From ${URL}: FFmpeg 2.6.2 fixes the following vulnerabilities: CVE-2015-3395, dfce316c12d867400fb132ff5094163e3d2634a3 / f7e1367f58263593e6cee3c282f7277d7ee9d553
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
From $url: 2.2.15 fixes the following vulnerabilities: CVE-2015-3395, 33877cd276f99fc234b5269d9d158ce71e50d363 / f7e1367f58263593e6cee3c282f7277d7ee9d553
That can go stable (some arches already have 2.2.14, see bug #538798).
PS: whiteboard is wrong.
1.2.6 and 2.2.14 both need to be removed from stable.
CVE-2015-3395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3395): The msrle_decode_pal4 function in msrledec.c in Libav before 10.7 and 11.x before 11.4 and FFmpeg before 2.0.7, 2.2.x before 2.2.15, 2.4.x before 2.4.8, 2.5.x before 2.5.6, and 2.6.x before 2.6.2 allows remote attackers to have unspecified impact via a crafted image, related to a pixel pointer, which triggers an out-of-bounds array access.
Fixed in 2.0.7, 2.2.15, 2.4.8, 2.5.6, 2.6.2, 2.7
0.10.16 & 1.0.10 - vulnerable (not fixed as per the ffmpeg page)
Could not find fixes for 1.2.X
Need to stabilize:
2.2.15 - in tree
2.6.3 - is stabilized as part of 547462
Setting to stable? for 2.2.15
Everything below 2.6.3 was cleaned up from tree. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201603-06 at https://security.gentoo.org/glsa/201603-06 by GLSA coordinator Kristian Fiskerstrand (K_F).