Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
87c07f62 by Moritz Muehlenhoff at 2024-06-17T16:20:58+02:00
ffmpeg triage

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -18673,7 +18673,6 @@ CVE-2023-51794 (Buffer Overflow vulnerability in Ffmpeg 
v.N113007-g8d24a28d06 al
        {DSA-5712-1}
        [experimental] - ffmpeg 7:7.0-1
        - ffmpeg <unfixed>
-       [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
        [buster] - ffmpeg <postponed> (Pick up when fixed in 4.1.x)
        NOTE: https://trac.ffmpeg.org/ticket/10746
        NOTE: Fixed in 
https://github.com/ffmpeg/FFmpeg/commit/50f0f8c53c818f73fe2d752708e2fa9d2a2d8a07
 (n7.0)
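
Review bot: the reason for dropping the `[bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)` line is not recorded in this hunk or in the commit message ("ffmpeg triage"). With that line gone, bullseye has no release-specific annotation left in the visible entry and falls back to `- ffmpeg <unfixed>`, while `[buster]` stays postponed. If the intent is to reopen the bullseye issues for an update (the same commit adds `ffmpeg/oldstable` to data/dsa-needed.txt), say so in the commit message. The same applies to the identical removals for CVE-2023-51798, CVE-2023-51793 and CVE-2023-50010 in the following hunks.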
@@ -19959,7 +19958,6 @@ CVE-2023-51798 (Buffer Overflow vulnerability in Ffmpeg 
v.N113007-g8d24a28d06 al
        {DSA-5712-1}
        [experimental] - ffmpeg 7:7.0-1
        - ffmpeg <unfixed>
-       [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
        [buster] - ffmpeg <postponed> (Pick up when fixed in most related 
branch)
        NOTE: https://trac.ffmpeg.org/ticket/10758
        NOTE: Fixed in 
https://github.com/ffmpeg/FFmpeg/commit/68146f06f852078866b3ef1564556e3a272920c7
 (n7.0)
@@ -19992,7 +19990,6 @@ CVE-2023-51793 (Buffer Overflow vulnerability in Ffmpeg 
v.N113007-g8d24a28d06 al
        {DSA-5712-1}
        [experimental] - ffmpeg 7:7.0-1
        - ffmpeg <unfixed>
-       [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
        [buster] - ffmpeg <postponed> (Pick up when fixed in most related 
branch)
        NOTE: Fixed in 
https://github.com/FFmpeg/FFmpeg/commit/0ecc1f0e48930723d7a467761b66850811c23e62
 (n7.0)
        NOTE: https://trac.ffmpeg.org/ticket/10743
@@ -20017,7 +20014,6 @@ CVE-2023-50010 (Buffer Overflow vulnerability in Ffmpeg 
v.n6.1-3-g466799d4f5 all
        {DSA-5712-1}
        [experimental] - ffmpeg 7:7.0-1
        - ffmpeg <unfixed>
-       [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
        [buster] - ffmpeg <postponed> (Pick up when fixed in most related 
branch)
        NOTE: https://trac.ffmpeg.org/ticket/10702
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/e4d2666bdc3dbd177a81bbf428654a5f2fa3787a
 (n7.0)
@@ -20033,16 +20029,16 @@ CVE-2023-50008 (Buffer Overflow vulnerability in 
Ffmpeg v.n6.1-3-g466799d4f5 all
        [experimental] - ffmpeg 7:7.0-1
        - ffmpeg <unfixed>
        [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
-       [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
-       [buster] - ffmpeg <postponed> (Pick up when fixed in most related 
branch)
+       [bullseye] - ffmpeg <not-affected> (Vulnerable code not present)
+       [buster] - ffmpeg <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/5f87a68cf70dafeab2fb89b42e41a4c29053b89b
 (n7.0)
        NOTE: https://trac.ffmpeg.org/ticket/10701
 CVE-2023-50007 (Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 
allows a  ...)
        [experimental] - ffmpeg 7:7.0-1
        - ffmpeg <unfixed>
        [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
-       [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
-       [buster] - ffmpeg <postponed> (Pick up when fixed in most related 
branch)
+       [bullseye] - ffmpeg <not-affected> (Vulnerable code not present)
+       [buster] - ffmpeg <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/b1942734c7cbcdc9034034373abcc9ecb9644c47
 (n7.0)
        NOTE: https://trac.ffmpeg.org/ticket/10700
 CVE-2023-49963 (DYMO LabelWriter Print Server through 2.366 contains a 
backdoor hard-c ...)
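
Review bot: the new `<not-affected> (Vulnerable code not present)` lines for bullseye and buster under CVE-2023-50008 and CVE-2023-50007 give no pointer to how that was established. The NOTE lines in both entries reference only the n7.0 fix commits and the trac tickets. Please add a NOTE naming the commit or release that introduced the affected code, so the status can be rechecked later, especially as `[bookworm]` remains `<postponed>` (5.1.x) in the same entries and is therefore treated as affected.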
@@ -20544,8 +20540,8 @@ CVE-2024-31582 (FFmpeg version n6.1 was discovered to 
contain a heap buffer over
        [experimental] - ffmpeg 7:7.0-1
        - ffmpeg <unfixed>
        [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
-       [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
-       [buster] - ffmpeg <postponed> (Pick up when fixed in 4.1.x)
+       [bullseye] - ffmpeg <not-affected> (Vulnerable code not present)
+       [buster] - ffmpeg <not-affected> (Vulnerable code not present)
        NOTE: Fixed by 
https://github.com/ffmpeg/ffmpeg/commit/99debe5f823f45a482e1dc08de35879aa9c74bd2
 (n7.0)
 CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper 
validation o ...)
        [experimental] - ffmpeg 7:7.0-1
@@ -90993,7 +90989,6 @@ CVE-2023-1691 (Vulnerability of failures to capture 
exceptions in the communicat
        NOT-FOR-US: Huawei
 CVE-2022-48434 (libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in 
VLC and  ...)
        - ffmpeg 7:5.1.2-1
-       [bullseye] - ffmpeg <postponed> (Wait until it lands in 4.3.x)
        [buster] - ffmpeg <postponed> (Wait until the backport to 4.x)
        NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11
 (n6.1-dev)
        NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda
 (n5.1.2)
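
Review bot: for CVE-2022-48434 the removed bullseye line said "Wait until it lands in 4.3.x", but the remaining NOTE lines only reference the n6.1-dev and n5.1.2 commits. If the line is removed because the fix has reached the 4.3.x branch, add a NOTE with that backport commit. If it is removed only to reopen the issue for bullseye, the entry now relies on `- ffmpeg 7:5.1.2-1` alone, and nothing here tells the next person triaging why the postponement ended.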
@@ -135873,7 +135868,6 @@ CVE-2022-3342 (The Jetpack CRM plugin for WordPress 
is vulnerable to PHAR deseri
 CVE-2022-3341 (A null pointer dereference issue was discovered in 'FFmpeg' in 
decode_ ...)
        {DLA-3454-1}
        - ffmpeg 7:5.1-1
-       [bullseye] - ffmpeg <postponed> (Minor issue, wait until fixed in 4.3.x)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2157054
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e
 (n5.1)
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/08f0a18c3488b2fb8297ebba3684792da8a6606e
 (n4.1.11)
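
Review bot: the cross-reference block for CVE-2022-3341 still shows only `{DLA-3454-1}` after this hunk, although the data/DSA/list change in the same commit attaches the CVE to DSA-5394-1. Confirm that the `{...}` line here will be regenerated to include DSA-5394-1. Until that happens, removing the `[bullseye] ... <postponed>` line leaves bullseye compared against `- ffmpeg 7:5.1-1` with no fixed version recorded for it in this entry.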


=====================================
data/DSA/list
=====================================
@@ -1162,7 +1162,7 @@
        {CVE-2023-23920}
        [bullseye] - nodejs 12.22.12~dfsg-1~deb11u4
 [30 Apr 2023] DSA-5394-1 ffmpeg - security update
-       {CVE-2022-3109}
+       {CVE-2022-3109 CVE-2022-3341}
        [bullseye] - ffmpeg 7:4.3.6-0+deb11u1
 [22 Apr 2023] DSA-5393-1 chromium - security update
        {CVE-2023-2133 CVE-2023-2134 CVE-2023-2135 CVE-2023-2136 CVE-2023-2137}
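
Review bot: adding CVE-2022-3341 to DSA-5394-1 retroactively asserts that `7:4.3.6-0+deb11u1` contains the fix, but the CVE entry in data/CVE/list cites only the n5.1 and n4.1.11 commits, with nothing for the 4.3 branch. A NOTE in the CVE entry pointing at the 4.3.x commit that shipped in 4.3.6 would make this change to an advisory dated 30 Apr 2023 verifiable from the tracker data itself.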


=====================================
data/dsa-needed.txt
=====================================
@@ -18,7 +18,7 @@ dnsdist (jmm)
 --
 dnsmasq
 --
-ffmpeg/stable (jmm)
+ffmpeg/oldstable (jmm)
 --
 frr
   Tobias Frost (tobi) proposed to work on preparing an update, but discussion
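
Review bot: the `ffmpeg/oldstable (jmm)` entry carries no explanatory line, unlike the `frr` entry below it. Since this commit reopens several bullseye issues by removing their `<postponed>` annotations, a short indented note under the entry stating which CVEs the oldstable update is expected to cover would help anyone else reading dsa-needed.txt.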



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87c07f6212ea5e6787f399183a39e179aa22a3aa
