CVE-2014-9319 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9319): The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted .bit file.
CVE-2014-9318 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9318): The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via a crafted .cine file that triggers the avpicture_get_size function to return a negative frame size.
CVE-2014-9317 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9317): The decode_ihdr_chunk function in libavcodec/pngdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via an IDAT before an IHDR in a PNG file.
CVE-2014-9316 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9316): The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via vectors related to LJIF tags in an MJPEG file.
CVE-2014-8549 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8549): libavcodec/on2avc.c in FFmpeg before 2.4.2 does not constrain the number of channels to at most 2, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted On2 data.
CVE-2014-8548 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8548): Off-by-one error in libavcodec/smc.c in FFmpeg before 2.4.2 allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted Quicktime Graphics (aka SMC) video data.
CVE-2014-8547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8547): libavcodec/gifdec.c in FFmpeg before 2.4.2 does not properly compute image heights, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted GIF data.
CVE-2014-8546 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8546): Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2 allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted Cinepak video data.
CVE-2014-8545 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8545): libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the monochrome-black format without verifying that the bits-per-pixel value is 1, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted PNG data.
CVE-2014-8544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8544): libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate bits-per-pixel fields, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted TIFF data.
CVE-2014-8543 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8543): libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider all lines of HHV Intra blocks during validation of image height, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted MM video data.
CVE-2014-8542 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8542): libavcodec/utils.c in FFmpeg before 2.4.2 omits a certain codec ID during enforcement of alignment, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted JV data.
CVE-2014-8541 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8541): libavcodec/mjpegdec.c in FFmpeg before 2.4.2 considers only dimension differences, and not bits-per-pixel differences, when determining whether an image size has changed, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted MJPEG data.
CVE-2014-2263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2263): The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB) muxer (libavformat/mpegtsenc.c) in FFmpeg, possibly 2.1 and earlier, allows remote attackers to have unspecified impact and vectors, which trigger an out-of-bounds write.
CVE-2014-2098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2098): libavcodec/wmalosslessdec.c in FFmpeg before 2.1.4 uses an incorrect data-structure size for certain coefficients, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted WMA data.
CVE-2014-2097 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2097): The tak_decode_frame function in libavcodec/takdec.c in FFmpeg before 2.1.4 does not properly validate a certain bits-per-sample value, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted TAK (aka Tom's lossless Audio Kompressor) data.
I guess 1.2.11 fixes these CVEs, could we proceed?
(In reply to Agostino Sarubbo from comment #1)
> I guess 1.2.11 fixes these CVEs, could we proceed?

it should, but we're going with 2.2; upstream is dropping maintenance on the 1.2 branch anyway
> it should, but we're going with 2.2; upstream is dropping maintenance on
> the 1.2 branch anyway

So with stabilization of 2.2.14, did you backport the patches, a few CVEs state version 2.2.X to 2.3.X?
(In reply to Yury German from comment #3)
> > it should, but we're going with 2.2; upstream is dropping maintenance on
> > the 1.2 branch anyway
>
> So with stabilization of 2.2.14, did you backport the patches, a few CVEs
> state version 2.2.X to 2.3.X?

I didn't backport anything; upstream does it: http://ffmpeg.org/security.html
unless I missed something, 2.2.11 already fixes them all

please consider the above upstream link as the only authoritative one, I've seen way too many wrong CVEs and such...
Thank you for replying.
Highest Version of Fixes for CVEs - 2.1.6, 2.2.11, 2.3.6, 2.4.4, 2.5
2.2.14 is being stabilized, but higher version without bugs is 2.2.15
Setting dependency on: 548006
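Added example, not part of the original bug discussion: a per-branch check of an FFmpeg version against the fix levels listed in the comment above. A fix level only applies within its own release branch, so 2.3.5 still needs an update even though it sorts above 2.2.11. The function names, status strings and sample version strings are constructed for illustration; reading "2.5" as "2.5 and every later branch" and reporting branches the list does not name as "unknown" are assumptions.

```python
import re

# Fix levels per release branch, taken from the comment above:
# 2.1.6, 2.2.11, 2.3.6, 2.4.4, 2.5
FIXED_IN = {(2, 1): 6, (2, 2): 11, (2, 3): 6, (2, 4): 4}
# Assumption: "2.5" means the 2.5 branch and everything after it.
FIRST_CLEAN_BRANCH = (2, 5)


def parse_version(text):
    """Extract (major, minor, patch) from '2.2.14', 'ffmpeg-2.4.3-r1', etc."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def status(version):
    """Classify a version as 'fixed', 'needs-update' or 'unknown'."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch >= FIRST_CLEAN_BRANCH:
        return "fixed"
    if branch in FIXED_IN:
        # Compare only inside the branch; never across branches.
        return "fixed" if patch >= FIXED_IN[branch] else "needs-update"
    # Branches such as 1.2.x or 2.0.x have no fix level in the list.
    return "unknown"


def audit(versions):
    """Map each version string to its status."""
    return {v: status(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = ["2.2.14", "2.2.10", "2.3.5", "2.4.4", "1.2.11", "ffmpeg-2.1.5-r1"]
    for version, result in audit(samples).items():
        print(f"{version:20} {result}")
```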
This issue was resolved and addressed in GLSA 201603-06 at https://security.gentoo.org/glsa/201603-06 by GLSA coordinator Kristian Fiskerstrand (K_F).