From ${URL}:

Hi, I would like to request CVEs for the following issues:

http://git.videolan.org/?p=ffmpeg.git;a=commit;h=52b81ff4635c077b2bc8b8d3637d933b6629d803
fixes assertion failure in prores_ks encoder
https://trac.ffmpeg.org/ticket/2760
Found-by: MarkZV

http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3539d6c63a16e1b2874bb037a86f317449c58770
fixes out of array access in iff decoder
Found-by: Piotr Bandurski
CVE-2014-5272 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5272): libavcodec/iff.c in FFMpeg before 1.1.14, 1.2.x before 1.2.8, 2.2.x before 2.2.7, and 2.3.x before 2.3.2 allows remote attackers to have unspecified impact via a crafted iff image, which triggers an out-of-bounds array access, related to the rgb8 and rgbn formats.

CVE-2014-5271 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5271): Heap-based buffer overflow in the encode_slice function in libavcodec/proresenc_kostya.c in FFMpeg before 1.1.14, 1.2.x before 1.2.8, 2.x before 2.2.7, and 2.3.x before 2.3.3 and Libav before 10.5 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors.
http://ffmpeg.org/security.html marks it as fixed in 2.2.7 for the 2.2 branch. We'll go with 2.2.12+ since 1.2 (current stable) is not maintained anymore.
Highest version of fixes for CVEs: 1.1.14, 1.2.8, 2.1.6, 2.2.7.

Since 1.1.X and 1.2.X are no longer maintained and 2.2.14 is being stabilized, but the higher version without bugs is 2.2.15. Once stabilized we can clean up 1.1.x and 1.2.x.

Setting dependency on: 548006
This issue was resolved and addressed in GLSA 201603-06 at https://security.gentoo.org/glsa/201603-06 by GLSA coordinator Kristian Fiskerstrand (K_F).