Bug 4147

Summary: [Update Request] Updated ffmpeg package to fix CVE-2011-3892, CVE-2011-3893, and CVE-2011-3895
Product: Mageia Reporter: Funda Wang <fundawang>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, geiger.david68210, luigiwalser, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: ffmpeg-0.6.5-0.1.mga1 CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 4146    

Description Funda Wang 2012-01-16 08:28:16 CET 
Several security issues have been found in ffmpeg 0.6.4 shipped in Mageia 1 updates:

* CVE-2011-3892: fixes for the VP3 decoder 
* CVE-2011-3893, CVE-2011-3895: vorbis decoder, and matroska demuxer

The updated packages solve the problem by upgrading to latest stable version of ffmpeg.
Comment 1 David GEIGER 2012-01-16 09:52:54 CET 
(1) Testing complete for the new update srpm ffmpeg-0.6.5-0.1.mga1.src.rpm ,on Mageia release 1 (Official) for x86_64 ,works fine for me.

I used it to convert an :
->.wmv video file to a .avi video file =Ok
->.wmv video file to a .mkv video file =Ok
->.wmv video file to a .flv video file =Ok
->.wmv video file to a .mov video file =Not Ok (Need the Tainted)

->.mkv video file to a .avi video file =Ok
->.mkv video file to a .flv video file =Ok
->.mkv video file to a .wmv video file =Ok
->.mkv video file to a .mov video file =Not Ok (Need the Tainted)

(2) Testing complete for the new update srpm ffmpeg-0.6.5-0.1.mga1.tainted.src.rpm ,on Mageia release 1 (Official) for x86_64 ,works fine for me too.

I used it to convert an :
->.wmv video file to a .avi video file =Ok
->.wmv video file to a .mkv video file =Ok
->.wmv video file to a .flv video file =Ok
->.wmv video file to a .mov video file =Ok

->.mkv video file to a .avi video file =Ok
->.mkv video file to a .flv video file =Ok
->.mkv video file to a .wmv video file =Ok
->.mkv video file to a .mov video file =Ok

CC: (none) => geiger.david68210

David Walser 2012-01-16 15:53:07 CET

Blocks: (none) => 4146

David Walser 2012-01-16 15:55:43 CET

CC: (none) => luigiwalser
Summary: [Update Request] Updated ffmpeg package to fix several CVE issues => [Update Request] Updated ffmpeg package to fix CVE-2011-3892, CVE-2011-3893, and CVE-2011-3895

David Walser 2012-01-16 16:05:21 CET

Blocks: 4146 => (none)

David Walser 2012-01-16 16:05:38 CET

Blocks: (none) => 4146

Comment 2 David Walser 2012-01-16 16:47:36 CET 
Funda, are any of these issues still relevant?

http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/maverick/ffmpeg/maverick-security/revision/54
Comment 3 Funda Wang 2012-01-16 17:41:48 CET 
(In reply to comment #2)
> Funda, are any of these issues still relevant?
> 
> http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/maverick/ffmpeg/maverick-security/revision/54
Those issues should already be fixed in 0.6.4.
Comment 4 Dave Hodgins 2012-01-16 22:34:29 CET 
Testing complete on i586, converting and playing various video formats.

Could someone from the sysadmin team push the srpm
ffmpeg-0.6.5-0.1.mga1.src.rpm
from Core Updates Testing to Core Updates and the srpm
ffmpeg-0.6.5-0.1.mga1.tainted.src.rpm
from Tainted Updates Testing to Tainted Updates.

Advisory:  This security update for ffmpeg corrects the following CVEs.
* CVE-2011-3892: fixes for the VP3 decoder 
* CVE-2011-3893, CVE-2011-3895: vorbis decoder, and matroska demuxer

https://bugs.mageia.org/show_bug.cgi?id=4147

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Thomas Backlund 2012-01-21 18:15:30 CET 
update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED