from ${URL}: The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg 3.3.3 may return a NULL pointer depending on a value contained in a file, but callers do not anticipate this, as demonstrated by the avcodec_string function in libavcodec/utils.c, leading to a NULL pointer dereference. (It is also conceivable that there is security relevance for a NULL pointer dereference in av_color_primaries_name calls within the ffprobe command-line program.) Upstream Patch 2/2: (https://github.com/FFmpeg/FFmpeg/commit/837cb4325b712ff1aab531bf41668933f61d75d2) (https://lists.ffmpeg.org/pipermail/ffmpeg-devel/2017-August/215198.html)
---------------------------- Daj Uan (jmbailey/mbailey_j) Gentoo Security Padawan
this should be fixed in 3.3.4
@maintainer(s), please let us know when you are ready to stabilize.
(In reply to Aaron Bauman from comment #3) > @maintainer(s), please let us know when you are ready to stabilize. as noted in bug #630148, yes :)
(In reply to Alexis Ballier from comment #4) > > as noted in bug #630148, yes :) Great, we will handle stabilization here. @Maintainers please verify if SLOT 54.56.56 is vulnerable, if that's the case, it's your decision to call sparc to the stabilization request. @Arches, please test and mark stable. Gentoo Security Padawan ChrisADR
An automated check of this bug failed - repoman reported dependency errors (19 lines truncated): > dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6'] > dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6'] > dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
(In reply to Christopher Díaz from comment #5) > @Maintainers please verify if SLOT 54.56.56 is vulnerable, if that's the > case, it's your decision to call sparc to the stabilization request. if not this bug, that's another one, but I don't expect much on the sparc side
ia64 stable
hppa stable
amd64 stable
x86 stable
arm stable
An automated check of this bug failed - repoman reported dependency errors (17 lines truncated): > dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6'] > dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6'] > dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
alpha is o. @ppc/ppc64, please proceed.
ppc/ppc64 stable
GLSA Vote: No @maintainers, please clean the vulnerable versions.
cleanup will occur in bug #639698 GLSA Vote: No