On 02/16/2012 10:36 AM, Reinhard Tartler wrote: > > We probably want to check and backport these commits and backport them > to stable. I'm forwarding this list so that the discussion is archived > properly.
Here is my assessment on all but 2 of them: ================================================================================ CVE-2012-0847 FFmpeg ae21776207e8a2bbe268e7c9e203f7599dd87ddb lavfi: add missing check in avfilter_filter_samples() - Not applicable to Libav. Relates to lavfi audio filters. ================================================================================ CVE-2012-0848 FFmpeg 5257743aee0c3982f0079e6553aabc6aa39401d2 ws_snd1: Fix wrong samples count and crash. - Ok. Need to cherry-pick. ================================================================================ CVE-2012-0849 FFmpeg 1f99939a6361e2e6d6788494dd7c682b051c6c34 j2kdec: Fix integer overflow leading to a segfault - Not applicable to Libav. Relates to jpeg2k decoder. ================================================================================ CVE-2012-0850 FFmpeg 944f5b2779e4aa63f7624df6cd4de832a53db81b aacsbr: Fix memory corruption. - Was fixed slightly differently in 17ce52912f59a74ecc265e062578fb1181456e18 ================================================================================ CVE-2012-0852 FFmpeg 608708009f69ba4cecebf05120c696167494c897 adpcm: Fix crash - Was fixed differently in bb5b3940b08d8dad5b7e948e8f3b02cd2eb70716 ================================================================================ CVE-2012-0853 FFmpeg 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016 atrac3: Fix crash in tonal component decoding. - Ok. Need to cherry-pick. ================================================================================ CVE-2012-0854 FFmpeg 6d8e6fe9dbc365f50521cf0c4a5ffee97c970cb5 CODEC_ID_SOL_DPCM: Fix used write buffer. - Was fixed in 529a25d6e5c3ff889257a57042872d84dc2312d5 ================================================================================ CVE-2012-0855 FFmpeg 3eedf9f716733b3b4c5205726d2c1ca52b3d3d78 j2kdec: Check curtileno for validity - Not applicable to Libav. Relates to jpeg2k decoder. ================================================================================ CVE-2012-0857 FFmpeg 282bb02839b1ce73963c8e3ee46804f1ade8b12a j2kdec: Fix crash in get_qcx - Not applicable to Libav. Relates to jpeg2k decoder. ================================================================================ CVE-2012-0858 FFmpeg 18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c shorten: Fix invalid free() - Ok. Need to cherry-pick (with a much better description though) ================================================================================ CVE-2012-0859 FFmpeg 6fcf2bb8af0e7d6bb179e71e67e5fab8ef0d2ec2 vorbis: Fix last quarter of CVE-2011-3893 - I'm fairly certain we already fixed this. ================================================================================ _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
