On Thu, Nov 03, 2011 at 14:56:51 (CET), Yves-Alexis Perez wrote:

>> As for 3362 & 3973, I believe both have been fixed by this commit:
>> http://git.libav.org/?p=libav.git;a=commitdiff;h=4a71da0f3ab7f5542decd11c81994f849d5b2c78
>>
>> This commit has also been merged into FFmpeg. That imported commit is
>> also referenced in the CVE description of CVE-2011-3973, so I assume
>> that this is the correct fix.
>
> Looks like that, yes.
>
>> For CVE-2011-3362, FFmpeg changed the signedness of two variables in the
>> function decode_residual_block(). I'd be curious to see a sample that
>> still exploits Libav's cavs decoder without that signedness
>> change. Until I'm presented an exploit that demonstrates this issue, I'm
>> going to assume that CVE-2011-3362 is fixed by the same patch that fixed
>> CVE-2011-3973.
>
> Shouldn't it be safe to still fix the signed-ness?

Feel free to propose such a patch. I've tried to come up with a proper
explanation of what the signedness change is going to fix, but I failed. If
only there existed a sample exploit that showed that libav 0.5.5 is still
vulnerable…

>> Now for CVE-2011-3504, which concerns an allocation error in the
>> matroska decoder. I strongly believe that this has been fixed by this
>> commit:
>> http://git.libav.org/?p=libav.git;a=commitdiff;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec
>>
>> Unlike the CVE report, the commit message refers to MSVR-11-0080, which
>> does not seem to exist in bing at all. I currently assume that the CVE
>> is right and the commit message (which was imported from FFmpeg without
>> further checking) should have referenced MSVR11-011 instead.
>>
>> In any case, I've just backported both patches to the 0.5 branch:
>> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.5
>
> Thanks.

Released 0.5.5 & updated the branch now.

>> Feedback and tests welcome.
>>
>> If nobody disagrees and nothing else pops up until let's say Friday,
>> I'm going to roll 0.5.5 tarballs.
>>
>> Does this work for everyone?
>>
> Works for me at least, notwithstanding the 3362 fix.

Moritz seems to be OK with this:

On Thu, Nov 03, 2011 at 22:30:11 (CET), Moritz Muehlenhoff wrote:

[...]
> The rest sounds good to me. I'm going to upload 0.5.5-1 to stable-security
> later today, unless someone objects. (it needs to be approved manually
> anyways)

Cheers,
Reinhard.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
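As an added illustration (not code from this thread or from libav), this is the defect class a signed-to-unsigned change on a bounds-checked index is usually meant to close: an upper-bound-only comparison that a negative index slips past. The table size, index values and function names are constructed; nothing here is taken from decode_residual_block().

```c
#include <stddef.h>

/* Constructed example: a 64-entry coefficient table addressed by an index
 * derived from untrusted bitstream data. Not the libav cavs code. */
#define TABLE_SIZE 64

/* "Before": signed index, upper-bound check only. A negative index
 * satisfies the comparison and would address memory below the table.
 * Returns 1 if the access is accepted, 0 if rejected. */
int accept_signed(int index)
{
    return index < TABLE_SIZE;              /* -1 < 64 is true */
}

/* Same single comparison after the variable is made unsigned: a value
 * that was negative as int is now a large positive and is rejected. */
int accept_unsigned(unsigned int index)
{
    return index < TABLE_SIZE;              /* (unsigned)-1 is UINT_MAX */
}

/* Equivalent fix that keeps the signed type and checks both ends. */
int accept_signed_both_ends(int index)
{
    return index >= 0 && index < TABLE_SIZE;
}

enum variant { SIGNED_UPPER_ONLY, UNSIGNED_UPPER_ONLY, SIGNED_BOTH_ENDS };

/* Feeds a constructed set of index values to one check variant and counts
 * the out-of-range values it lets through (the "escapes"). */
int count_escapes(enum variant v)
{
    const int sample[] = { 0, 63, 64, -1, -64, 100 };  /* constructed */
    int escapes = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        int idx = sample[i];
        int in_range = idx >= 0 && idx < TABLE_SIZE;
        int accepted;
        switch (v) {
        case SIGNED_UPPER_ONLY:   accepted = accept_signed(idx);                 break;
        case UNSIGNED_UPPER_ONLY: accepted = accept_unsigned((unsigned int)idx); break;
        default:                  accepted = accept_signed_both_ends(idx);       break;
        }
        if (accepted && !in_range)
            escapes++;
    }
    return escapes;
}
```

Whether the real decoder's two variables ever take negative values is exactly the open question in the thread; the example only shows why a signedness change is a plausible answer when they can.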
