Your message dated Sat, 28 Nov 2015 12:34:01 +0000
with message-id <[email protected]>
and subject line Bug#806519: fixed in ffmpeg 7:2.8.3-1
has caused the Debian Bug report #806519,
regarding ffmpeg: CVE-2015-8363 CVE-2015-8364 CVE-2015-8365
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
806519: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806519
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ffmpeg
Version: 7:2.8.2-1
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerabilities were published for ffmpeg.
CVE-2015-8363[0]:
| The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in
| FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does
| not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which
| allows remote attackers to cause a denial of service (out-of-bounds
| heap-memory access) or possibly have unspecified other impact via a
| crafted image with two or more of these markers.
CVE-2015-8364[1]:
| Integer overflow in the ff_ivi_init_planes function in
| libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x
| through 2.8.2 allows remote attackers to cause a denial of service
| (out-of-bounds heap-memory access) or possibly have unspecified other
| impact via crafted image dimensions in Indeo Video Interactive data.
CVE-2015-8365[2]:
| The smka_decode_frame function in libavcodec/smacker.c in FFmpeg
| before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not
| verify that the data size is consistent with the number of channels,
| which allows remote attackers to cause a denial of service
| (out-of-bounds array access) or possibly have unspecified other impact
| via crafted Smacker data.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-8363
[1] https://security-tracker.debian.org/tracker/CVE-2015-8364
[2] https://security-tracker.debian.org/tracker/CVE-2015-8365
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ffmpeg
Source-Version: 7:2.8.3-1
We believe that the bug you reported is fixed in the latest version of
ffmpeg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Cadhalpun <[email protected]> (supplier of updated
ffmpeg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 28 Nov 2015 11:39:49 +0100
Source: ffmpeg
Binary: ffmpeg ffmpeg-dbg ffmpeg-doc libavcodec-ffmpeg56
libavcodec-ffmpeg-extra56 libavcodec-extra libavcodec-dev libavdevice-ffmpeg56
libavdevice-dev libavfilter-ffmpeg5 libavfilter-dev libavformat-ffmpeg56
libavformat-dev libavresample-ffmpeg2 libavresample-dev libavutil-ffmpeg54
libavutil-dev libpostproc-ffmpeg53 libpostproc-dev libswresample-ffmpeg1
libswresample-dev libswscale-ffmpeg3 libswscale-dev libav-tools
Architecture: source
Version: 7:2.8.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers
<[email protected]>
Changed-By: Andreas Cadhalpun <[email protected]>
Description:
ffmpeg - Tools for transcoding, streaming and playing of multimedia files
ffmpeg-dbg - Debug symbols for the FFmpeg multimedia framework
ffmpeg-doc - Documentation of the FFmpeg multimedia framework
libav-tools - Compatibility links for libav-tools (transitional package)
libavcodec-dev - FFmpeg library with de/encoders for audio/video codecs -
developm
libavcodec-extra - FFmpeg library with extra codecs (metapackage)
libavcodec-ffmpeg-extra56 - FFmpeg library with additional de/encoders for
audio/video codecs
libavcodec-ffmpeg56 - FFmpeg library with de/encoders for audio/video codecs -
runtime
libavdevice-dev - FFmpeg library for handling input and output devices -
developmen
libavdevice-ffmpeg56 - FFmpeg library for handling input and output devices -
runtime fi
libavfilter-dev - FFmpeg library containing media filters - development files
libavfilter-ffmpeg5 - FFmpeg library containing media filters - runtime files
libavformat-dev - FFmpeg library with (de)muxers for multimedia containers -
develo
libavformat-ffmpeg56 - FFmpeg library with (de)muxers for multimedia
containers - runtim
libavresample-dev - FFmpeg compatibility library for resampling - development
files
libavresample-ffmpeg2 - FFmpeg compatibility library for resampling - runtime
files
libavutil-dev - FFmpeg library with functions for simplifying programming -
devel
libavutil-ffmpeg54 - FFmpeg library with functions for simplifying programming
- runti
libpostproc-dev - FFmpeg library for post processing - development files
libpostproc-ffmpeg53 - FFmpeg library for post processing - runtime files
libswresample-dev - FFmpeg library for audio resampling, rematrixing etc. -
developme
libswresample-ffmpeg1 - FFmpeg library for audio resampling, rematrixing etc.
- runtime f
libswscale-dev - FFmpeg library for image scaling and various conversions -
develo
libswscale-ffmpeg3 - FFmpeg library for image scaling and various conversions
- runtim
Closes: 806519
Changes:
ffmpeg (7:2.8.3-1) unstable; urgency=medium
.
* Switch debian/watch to xz instead of gz.
* Import new upstream bugfix release 2.8.3.
Fixes CVE-2015-8363, CVE-2015-8364 and CVE-2015-8365. (Closes: #806519)
* Respect CC and CXX from the environment in debian/rules.
Checksums-Sha1:
0f4e81bdbdb5ade110af1b17f44f72df3ca29bb2 4734 ffmpeg_2.8.3-1.dsc
a6f39efe1bea9a9b271c903d3c1dcb940a510c87 7199216 ffmpeg_2.8.3.orig.tar.xz
ed92b051f003da5aa0a59505f5c306fb392f1132 41348 ffmpeg_2.8.3-1.debian.tar.xz
Checksums-Sha256:
a99a86ad728893913f04cb7cd6b74ddcfece8ba89307c28a3147282d1b722f0c 4734
ffmpeg_2.8.3-1.dsc
18e22e3866d3b5fefcb1911c0d87ae8ababc30b7ea15901c1cf02885ccf6704a 7199216
ffmpeg_2.8.3.orig.tar.xz
3595f2a91905dfdf1e6bf416a0fab7111992a67382bd0003eec253643f6cced5 41348
ffmpeg_2.8.3-1.debian.tar.xz
Files:
f3051d407652a6c9ff2763497faff201 4734 video optional ffmpeg_2.8.3-1.dsc
2af2723dd53364ac0635efd20cf6e34e 7199216 video optional
ffmpeg_2.8.3.orig.tar.xz
6137c4c5a35de9fdea7aebb3a2d6ab3d 41348 video optional
ffmpeg_2.8.3-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJWWYvxAAoJEPZk0la0aRp9i7MP/0i5iPSi0Num5UsgdunhU3jV
9Q/51uN73OT/noqVJULBVeTzp4tlb9s16z7Mt2G/YqJ2Vwi1uHoxu+uvIUZPqWKs
VG+lqoEJK5O1KsRG9R6zVH1X9Akbe9zum8Mk6AWgJOVzUb0Sry4kE8n7V6N21xcA
+ymQ8zPVU99P4k04pXgH7IGnRuY/1HRZ6yd6TSLEOrcn/ksp30YFRPRUUy+jknof
s5ax8Fpe3310Iwnj7nbuw9KCuBUwz+fAE1oZqKDYpb7XMTnqBDnM6P6MzTRSPHVb
Pcayqppc+L7CGwaOiB+T+QZXgfB+bxbRNvGSkS2Tttwwa9ZF6c5+9luHiOl7taSS
ntW0eeoUOQxD2wtPidp9z21yRggFSAPMk1RAbFws31dg0XyyE4TlVFbFymBJRRYo
YOqm3eX+zOQ+oGGq8dhs0n9RAK7Oohs5H7FPfzy+vpdpvYm4ZVnMQw+bwgajmxxV
reNVliLhvMY3V3L4V97Arsnk+Ky/olPxHYRdS2csp+b3n4d3U5QrK+qxub+3I1bG
ovFV9rR+7zjDZJnKpXyLxFTewECP3vxRIbor7mD+eJFreiV8pPWk1NyUsYsA4njh
PsJZvCzYt2Hjs5gJ2pswvcCtdTMHSkvHGUbqQk8yme2ZpLYWKT6OUXYi3fQI6x8Q
asSQtNgCmB3ttidB0o3M
=9Sqx
-----END PGP SIGNATURE-----
--- End Message ---