Hello guys, see the URL/CVEs for the issues. The fixed version is in CVS. If you decide to go stable, it needs the following packages: media-video/libav-0.8.3, media-libs/libpostproc-0.8.0.20120229, media-plugins/gst-plugins-ffmpeg-0.10.13-r2 (0.10.13-r2 is the first with unbundled ffmpeg; the older ones use libav-0.7, which is affected). The libpostproc has one known bug/build failure: bug #416451.
OK arches, please try these: =media-video/libav-0.8.3 =media-video/libpostproc-0.8.0.20120229 =media-plugins/gst-plugins-ffmpeg-0.10.13-r2 Please pay extra attention to gst-plugins-ffmpeg, as it is the first unbundled ffmpeg/libav version after 3 years.
Thanks for the report. arches, go ahead (acked by lu_zero)
(In reply to comment #1)
> =media-video/libpostproc-0.8.0.20120229
Typo, is media-libs/libpostproc
amd64 stable
(In reply to comment #4)
> amd64 stable
Check again. Stable for HPPA.
(In reply to comment #5)
> (In reply to comment #4)
> > amd64 stable
>
> Check again.
done
(In reply to comment #1)
> Please pay extra attention to gst-plugins-ffmpeg as it first unbundled
> ffmpeg/libav version after 3 years.
See Bug 423829
arm stable
x86 stable
alpha/ia64/sparc stable
CVE-2012-0852 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0852): The adpcm_decode_frame function in adpcm.c in libavcodec in FFmpeg before 0.9.1 and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.6, and 0.8.x before 0.8.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an ADPCM file with the number of channels not equal to two.
CVE-2012-0851 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0851): The ff_h264_decode_seq_parameter_set function in h264_ps.c in libavcodec in FFmpeg before 0.9.1 and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.6, and 0.8.x before 0.8.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted H.264 file, related to the chroma_format_idc value.
ppc stable.
ppc64 stable, last arch done
Rerating B2 based on CVE descriptions which include code exec. Added to existing GLSA draft.
This issue was resolved and addressed in GLSA 201210-06 at http://security.gentoo.org/glsa/glsa-201210-06.xml by GLSA coordinator Sean Amoss (ackle).