[Git][security-tracker-team/security-tracker][master] ffmpeg triage

Moritz Muehlenhoff Thu, 12 Jul 2018 03:42:59 -0700

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker



Commits:
38ffdb18 by Moritz Muehlenhoff at 2018-07-12T12:41:48+02:00
ffmpeg triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1440,28 +1440,34 @@ CVE-2018-13306
        RESERVED
 CVE-2018-13305 (In FFmpeg 4.0.1, due to a missing check for negative values of 
the ...)
        - ffmpeg <unfixed>
+       [stretch] - ffmpeg <not-affected> (Vulnerable code not present)
        - libav <undetermined>
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/d08d4a8c7387e758d439b0592782e4cfa2b4d6a4
 CVE-2018-13304 (In libavcodec in FFmpeg 4.0.1, improper maintenance of the 
consistency ...)
        - ffmpeg <unfixed>
+       [stretch] - ffmpeg <not-affected> (Vulnerable code not present)
        - libav <undetermined>
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/bd27a9364ca274ca97f1df6d984e88a0700fb235
 CVE-2018-13303 (In FFmpeg 4.0.1, a missing check for failure of a call to ...)
        - ffmpeg <unfixed>
+       [stretch] - ffmpeg <not-affected> (Vulnerable code not present)
        - libav <undetermined>
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/00e8181bd97c834fe60751b0c511d4bb97875f78
 CVE-2018-13302 (In FFmpeg 4.0.1, improper handling of frame types (other than 
...)
        - ffmpeg 7:3.4.3-1
        - libav <undetermined>
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/ed22dc22216f74c75ee7901f82649e1ff725ba50
+       NOTE: Fixed in 3.2.11
 CVE-2018-13301 (In FFmpeg 4.0.1, due to a missing check of a profile value 
before ...)
-       - ffmpeg <unfixed>
+       - ffmpeg <unfixed> (low)
+       [stretch] - ffmpeg <postponed> (Can be fixed when new 3.2.x release 
fixes it)
        - libav <undetermined>
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/2aa9047486dbff12d9e040f917e5f799ed2fd78b
 CVE-2018-13300 (In FFmpeg 4.0.1, an improper argument (AVCodecParameters) 
passed to the ...)
        - ffmpeg 7:3.4.3-1
        - libav <undetermined>
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/95556e27e2c1d56d9e18f5db34d6f756f3011148
+       NOTE: Fixed in 3.2.11
 CVE-2018-13299
        RESERVED
 CVE-2018-13298
@@ -3559,8 +3565,8 @@ CVE-2018-12459 (An inconsistent bits-per-sample value in 
the ...)
 CVE-2018-12458 (An improper integer type in the mpeg4_encode_gop_header 
function in ...)
        [experimental] - ffmpeg 7:4.0.1-1 (low)
        - ffmpeg 7:3.4.3-1 (low)
-       [stretch] - ffmpeg <postponed> (Can be fixed when new 3.2.x release 
fixes it)
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/e1182fac1afba92a4975917823a5f644bee7e6e8
+       NOTE: Fixed in 3.2.11
 CVE-2018-12457 (expressCart before 1.1.6 allows remote attackers to create an 
admin ...)
        NOT-FOR-US: expressCart
 CVE-2018-12456
@@ -10012,9 +10018,9 @@ CVE-2018-10002
        RESERVED
 CVE-2018-10001 (The decode_init function in libavcodec/utvideodec.c in FFmpeg 
through ...)
        - ffmpeg 7:3.4.3-1 (low)
-       [stretch] - ffmpeg <postponed> (Can wait until the next ffmpeg 3.2.x 
release)
        NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=47b7c68ae54560e2308bdb6be4fb076c73b93081
        - libav <undetermined>
+       NOTE: Fixed in 3.2.11
 CVE-2018-10000 (The Video Downloader professional extension before 2018-04-05 
for ...)
        NOT-FOR-US: The Video Downloader professional extension for Chrome
 CVE-2017-18260 (Dolibarr ERP/CRM is affected by multiple SQL injection 
vulnerabilities ...)
@@ -47745,7 +47751,7 @@ CVE-2017-14051 (An integer overflow in the 
qla2x00_sysfs_write_optrom_ctl functi
        NOTE: https://patchwork.kernel.org/patch/9929625/
        NOTE: Non issue, only "exploitable" with root access
 CVE-2017-14034 (The restore_tqb_pixels function in hevc_filter.c in 
libavcodec, as used ...)
-       - ffmpeg <undetermined>
+       NOT-FOR-US: libbpg
        NOTE: Issue 3 from https://github.com/ebel34/bpg-web-encoder/issues/1
 CVE-2017-14033 (The decode method in the OpenSSL::ASN1 module in Ruby before 
2.2.8, ...)
        {DSA-4031-1 DLA-1114-1}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/38ffdb18893eede75473e3f7b7816d3924962c2e

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/38ffdb18893eede75473e3f7b7816d3924962c2e
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] ffmpeg triage

Reply via email to