ffmpeg 0.6.6 was released on June 9th, fixing several security issues. Patches for those issues were pulled from ffmpeg git and applied to mplayer.

Advisory:
========================

Updated mplayer packages fix security vulnerabilities:

* nsvdec: Fix use of uninitialized streams, Be more careful with av_malloc(), nsvdec: Propagate errors (CVE-2011-3940)
* dv: Fix small stack overread, check stype, Fix null pointer dereference due to ach=0 (CVE-2011-3929 and CVE-2011-3936)
* atrac3: Fix crash in tonal component decoding (CVE-2012-0853)
* mjpegbdec: Fix overflow in SOS (CVE-2011-3947)
* kgv1dec: Increase offsets array size so it is large enough (CVE-2011-3945)
* vqavideo: return error if image size is not a multiple of block size (CVE-2012-0947)
* dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951)
* aacsbr: prevent out of bounds memcpy() (CVE-2012-0850)
* h264: Add check for invalid chroma_format_idc (CVE-2012-0851)
* adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852)
* shorten: Use separate pointers for the allocated memory for decoded samples, check for realloc failure (CVE-2012-0858)
* kmvc: Check palsize (CVE-2011-3952)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0852
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0947
========================

Updated packages in {core,tainted}/updates_testing:
========================
mplayer-1.0-1.rc4.0.r32713.5.4.mga1
mplayer-doc-1.0-1.rc4.0.r32713.5.4.mga1
mplayer-gui-1.0-1.rc4.0.r32713.5.4.mga1
mencoder-1.0-1.rc4.0.r32713.5.4.mga1

from mplayer-1.0-1.rc4.0.r32713.5.4.mga1.src.rpm
Blocks: (none) => 6427
I don't see any PoC for the CVEs, so just testing that mplayer works. I'll shortly be testing both Mageia 1 Core Updates Testing, and then Tainted Updates Testing.
CC: (none) => davidwhodgins
Testing complete on Mageia 1 i586 for the srpms
mplayer-1.0-1.rc4.0.r32713.5.4.mga1.src.rpm
mplayer-1.0-1.rc4.0.r32713.5.4.mga1.tainted.src.rpm
Whiteboard: (none) => mga1-32-OK
Testing complete on Mageia 1 x86_64. Update validated. See comment #0 for SRPMs and advisory
Keywords: (none) => validated_update
CC: (none) => stormi
Whiteboard: mga1-32-OK => mga1-64-OK mga1-32-OK
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0141
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED