incorrect re_signal value, which results in an out-of-bounds array read. Fix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ac8ac46641adef208485baebc3734463bf0bd266
CVE-2016-7502: cavs_idct8_add_c in ffmpeg before 3.1.4 uses an incorrect block value, which results in an out-of-bounds array read. Fix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9d738e6968757d4e70c8e07e0b720ac0004accc4
CVE-2016-7555: avi_read_header in ffmpeg before 3.1.4 is vulnerable to a memory leak when it decodes an AVI file with a crafted 'strh' struct. Fix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/8834e080c20d3d23c3ffe779371359f9b9b835ec
CVE-2016-7785: avi_read_seek in ffmpeg before 3.1.4 uses an incorrect scale value, which allows remote attackers to cause an assertion failure (denial of service) via an AVI file with a crafted 'strh' struct. Fix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/c8c5f66b42edc37474baa5cb51460cbf6f33075b
CVE-2016-7905: read_gab2_sub in ffmpeg before 3.1.4 is vulnerable to a null-pointer exception when it decodes an AVI file with a crafted 'gab2' struct. Fix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/622ccbd8ab894e3ac6cdf607e3d4f39e406786e9
Reported by LianYihan in Qihoo 360 Gear Team.
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
From http://ffmpeg.org/security.html:
FFmpeg 2.8
2.8.9 Fixes following vulnerabilities:
CVE-2016-7502, 69b00a7fb6faa1b19b5687a5762ff4f94d5ff9aa / 0e318f110bcd6bb8e7de9127f2747272e60f48d7
CVE-2016-7785, a772613100514842008271c8d0e5d63a6979f9bf / 14bac7e00d72eac687612d9b125e585011a56d4f
CVE-2016-7905, 239f75d6c3dfbe4def80a12913d5737dd5a5bbcc / 2679ad4773aa356e7c3da5c68bc81f02a194617f
CVE-2016-7562, ab737ab31d4f126ed5a13a6a0498824141925108 / 69449da436169e7facaa6d1f3bcbc41cf6ce275
2.8.8 Fixes following vulnerabilities:
CVE-2016-6164, 054db631200c9940bc72e4dec2cb3c75e613abaf / 8a3221cc67a516dfc1700bdae3566ec52c7ee823
CVE-2016-6881, e965fedf7e94b7e50cd11be00fa729ee8faeb21b / a453bbb68f3eec202673728988bba3bc76071761
CVE-2016-7122, 8ddeae57ae727966ac7588cf34ff56558fe3ffd1 / e4e4a9cad7f21593d4bcb1f2404ea0d373c36c43
CVE-2016-7450, f8dcc9e7189709c68829b0fa7a98941fdf916d68 / a5af1240fce845f645440364c1335e0f8e44ee6c
What's left:
CVE-2016-6164/CVE-2016-6881: Fixed upstream but I can't find them in your report.
CVE-2016-7555: Only mention of it upstream is in 3.0+, my bet would be 2.8 is unaffected.
(In reply to Alexis Ballier from comment #1)
> CVE-2016-7555: Only mention of it upstream is in 3.0+, my bet would be 2.8
> is unaffected.
Yep, 2.8 is unaffected: CVE-2016-7555, fb7617df4eb13659fa20cb535888c10eac0fdb77 / b98dafe04564d5fe3e5bf5073d871dd93a4a62de
The fields freed by this commit are either already freed in 2.8.10 current code or fields that were not present in 2.8. So we can proceed to stabilizing ffmpeg-2.8.10 I think.
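A small triage helper that turns the fixed-in data quoted in the comments above into a version check, as an added example (it is not part of this bug report and not FFmpeg's own code). The per-branch table is an assumption derived only from what the thread states: on 3.1 the seven CVEs from the report are fixed in 3.1.4; on 2.8, CVE-2016-6164/6881/7122/7450 are fixed in 2.8.8, CVE-2016-7502/7785/7905/7562 in 2.8.9, and CVE-2016-7555 does not apply. The 3.1 fix releases for CVE-2016-6164/6881 and the 3.0 branch are not covered because the thread does not state them. The point worth taking from it is the version comparison: "2.8.10" sorts before "2.8.9" as a string, so a naive string compare would wrongly report the stabilized 2.8.10 as vulnerable.

```python
"""Triage helper: which of the CVEs in this bug remain unfixed for a given
FFmpeg version. Added example; fixed-in versions are taken from the
advisory text quoted in the bug and are an assumption beyond that scope."""
import re
import sys
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Hypothetical table built from the thread: branch -> {CVE -> first release
# on that branch containing the fix}. None means the branch is not affected.
FIXED_IN: Dict[Tuple[int, int], Dict[str, Optional[Version]]] = {
    (3, 1): {
        cve: (3, 1, 4)
        for cve in (
            "CVE-2016-7562", "CVE-2016-7122", "CVE-2016-7450", "CVE-2016-7502",
            "CVE-2016-7555", "CVE-2016-7785", "CVE-2016-7905",
        )
    },
    (2, 8): {
        "CVE-2016-6164": (2, 8, 8),
        "CVE-2016-6881": (2, 8, 8),
        "CVE-2016-7122": (2, 8, 8),
        "CVE-2016-7450": (2, 8, 8),
        "CVE-2016-7502": (2, 8, 9),
        "CVE-2016-7785": (2, 8, 9),
        "CVE-2016-7905": (2, 8, 9),
        "CVE-2016-7562": (2, 8, 9),
        "CVE-2016-7555": None,  # 2.8 unaffected per comment #2
    },
}


def parse_version(text: str) -> Version:
    """Extract the first dotted version number from a string such as the
    first line of `ffmpeg -version` ("ffmpeg version 2.8.10 Copyright ...")
    or a tag name like "n3.1.4". Returns a tuple of ints so that ordering
    is numeric per component, not lexicographic."""
    match = re.search(r"(?<![\d.])(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no dotted version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def unfixed_cves(version: Version) -> List[str]:
    """Return the CVEs from the table whose fix is newer than `version`
    on that version's branch. Raises for branches the table does not cover
    rather than silently reporting them clean."""
    branch = version[:2]
    if branch not in FIXED_IN:
        raise ValueError(f"branch {branch[0]}.{branch[1]} is not covered by the table")
    # Tuple comparison is component-wise numeric: (2, 8, 10) > (2, 8, 9),
    # whereas the strings compare the other way round ("2.8.10" < "2.8.9").
    return sorted(
        cve for cve, fixed in FIXED_IN[branch].items()
        if fixed is not None and version < fixed
    )


def triage(version_text: str) -> List[str]:
    """Convenience wrapper: raw version string -> list of unfixed CVEs."""
    return unfixed_cves(parse_version(version_text))


if __name__ == "__main__":
    # Constructed sample input standing in for the first line of `ffmpeg -version`.
    sample = sys.argv[1] if len(sys.argv) > 1 else "ffmpeg version 2.8.10 Copyright (c) 2000-2016 the FFmpeg developers"
    missing = triage(sample)
    print(f"{parse_version(sample)}: {'clean' if not missing else ', '.join(missing)}")
```

Feed it the first line of `ffmpeg -version` from the host under review; an uncovered branch raises instead of returning an empty list, so a 3.0 install is reported as "not covered" rather than as clean.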
@ Arches, please test and mark stable: =media-video/ffmpeg-2.8.10
amd64 stable
x86 stable
sparc stable
arm stable
ppc stable
Stable for HPPA.
Stable on alpha.
ia64 stable
ppc64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
This issue was resolved and addressed in GLSA 201701-71 at https://security.gentoo.org/glsa/201701-71 by GLSA coordinator Thomas Deutschmann (whissi).