*** This bug is a security vulnerability *** Public security bug reported:
FFmpeg 2.5.5, fixing a number of crashes and other potentially security relevant issues, was released. From the upstream Changelog:

version 2.5.5:
- vp9: make above buffer pointer 32-byte aligned.
- avcodec/dnxhddec: Check that the frame is interlaced before using cur_field
- avformat/mov: Disallow ".." in dref unless use_absolute_path is set
- avformat/mov: Check for string truncation in mov_open_dref()
- avformat/mov: Use sizeof(filename) instead of a literal number
- eac3dec: fix scaling
- ac3_fixed: fix computation of spx_noise_blend
- ac3_fixed: fix out-of-bound read
- ac3dec_fixed: always use the USE_FIXED=1 variant of the AC3DecodeContext
- avcodec/012v: redesign main loop
- avcodec/012v: Check dimensions more completely
- asfenc: fix leaking asf->index_ptr on error
- avcodec/options_table: remove extradata_size from the AVOptions table
- ffmdec: limit the backward seek to the last resync position
- ffmdec: make sure the time base is valid
- ffmdec: fix infinite loop at EOF
- ffmdec: initialize f_cprv, f_stvi and f_stau
- avformat/rm: limit packet size
- avcodec/webp: validate the distance prefix code
- avcodec/rv10: check size of s->mb_width * s->mb_height
- eamad: check for out of bounds read
- mdec: check for out of bounds read
- arm: Suppress tags about used cpu arch and extensions
- aic: Fix decoding files with odd dimensions
- avcodec/tiff: move bpp check to after "end:"
- mxfdec: Fix the error handling for when strftime fails
- avcodec/opusdec: Fix delayed sample value
- avcodec/opusdec: Clear out pointers per packet
- avcodec/utils: Align YUV411 by as much as the other YUV variants
- vp9: fix segmentation map retention with threading enabled.
- webp: ensure that each transform is only used once
- doc/protocols/tcp: fix units of listen_timeout option value, from microseconds to milliseconds
- fix VP9 packet decoder returning 0 instead of the used data size
- avformat/flvenc: check that the codec_tag fits in the available bits
- avcodec/utils: use correct printf specifier in ff_set_sar
- avutil/imgutils: correctly check for negative SAR components
- swscale/utils: clear formatConvBuffer on allocation
- avformat/bit: only accept the g729 codec and 1 channel
- avformat/bit: check that pkt->size is 10 in write_packet
- avformat/adxdec: check avctx->channels for invalid values
- avformat/adxdec: set avctx->channels in adx_read_header
- Fix buffer_size argument to init_put_bits() in multiple encoders.
- mips/acelp_filters: fix incorrect register constraint
- avcodec/hevc_ps: Sanity checks for some log2_* values
- avcodec/zmbv: Check len before reading in decode_frame()
- avcodec/h264: Only reinit quant tables if a new PPS is allowed
- avcodec/snowdec: Fix ref value check
- swscale/utils: More carefully merge and clear coefficients outside the input
- avcodec/a64multienc: Assert that the Packet size does not grow
- avcodec/a64multienc: simplify frame handling code
- avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop
- avcodec/a64multienc: initialize mc_meta_charset to zero
- avcodec/a64multienc: don't set incorrect packet size
- avcodec/a64multienc: use av_frame_ref instead of copying the frame
- avcodec/x86/mlpdsp_init: Simplify mlp_filter_channel_x86()
- h264: initialize H264Context.avctx in init_thread_copy
- wtvdec: fix integer overflow resulting in errors with large files
- avcodec/gif: fix off by one in column offsetting finding

Since Debian already has the next major upstream version 2.6.1, syncing is probably incompatible with the vivid freeze. Thus I've created a vivid branch in the git repository on Alioth [1], where I imported 2.5.5. I'm attaching the debdiff.
I've tested the resulting package using the autopkgtests from 2.6.1-1, and only 2 failures remain of the 4 failures and 7 crashes with 2.5.4.

1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git

** Affects: ffmpeg (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "2.5.5.debdiff"
   https://bugs.launchpad.net/bugs/1436296/+attachment/4355449/+files/2.5.5.debdiff

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1436296

Title:
  FFmpeg security fixes March 2015

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1436296/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs