| Summary: | ffmpeg new security issues fixed upstream in 0.10.7 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | fundawang, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/534672/ | ||
| Whiteboard: | has_procedure mga2-64-ok mga2-32-ok | ||
| Source RPM: | ffmpeg-0.10.6-1.mga2.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2013-01-29 02:02:39 CET
David Walser
2013-01-29 02:02:45 CET
CC:
(none) =>
fundawang ffmpeg 0.10.7 has been released on April 10. Additional CVEs they've fixed since I posted this bug: CVE-2012-2882 CVE-2013-0894 CVE-2013-2277 CVE-2013-2495 Updated packages uploaded for Mageia 2. Note to QA: previous ffmpeg update was Bug 8065. Advisory: ======================== Updated ffmpeg packages fix security vulnerabilities: ivi_common: check that scan pattern is set before using it (CVE-2012-2791). vp56: release frames on error (CVE-2012-2783). mpeg12: do not decode extradata more than once (CVE-2012-2803). mp3: properly forward mp_decode_frame errors (CVE-2012-2797). vp6: properly fail on unsupported feature (CVE-2012-2783). aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN (CVE-2012-5144). indeo3: ensure that decoded cell data is in 7-bit range as presumed by decoder; when freeing buffers, set pointers referencing them to NULL as well; initialise pixel planes on allocation (CVE-2012-2804). oggdec: make sure the private parse data is cleaned up (CVE-2012-2882). vorbisdec: Error on bark_map_size equal to 0 (CVE-2013-0894). h264: check for luma and chroma bit depth being equal (CVE-2013-2277). iff: validate CMAP palette size (CVE-2013-2495). This updates ffmpeg to version 0.10.7 which contains the security fixes above as well as other bug fixes. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2791 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2797 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2803 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2804 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2882 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5144 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0894 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2277 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2495 http://git.videolan.org/?p=ffmpeg.git;a=log;h=refs/heads/release/0.10 ======================== Updated packages in {core,tainted}/updates_testing: ======================== ffmpeg-0.10.7-1.mga2 libavcodec53-0.10.7-1.mga2 libpostproc52-0.10.7-1.mga2 libavformat53-0.10.7-1.mga2 libavutil51-0.10.7-1.mga2 libswscaler2-0.10.7-1.mga2 libavfilter2-0.10.7-1.mga2 libswresample0-0.10.7-1.mga2 libffmpeg-devel-0.10.7-1.mga2 libffmpeg-static-devel-0.10.7-1.mga2 from ffmpeg-0.10.7-1.mga2.src.rpm Assignee:
bugsquad =>
qa-bugs
David Walser
2013-05-03 14:50:01 CEST
Summary:
ffmpeg new security issues fixed upstream =>
ffmpeg new security issues fixed upstream in 0.10.7 Testing ideas: http://rodrigopolo.com/ffmpeg/cheats.php#FFmpeg_Encoding Also see: https://bugs.mageia.org/show_bug.cgi?id=8065#c6 Also there are 2 srpm's ffmpeg-0.10.7-1.mga2.src.rpm ffmpeg-0.10.7-1.mga2.tainted.src.rpm Testing complete mga2 64 Whiteboard:
(none) =>
has_procedure mga2-64-ok Testing complete mga2 32 Validating Could sysadmin please push from core/updates_testing to core/updates Thanks! Keywords:
(none) =>
validated_update Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0136 Status:
NEW =>
RESOLVED |