Bug 6485 - blender affected by security issues fixed in ffmpeg 0.5.10
: blender affected by security issues fixed in ffmpeg 0.5.10
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 1
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
:
: has_procedure MGA1-32-OK MGA1-64-OK
: validated_update
:
: 5033 6427
  Show dependency treegraph
 
Reported: 2012-06-17 00:33 CEST by David Walser
Modified: 2012-08-06 18:04 CEST (History)
6 users (show)

See Also:
Source RPM: blender-2.49b-11.1.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-06-17 00:33:29 CEST
ffmpeg 0.5.10 was released on June 9th, fixing some security issues.

blender is built with an internal copy of ffmpeg, which has been updated.

Advisory:
========================

Updated blender package fixes security vulnerabilities:

* dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951)

* h264: Add check for invalid chroma_format_idc (CVE-2012-0851)

* adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852)

* kmvc: Check palsize (CVE-2011-3952)

Blender's internal copy of ffmpeg has been updated to 0.5.10 to fix
these issues, as well as some other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0852
========================

Updated packages in {core,tainted}/updates_testing:
========================
blender-2.49b-11.3.mga1

from blender-2.49b-11.3.mga1.src.rpm
Comment 1 David Walser 2012-06-17 00:34:11 CEST
This update was built by Funda Wang.
Comment 2 Samuel Verschelde 2012-07-24 12:36:31 CEST
Testing procedure: follow http://www.youtube.com/watch?v=caIg7sIX6d4
Comment 3 Carolyn Rowse 2012-07-28 17:04:47 CEST
I had a few spare minutes so I thought I'd have a go with Mga1 i586, but the tutorial doesn't match what's on the interface I've got.  I see someone else left a comment underneath that the tutorial's out of date.

Carolyn
Comment 4 David Walser 2012-07-28 17:08:02 CEST
How so?  The blender version hasn't been updated and it seemed to match well enough when Claire and I followed it to QA a previous update of this package.
Comment 5 Carolyn Rowse 2012-07-28 19:35:23 CEST
The very first thing I was supposed to click on (multires) brought up some options that didn't look anything like in the tutorial and I couldn't work out how to get to where the tutor was.  I haven't got a clue about Blender anyway, which doesn't help.

Unfortunately I won't have time to have another go now.

Carolyn
Comment 6 Samuel Verschelde 2012-08-05 15:08:52 CEST
After discussing with David, it appears that we don't need to push the tainted build, it belongs to another bug report.
Comment 7 Dave Hodgins 2012-08-05 23:04:43 CEST
Testing Mageia 1 i586 now.
Comment 8 Dave Hodgins 2012-08-06 00:27:13 CEST
Testing complete on Mageia 1 i586
Comment 9 Dave Hodgins 2012-08-06 00:51:26 CEST
Testing complete on Mageia 1 x86-64.

Could someone on the sysadmin team push the srpm
blender-2.49b-11.3.mga1
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated blender package fixes security vulnerabilities:

* dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951)

* h264: Add check for invalid chroma_format_idc (CVE-2012-0851)

* adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852)

* kmvc: Check palsize (CVE-2011-3952)

Blender's internal copy of ffmpeg has been updated to 0.5.10 to fix
these issues, as well as some other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0852

https://bugs.mageia.org/show_bug.cgi?id=6485
Comment 10 Thomas Backlund 2012-08-06 18:04:26 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0199

Note You need to log in before you can comment on or make changes to this bug.