Bug#688847: libav: multiple CVEs in ffmpeg/libav
On Tue, Dec 25, 2012 at 11:31 AM, Moritz Mühlenhoff j...@inutil.org wrote:
> On Mon, Oct 15, 2012 at 05:38:37AM -0400, Reinhard Tartler wrote:
>>> None of these are merged into 0.5.x, has the code diverged so much?
>>
>> I arrived only today from my two week trip and will work on backports for 0.7-0.5 this week.
>>
>> Sorry for the delay.
>
> Merry Christmas Reinhard, did you have a chance to work on this in the meantime?

Later than anticipated, but 0.8.5-1 is now finally in unstable.

Moritz, last time you did some extensive testing and reported the results to the RMs. Can you do so this time again?

Thanks,
Reinhard

--
regards,
Reinhard

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#688847: libav: multiple CVEs in ffmpeg/libav
On Mon, Oct 15, 2012 at 05:38:37AM -0400, Reinhard Tartler wrote:
>> None of these are merged into 0.5.x, has the code diverged so much?
>
> I arrived only today from my two week trip and will work on backports for 0.7-0.5 this week.
>
> Sorry for the delay.

Merry Christmas Reinhard, did you have a chance to work on this in the meantime?

Cheers,
Moritz
Bug#688847: libav: multiple CVEs in ffmpeg/libav
On Sun, Oct 14, 2012 at 05:00:54PM -0400, Reinhard Tartler wrote:
> On Wed, Sep 26, 2012 at 4:22 AM, Yves-Alexis Perez cor...@debian.org wrote:
>> Source: libav
>> Severity: grave
>> Justification: user security hole
>>
>> Hi,
>>
>> it seems that a huge pile of CVE were allocated for ffmpeg/libav
>
> short status update: Most/all of the CVEs have now been backported upstream. Before releasing 0.8.4, I need to review the list to ensure that nothing was forgotten. You can help with this by reviewing the list here:
>
> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.8

Hi Reinhard,
I double-checked the list and the following CVE IDs fixed in the ffmpeg 0.11 release are not yet present in the 0.8 git branch (some are ffmpeg-specific I suppose):

CVE-2012-2774, 59a4b73531428d2f420b4dad545172c8483ced0f
CVE-2012-2782, 9a57a37b7041581c10629c8241260a5d7bfbc1e7
CVE-2012-2783, d85b3c4fff4c4b255232fcc01edbd57f19d60998
CVE-2012-2785, 326f7a68bbd429c63fd2f19f4050658982b5b081 d462949974668ffb013467d12dc4934b9106fe19
CVE-2012-2790, 2837d8dc276760db1821b81df3f794a90bfa56e6
CVE-2012-2791, 0846719dd11ab3f7a7caee13e7af71f71d913389
CVE-2012-2792, d442c4462a2692e27a24e1a9d0eb6f18725c7bd8
CVE-2012-2795, a0abefb0af64a311b15141062c77dd577ba590a3 2a7063de547b1d8fb1cef523469390fb59fb2c50 b3a43515827f3d22a881c33b87384f01c86786fd
CVE-2012-2796, 5e59a77cec804a9b44c60ea22c17beba6453ef23
CVE-2012-2797, cca9528524c7a4b91451f4322bd50849af5d057e
CVE-2012-2799, 64bd7f8e4db1742e86c5ed02bd530688b74063e3
CVE-2012-2803, 951cbea56fdc03ef96d07fbd7e5bed755d42ac8a
CVE-2012-2804, 4a80ebe491609e04110a1dd540a0ca79d3be3d04

None of these are merged into 0.5.x, has the code diverged so much?

Cheers,
Moritz
Bug#688847: libav: multiple CVEs in ffmpeg/libav
On Mon, Oct 15, 2012 at 3:39 AM, Moritz Muehlenhoff j...@inutil.org wrote:
> On Sun, Oct 14, 2012 at 05:00:54PM -0400, Reinhard Tartler wrote:
>> On Wed, Sep 26, 2012 at 4:22 AM, Yves-Alexis Perez cor...@debian.org wrote:
>>> Source: libav
>>> Severity: grave
>>> Justification: user security hole
>>>
>>> Hi,
>>>
>>> it seems that a huge pile of CVE were allocated for ffmpeg/libav
>>
>> short status update: Most/all of the CVEs have now been backported upstream. Before releasing 0.8.4, I need to review the list to ensure that nothing was forgotten. You can help with this by reviewing the list here:
>>
>> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.8
>
> Hi Reinhard,
> I double-checked the list and the following CVE IDs fixed in the ffmpeg 0.11 release are not yet present in the 0.8 git branch (some are ffmpeg-specific I suppose):
>
> CVE-2012-2774, 59a4b73531428d2f420b4dad545172c8483ced0f
> CVE-2012-2782, 9a57a37b7041581c10629c8241260a5d7bfbc1e7
> CVE-2012-2783, d85b3c4fff4c4b255232fcc01edbd57f19d60998
> CVE-2012-2785, 326f7a68bbd429c63fd2f19f4050658982b5b081 d462949974668ffb013467d12dc4934b9106fe19
> CVE-2012-2790, 2837d8dc276760db1821b81df3f794a90bfa56e6
> CVE-2012-2791, 0846719dd11ab3f7a7caee13e7af71f71d913389
> CVE-2012-2792, d442c4462a2692e27a24e1a9d0eb6f18725c7bd8
> CVE-2012-2795, a0abefb0af64a311b15141062c77dd577ba590a3 2a7063de547b1d8fb1cef523469390fb59fb2c50 b3a43515827f3d22a881c33b87384f01c86786fd
> CVE-2012-2796, 5e59a77cec804a9b44c60ea22c17beba6453ef23
> CVE-2012-2797, cca9528524c7a4b91451f4322bd50849af5d057e
> CVE-2012-2799, 64bd7f8e4db1742e86c5ed02bd530688b74063e3
> CVE-2012-2803, 951cbea56fdc03ef96d07fbd7e5bed755d42ac8a
> CVE-2012-2804, 4a80ebe491609e04110a1dd540a0ca79d3be3d04

Those are commits from ffmpeg, and do not necessarily apply to libav as well.

Our current working list looks like this:

fixed:
CVE-2012-2772 (cb7190cd2c691fd93e4d3664f3fce6c19ee001dd)
CVE-2012-2775 (9853e41aa0a6cfff629ff7009685eb8bf8d64e7f)
CVE-2012-2777 (c20a69630619d14ae92c5541d52c579d7c8f3e94)
CVE-2012-2779 (891918431db628db17885ed947ee387b29826a64)
CVE-2012-2784 (same as CVE-2012-2777)
CVE-2012-2785 (326f7a68bbd429c63fd2f19f4050658982b5b081 d462949974668ffb013467d12dc4934b9106fe19)
CVE-2012-2786 (ee715f49a06bf3898246d01b056284a9bb1bcbb9)
CVE-2012-2787 (b146d74730ab9ec5abede9066f770ad851e45fbc)
CVE-2012-2788 (0af49a63c7f87876486ab09482d5b26b95abce60)
CVE-2012-2789 (99f392a584dd10b553facc8e819f2c7e982e176d)
CVE-2012-2790 (66197988b1ee914825afbc3084e6da63f862068a)
CVE-2012-2792 (065b3a1cfa3f23aedf76244b3f3883ba913173ff)
CVE-2012-2793 (b631e4ed64f7d1b9ca8f897fda31140e8d1fad81)
CVE-2012-2796 (1100acbab26883007898c53efeb289f562c6e514)
CVE-2012-2776 (e4d4044339b9c3b0f45f7203cd026eda3c0414c0)
CVE-2012-2794 (2d09cdbaf2f449ba23d54e97e94bd97ca22208c6)
CVE-2012-2800 (ae3da0ae5550053583a6f281ea7fd940497ea0d1)
CVE-2012-2795 (607f57152c59bcec26caaf2060a86d96f76c4e8b f48fbf2eb5ba7015c65b31c266edf399dd6a82b1 6a99310fce49f51773ab7d8ffa4f4748bbf58db9)
CVE-2012-2798 (d05f72c75445969cd7bdb1d860635c9880c67fb6)
CVE-2012-2799 (d65d8347314b645051e336aed141aaf32a6c0d02)
CVE-2012-2801 (85f477935cd6b34e6ec2716b20e15ce748277a89)

submitted:
CVE-2012-2783 (has been oked, but looks shady)

invalid?:
CVE-2012-2774 -- ffmpeg fix is not a fix, it's unclear what real issue it is supposed to fix
CVE-2012-2804 -- same as above
CVE-2012-2782 -- Ronald says it does not apply to us
CVE-2012-2797 -- Justin says it's completely wrong
CVE-2012-2803 -- looks very shady

other:
CVE-2012-2791 (0846719dd11ab3f7a7caee13e7af71f71d913389) -- needs input from kostya
CVE-2012-2802 -- Justin said he'd fix it differently

> None of these are merged into 0.5.x, has the code diverged so much?

I arrived only today from my two week trip and will work on backports for 0.7-0.5 this week.

Sorry for the delay.

Cheers,
Reinhard

--
regards,
Reinhard
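A working list like the one in the message above can be reconciled mechanically against the ids in the original report before a release. The following Python is an added example, not code from the thread or from the libav or Debian projects; the function names, the `SAMPLE` excerpt and the `CVE-0000-0000` placeholder id are constructed for illustration.

```python
import re

SECTION = re.compile(r"^(fixed|submitted|invalid\?|other):$")
ENTRY = re.compile(r"^(CVE-\d{4}-\d{4,})\s*(?:\(([^)]*)\))?\s*(?:--\s*(.*))?$")
SHA = re.compile(r"\b[0-9a-f]{40}\b")
ALIAS = re.compile(r"same as (CVE-\d{4}-\d{4,})")

def parse_tracking(text):
    """Parse a sectioned status list into {cve: {status, commits, alias, note}}."""
    entries, status = {}, None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        section = SECTION.match(line)
        if section:
            status = section.group(1).rstrip("?")
            continue
        entry = ENTRY.match(line)
        if entry is None or status is None:
            raise ValueError(f"unparseable line: {line!r}")
        cve, paren, note = entry.group(1), entry.group(2) or "", entry.group(3) or ""
        commits, alias = SHA.findall(paren), ALIAS.search(paren)
        if paren and not commits and not alias:
            note = paren  # the parentheses held a remark, not commit ids
        entries[cve] = {"status": status, "commits": commits,
                        "alias": alias.group(1) if alias else None, "note": note}
    for item in entries.values():  # "same as CVE-x" inherits that entry's commits
        if item["alias"] in entries:
            item["commits"] = list(entries[item["alias"]]["commits"])
    return entries

def reconcile(reported, entries):
    """Compare the reported CVE ids with the parsed tracking list."""
    return {"untracked": sorted(set(reported) - set(entries)),
            "open": sorted(c for c in reported
                           if c in entries and entries[c]["status"] != "fixed")}

# Constructed excerpt in the shape of the thread's working list;
# CVE-0000-0000 is a placeholder for a reported id missing from the list.
SAMPLE = """fixed:
CVE-2012-2777 (c20a69630619d14ae92c5541d52c579d7c8f3e94)
CVE-2012-2784 (same as CVE-2012-2777)
submitted:
CVE-2012-2783 (has been oked, but looks shady)
invalid?:
CVE-2012-2782 -- Ronald says it does not apply to us
other:
CVE-2012-2802 -- Justin said he'd fix it differently
"""
REPORTED = ["CVE-2012-2777", "CVE-2012-2782", "CVE-2012-2783",
            "CVE-2012-2784", "CVE-2012-2802", "CVE-0000-0000"]

if __name__ == "__main__":
    print(reconcile(REPORTED, parse_tracking(SAMPLE)))
```

Ids listed under `open` are tracked but not marked fixed; ids under `untracked` appear in the report but nowhere in the list.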
Bug#688847: libav: multiple CVEs in ffmpeg/libav
On Wed, Sep 26, 2012 at 4:22 AM, Yves-Alexis Perez cor...@debian.org wrote:
> Source: libav
> Severity: grave
> Justification: user security hole
>
> Hi,
>
> it seems that a huge pile of CVE were allocated for ffmpeg/libav

short status update: Most/all of the CVEs have now been backported upstream. Before releasing 0.8.4, I need to review the list to ensure that nothing was forgotten. You can help with this by reviewing the list here:

http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.8

--
regards,
Reinhard
Bug#688847: libav: multiple CVEs in ffmpeg/libav
Source: libav
Severity: grave
Justification: user security hole

Hi,

it seems that a huge pile of CVE were allocated for ffmpeg/libav and are supposed to be fixed in 0.11:

CVE-2012-2772
CVE-2012-2774
CVE-2012-2775
CVE-2012-2776
CVE-2012-2777
CVE-2012-2779
CVE-2012-2782
CVE-2012-2783
CVE-2012-2784
CVE-2012-2785
CVE-2012-2786
CVE-2012-2787
CVE-2012-2788
CVE-2012-2789
CVE-2012-2790
CVE-2012-2791
CVE-2012-2792
CVE-2012-2793
CVE-2012-2794
CVE-2012-2795
CVE-2012-2796
CVE-2012-2797
CVE-2012-2798
CVE-2012-2799
CVE-2012-2800
CVE-2012-2801
CVE-2012-2802
CVE-2012-2803
CVE-2012-2804

As far as I can tell you're already aware of that, but so it's just a tracking bug.

Regards,
--
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash