libav-9.17 was added to the tree on 12 Oct 2014, but the latest stable is still version 9.14. A lot of bugs have been fixed since then, including security problems: https://git.libav.org/?p=libav.git;a=blob;f=Changelog;h=355b7dc8e623f2780f91a288edfe215a745e8f8a;hb=606bbd50b1ebaa3c040fc7cab84f1d8bb5d3d248

$ git diff v9.14..v9.17 -- Changelog|grep CVE
+- vp3: Copy all 3 frames for thread updates (CVE-2011-3934)
+- mpegts: Do not try to write a PMT larger than SECTION_SIZE (CVE-2014-2263)
+- error_concealment: avoid using the picture if not fully setup (CVE-2013-0860)
+- cdgraphics: switch to bytestream2 (CVE-2013-3674)
+- huffyuvdec: check width size for yuv422p (CVE-2013-0848)
+- mmvideo: check horizontal coordinate too (CVE-2013-3672)
+- wmalosslessdec: fix mclms_coeffs* array size (CVE-2014-2098)
+- lavc: Check the image size before calling get_buffer (CVE-2011-3935)
+- huffyuv: Check and propagate function return values (CVE-2013-0868)
+- h264: prevent theoretical infinite loop in SEI parsing (CVE-2011-3946)
+- pgssubdec: Check RLE size before copying (CVE-2013-0852)
+- eamad: use the bytestream2 API instead of AV_RL (CVE-2013-0851)
Stabilise what and where? Plz?
amd64 stable
Stable for HPPA.

Arch teams, please test and mark stable:
=media-video/libav-9.17
Targeted stable KEYWORDS: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
ia64 stable
arm stable
alpha stable
ppc stable
ppc64 stable
sparc stable
Ping on x86 stabilization. New GLSA Request filed.
x86 is also done now. Thanks guys!
Arches, Thank you for your work. Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in GLSA 201502-08 at http://security.gentoo.org/glsa/glsa-201502-08.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
Reopening for cleanup. @maintainers: please close this bug once cleanup is done
@maintainer(s), please clean up the vulnerable version.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b4cb637ee61d9f5bd51eaebc890bb04dbd38e03