Your message dated Sat, 28 Nov 2015 12:34:01 +0000
with message-id <[email protected]>
and subject line Bug#806519: fixed in ffmpeg 7:2.8.3-1
has caused the Debian Bug report #806519,
regarding ffmpeg: CVE-2015-8363 CVE-2015-8364 CVE-2015-8365
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
806519: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806519
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ffmpeg
Version: 7:2.8.2-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerabilities were published for ffmpeg.

CVE-2015-8363[0]:
| The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in
| FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does
| not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which
| allows remote attackers to cause a denial of service (out-of-bounds
| heap-memory access) or possibly have unspecified other impact via a
| crafted image with two or more of these markers.

CVE-2015-8364[1]:
| Integer overflow in the ff_ivi_init_planes function in
| libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x
| through 2.8.2 allows remote attackers to cause a denial of service
| (out-of-bounds heap-memory access) or possibly have unspecified other
| impact via crafted image dimensions in Indeo Video Interactive data.

CVE-2015-8365[2]:
| The smka_decode_frame function in libavcodec/smacker.c in FFmpeg
| before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not
| verify that the data size is consistent with the number of channels,
| which allows remote attackers to cause a denial of service
| (out-of-bounds array access) or possibly have unspecified other impact
| via crafted Smacker data.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8363
[1] https://security-tracker.debian.org/tracker/CVE-2015-8364
[2] https://security-tracker.debian.org/tracker/CVE-2015-8365

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ffmpeg
Source-Version: 7:2.8.3-1

We believe that the bug you reported is fixed in the latest version of
ffmpeg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Cadhalpun <[email protected]> (supplier of updated 
ffmpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 28 Nov 2015 11:39:49 +0100
Source: ffmpeg
Binary: ffmpeg ffmpeg-dbg ffmpeg-doc libavcodec-ffmpeg56 
libavcodec-ffmpeg-extra56 libavcodec-extra libavcodec-dev libavdevice-ffmpeg56 
libavdevice-dev libavfilter-ffmpeg5 libavfilter-dev libavformat-ffmpeg56 
libavformat-dev libavresample-ffmpeg2 libavresample-dev libavutil-ffmpeg54 
libavutil-dev libpostproc-ffmpeg53 libpostproc-dev libswresample-ffmpeg1 
libswresample-dev libswscale-ffmpeg3 libswscale-dev libav-tools
Architecture: source
Version: 7:2.8.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers 
<[email protected]>
Changed-By: Andreas Cadhalpun <[email protected]>
Description:
 ffmpeg     - Tools for transcoding, streaming and playing of multimedia files
 ffmpeg-dbg - Debug symbols for the FFmpeg multimedia framework
 ffmpeg-doc - Documentation of the FFmpeg multimedia framework
 libav-tools - Compatibility links for libav-tools (transitional package)
 libavcodec-dev - FFmpeg library with de/encoders for audio/video codecs - 
developm
 libavcodec-extra - FFmpeg library with extra codecs (metapackage)
 libavcodec-ffmpeg-extra56 - FFmpeg library with additional de/encoders for 
audio/video codecs
 libavcodec-ffmpeg56 - FFmpeg library with de/encoders for audio/video codecs - 
runtime
 libavdevice-dev - FFmpeg library for handling input and output devices - 
developmen
 libavdevice-ffmpeg56 - FFmpeg library for handling input and output devices - 
runtime fi
 libavfilter-dev - FFmpeg library containing media filters - development files
 libavfilter-ffmpeg5 - FFmpeg library containing media filters - runtime files
 libavformat-dev - FFmpeg library with (de)muxers for multimedia containers - 
develo
 libavformat-ffmpeg56 - FFmpeg library with (de)muxers for multimedia 
containers - runtim
 libavresample-dev - FFmpeg compatibility library for resampling - development 
files
 libavresample-ffmpeg2 - FFmpeg compatibility library for resampling - runtime 
files
 libavutil-dev - FFmpeg library with functions for simplifying programming - 
devel
 libavutil-ffmpeg54 - FFmpeg library with functions for simplifying programming 
- runti
 libpostproc-dev - FFmpeg library for post processing - development files
 libpostproc-ffmpeg53 - FFmpeg library for post processing - runtime files
 libswresample-dev - FFmpeg library for audio resampling, rematrixing etc. - 
developme
 libswresample-ffmpeg1 - FFmpeg library for audio resampling, rematrixing etc. 
- runtime f
 libswscale-dev - FFmpeg library for image scaling and various conversions - 
develo
 libswscale-ffmpeg3 - FFmpeg library for image scaling and various conversions 
- runtim
Closes: 806519
Changes:
 ffmpeg (7:2.8.3-1) unstable; urgency=medium
 .
   * Switch debian/watch to xz instead of gz.
   * Import new upstream bugfix release 2.8.3.
     Fixes CVE-2015-8363, CVE-2015-8364 and CVE-2015-8365. (Closes: #806519)
   * Respect CC and CXX from the environment in debian/rules.
Checksums-Sha1:
 0f4e81bdbdb5ade110af1b17f44f72df3ca29bb2 4734 ffmpeg_2.8.3-1.dsc
 a6f39efe1bea9a9b271c903d3c1dcb940a510c87 7199216 ffmpeg_2.8.3.orig.tar.xz
 ed92b051f003da5aa0a59505f5c306fb392f1132 41348 ffmpeg_2.8.3-1.debian.tar.xz
Checksums-Sha256:
 a99a86ad728893913f04cb7cd6b74ddcfece8ba89307c28a3147282d1b722f0c 4734 
ffmpeg_2.8.3-1.dsc
 18e22e3866d3b5fefcb1911c0d87ae8ababc30b7ea15901c1cf02885ccf6704a 7199216 
ffmpeg_2.8.3.orig.tar.xz
 3595f2a91905dfdf1e6bf416a0fab7111992a67382bd0003eec253643f6cced5 41348 
ffmpeg_2.8.3-1.debian.tar.xz
Files:
 f3051d407652a6c9ff2763497faff201 4734 video optional ffmpeg_2.8.3-1.dsc
 2af2723dd53364ac0635efd20cf6e34e 7199216 video optional 
ffmpeg_2.8.3.orig.tar.xz
 6137c4c5a35de9fdea7aebb3a2d6ab3d 41348 video optional 
ffmpeg_2.8.3-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWWYvxAAoJEPZk0la0aRp9i7MP/0i5iPSi0Num5UsgdunhU3jV
9Q/51uN73OT/noqVJULBVeTzp4tlb9s16z7Mt2G/YqJ2Vwi1uHoxu+uvIUZPqWKs
VG+lqoEJK5O1KsRG9R6zVH1X9Akbe9zum8Mk6AWgJOVzUb0Sry4kE8n7V6N21xcA
+ymQ8zPVU99P4k04pXgH7IGnRuY/1HRZ6yd6TSLEOrcn/ksp30YFRPRUUy+jknof
s5ax8Fpe3310Iwnj7nbuw9KCuBUwz+fAE1oZqKDYpb7XMTnqBDnM6P6MzTRSPHVb
Pcayqppc+L7CGwaOiB+T+QZXgfB+bxbRNvGSkS2Tttwwa9ZF6c5+9luHiOl7taSS
ntW0eeoUOQxD2wtPidp9z21yRggFSAPMk1RAbFws31dg0XyyE4TlVFbFymBJRRYo
YOqm3eX+zOQ+oGGq8dhs0n9RAK7Oohs5H7FPfzy+vpdpvYm4ZVnMQw+bwgajmxxV
reNVliLhvMY3V3L4V97Arsnk+Ky/olPxHYRdS2csp+b3n4d3U5QrK+qxub+3I1bG
ovFV9rR+7zjDZJnKpXyLxFTewECP3vxRIbor7mD+eJFreiV8pPWk1NyUsYsA4njh
PsJZvCzYt2Hjs5gJ2pswvcCtdTMHSkvHGUbqQk8yme2ZpLYWKT6OUXYi3fQI6x8Q
asSQtNgCmB3ttidB0o3M
=9Sqx
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to