From ${URL}: Description: A vulnerability has been reported in FFmpeg, which can be exploited by malicious people to cause a DoS (Denial of Service) in an application using the library. For more information: SA52093 (#8) The vulnerability is reported in versions prior to 0.11.4. Solution: Update to version 0.11.4. Original Advisory: http://ffmpeg.org/security.html @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
CVE-2013-0869 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0869): The field_end function in libavcodec/h264.c in FFmpeg before 1.1.2 allows remote attackers to have an unspecified impact via crafted H.264 data, related to an SPS and slice mismatch and an out-of-bounds array access.
http://ffmpeg.org/security.html lists 1.1.2 and 0.11.4 as fixing this; current stable 1.2.6 is unaffected.
With the verification, going to cleanup directly. Two versions need cleanup: 1.0.10, 0.10.15 Maintainer(s), Please drop the vulnerable versions. Security please vote on GLSA. GLSA Vote: No
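The comments above turn on a point that is easy to get wrong when triaging a fix that lands on several maintenance branches: 1.0.10 is numerically newer than 0.11.4, yet it is still vulnerable, because the fix was only released on the 0.11 and 1.1 branches and the 1.0 branch got no backport. The following is an added example (not code from the bug thread or from the FFmpeg project) that encodes that branch-aware rule. The rule itself is an assumption spelled out in the docstring: a version is fixed if a listed fix exists on its own major.minor branch and the version is at or above it, or if its branch is newer than the newest listed fixed branch (1.2.x here); anything else, including an intermediate branch with no listed fix, is treated as vulnerable. The list of versions in the tree is constructed to match the ones named in this thread.

```python
"""Branch-aware check of whether an FFmpeg release carries a given fix.

Added example; not from the bug thread or the FFmpeg project.
"""
from __future__ import annotations

# Fixed versions listed on http://ffmpeg.org/security.html for this issue,
# as quoted in the thread.
FIXED_VERSIONS = ["1.1.2", "0.11.4"]

# Constructed set of versions standing in for the ebuilds in the tree at
# the time of the thread (not taken from any real portage snapshot).
TREE_VERSIONS = ["1.2.6", "1.1.2", "1.0.10", "0.11.4", "0.10.15"]


def parse_version(v: str) -> tuple[int, ...]:
    """'1.1.2' -> (1, 1, 2). Only dotted numeric versions are handled."""
    return tuple(int(part) for part in v.strip().split("."))


def branch(v: tuple[int, ...]) -> tuple[int, int]:
    """FFmpeg maintenance branches are named by major.minor (0.11, 1.1, ...).

    Versions need at least two components; '2' alone would raise IndexError.
    """
    return (v[0], v[1])


def is_fixed(installed: str, fixed_versions: list[str]) -> bool:
    """Return True if `installed` contains the fix.

    Assumed rule (an assumption of this example, not a statement from the
    thread): a fix is present on each listed maintenance branch from the
    listed version onward, and in every branch created after the newest
    listed one. A branch that lies numerically between two fixed branches
    but is not listed (1.0 between 0.11 and 1.1) received no backport, so
    every release on it stays vulnerable even though 1.0.10 > 0.11.4.
    """
    v = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed_versions)
    newest_fixed_branch = branch(fixes[-1])

    # Branches newer than the newest fixed branch inherited the fix.
    if branch(v) > newest_fixed_branch:
        return True

    # Otherwise only the same branch, at or above the fixed release, counts.
    for f in fixes:
        if branch(f) == branch(v):
            return v >= f

    # No fix was released on this branch at all.
    return False


def vulnerable_versions(tree: list[str], fixed_versions: list[str]) -> list[str]:
    """Versions in `tree` that must be dropped (or patched) for this issue."""
    return [v for v in tree if not is_fixed(v, fixed_versions)]


if __name__ == "__main__":
    for v in TREE_VERSIONS:
        print(f"{v:>8}: {'fixed' if is_fixed(v, FIXED_VERSIONS) else 'VULNERABLE'}")
    print("needs cleanup:", vulnerable_versions(TREE_VERSIONS, FIXED_VERSIONS))
```

Run as-is the script reports 1.0.10 and 0.10.15 as needing cleanup, matching the two versions named in the thread, while 1.2.6, 1.1.2 and 0.11.4 pass. The design point is that a plain `installed >= fixed` comparison against any one advisory version gives the wrong answer for multi-branch projects; the comparison has to be done per branch.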
(In reply to Yury German from comment #3) > With the verification, going to cleanup directly. Two versions need cleanup: > 1.0.10, 0.10.15 > Maintainer(s), Please drop the vulnerable versions. Have you checked that nothing depends on these slots?
(In reply to Alexis Ballier from comment #4) > (In reply to Yury German from comment #3) > > With the verification, going to cleanup directly. Two versions need cleanup: > > 1.0.10, 0.10.15 > > Maintainer(s), Please drop the vulnerable versions. > > Have you checked that nothing depends on these slots? That would be part of the maintainer's responsibility. If packages in fact depend on versions expected to be vulnerable, fixes would have to be backported to them. GLSA Vote: No
Maintainer(s), please drop the vulnerable version(s).
Maintainer(s), thank you for the cleanup. Thank you all. Closing as noglsa.