Ubuntu has issued an advisory today (January 28): http://www.ubuntu.com/usn/usn-1705-1/ It includes the following CVEs, which have been fixed in upstream git [1], since our last update to 0.10.6: CVE-2012-5144 CVE-2012-2783 CVE-2012-2797 CVE-2012-2803 CVE-2012-2804 CVE-2012-2783 CVE-2012-2791 The other CVEs it lists were fixed in our update to 0.10.6. I don't know if they plan to issue a 0.10.7 release upstream, or if we will have to pull git or patch it and issue an update. [1] - http://git.videolan.org/?p=ffmpeg.git;a=log;h=refs/heads/release/0.10
CC: (none) => fundawang
ffmpeg 0.10.7 has been released on April 10. Additional CVEs they've fixed since I posted this bug: CVE-2012-2882 CVE-2013-0894 CVE-2013-2277 CVE-2013-2495
Updated packages uploaded for Mageia 2. Note to QA: previous ffmpeg update was Bug 8065. Advisory: ======================== Updated ffmpeg packages fix security vulnerabilities: ivi_common: check that scan pattern is set before using it (CVE-2012-2791). vp56: release frames on error (CVE-2012-2783). mpeg12: do not decode extradata more than once (CVE-2012-2803). mp3: properly forward mp_decode_frame errors (CVE-2012-2797). vp6: properly fail on unsupported feature (CVE-2012-2783). aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN (CVE-2012-5144). indeo3: ensure that decoded cell data is in 7-bit range as presumed by decoder; when freeing buffers, set pointers referencing them to NULL as well; initialise pixel planes on allocation (CVE-2012-2804). oggdec: make sure the private parse data is cleaned up (CVE-2012-2882). vorbisdec: Error on bark_map_size equal to 0 (CVE-2013-0894). h264: check for luma and chroma bit depth being equal (CVE-2013-2277). iff: validate CMAP palette size (CVE-2013-2495). This updates ffmpeg to version 0.10.7 which contains the security fixes above as well as other bug fixes. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2791 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2797 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2803 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2804 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2882 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5144 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0894 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2277 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2495 http://git.videolan.org/?p=ffmpeg.git;a=log;h=refs/heads/release/0.10 ======================== Updated packages in {core,tainted}/updates_testing: ======================== ffmpeg-0.10.7-1.mga2 libavcodec53-0.10.7-1.mga2 libpostproc52-0.10.7-1.mga2 libavformat53-0.10.7-1.mga2 libavutil51-0.10.7-1.mga2 libswscaler2-0.10.7-1.mga2 libavfilter2-0.10.7-1.mga2 libswresample0-0.10.7-1.mga2 libffmpeg-devel-0.10.7-1.mga2 libffmpeg-static-devel-0.10.7-1.mga2 from ffmpeg-0.10.7-1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Summary: ffmpeg new security issues fixed upstream => ffmpeg new security issues fixed upstream in 0.10.7
Testing ideas: http://rodrigopolo.com/ffmpeg/cheats.php#FFmpeg_Encoding Also see: https://bugs.mageia.org/show_bug.cgi?id=8065#c6
Also there are 2 srpm's ffmpeg-0.10.7-1.mga2.src.rpm ffmpeg-0.10.7-1.mga2.tainted.src.rpm
Testing complete mga2 64
Whiteboard: (none) => has_procedure mga2-64-ok
Testing complete mga2 32 Validating Could sysadmin please push from core/updates_testing to core/updates Thanks!
Keywords: (none) => validated_updateWhiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-okCC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0136
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED