Bug 4147 - [Update Request] Updated ffmpeg package to fix CVE-2011-3892, CVE-2011-3893, and CVE-2011-3895
Summary: [Update Request] Updated ffmpeg package to fix CVE-2011-3892, CVE-2011-3893, ...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks: 4146
Reported: 2012-01-16 08:28 CET by Funda Wang
Modified: 2012-01-21 18:15 CET

See Also:
Source RPM: ffmpeg-0.6.5-0.1.mga1
CVE:
Status comment:


Description Funda Wang 2012-01-16 08:28:16 CET
Several security issues have been found in ffmpeg 0.6.4 shipped in Mageia 1 updates:

* CVE-2011-3892: fixes for the VP3 decoder 
* CVE-2011-3893, CVE-2011-3895: vorbis decoder, and matroska demuxer

The updated packages solve the problem by upgrading to latest stable version of ffmpeg.
Comment 1 David GEIGER 2012-01-16 09:52:54 CET
(1) Testing complete for the new update srpm ffmpeg-0.6.5-0.1.mga1.src.rpm, on Mageia release 1 (Official) for x86_64, works fine for me.

I used it to convert:
->.wmv video file to a .avi video file =Ok
->.wmv video file to a .mkv video file =Ok
->.wmv video file to a .flv video file =Ok
->.wmv video file to a .mov video file =Not Ok (Need the Tainted)

->.mkv video file to a .avi video file =Ok
->.mkv video file to a .flv video file =Ok
->.mkv video file to a .wmv video file =Ok
->.mkv video file to a .mov video file =Not Ok (Need the Tainted)

(2) Testing complete for the new update srpm ffmpeg-0.6.5-0.1.mga1.tainted.src.rpm, on Mageia release 1 (Official) for x86_64, works fine for me too.

I used it to convert:
->.wmv video file to a .avi video file =Ok
->.wmv video file to a .mkv video file =Ok
->.wmv video file to a .flv video file =Ok
->.wmv video file to a .mov video file =Ok

->.mkv video file to a .avi video file =Ok
->.mkv video file to a .flv video file =Ok
->.mkv video file to a .wmv video file =Ok
->.mkv video file to a .mov video file =Ok

CC: (none) => geiger.david68210

David Walser 2012-01-16 15:53:07 CET

Blocks: (none) => 4146

David Walser 2012-01-16 15:55:43 CET

CC: (none) => luigiwalser
Summary: [Update Request] Updated ffmpeg package to fix several CVE issues => [Update Request] Updated ffmpeg package to fix CVE-2011-3892, CVE-2011-3893, and CVE-2011-3895

David Walser 2012-01-16 16:05:21 CET

Blocks: 4146 => (none)

David Walser 2012-01-16 16:05:38 CET

Blocks: (none) => 4146

Comment 2 David Walser 2012-01-16 16:47:36 CET
Funda, are any of these issues still relevant?

http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/maverick/ffmpeg/maverick-security/revision/54
Comment 3 Funda Wang 2012-01-16 17:41:48 CET
(In reply to comment #2)
> Funda, are any of these issues still relevant?
> 
> http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/maverick/ffmpeg/maverick-security/revision/54
Those issues should already be fixed in 0.6.4.
Comment 4 Dave Hodgins 2012-01-16 22:34:29 CET
Testing complete on i586, converting and playing various video formats.

Could someone from the sysadmin team push the srpm
ffmpeg-0.6.5-0.1.mga1.src.rpm
from Core Updates Testing to Core Updates and the srpm
ffmpeg-0.6.5-0.1.mga1.tainted.src.rpm
from Tainted Updates Testing to Tainted Updates.

Advisory:  This security update for ffmpeg corrects the following CVEs.
* CVE-2011-3892: fixes for the VP3 decoder 
* CVE-2011-3893, CVE-2011-3895: vorbis decoder, and matroska demuxer

https://bugs.mageia.org/show_bug.cgi?id=4147

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Thomas Backlund 2012-01-21 18:15:30 CET
update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
