Author: sunweaver
Date: 2016-01-14 09:03:54 +0000 (Thu, 14 Jan 2016)
New Revision: 38903

Modified:
   data/CVE/list
Log:
ffmpeg: Triage new issues for squeeze-lts (tagging as end-of-life), plus 
various format fixes for false placement of other end-of-life tags on earlier 
triaged issues.

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2016-01-14 08:48:15 UTC (rev 38902)
+++ data/CVE/list       2016-01-14 09:03:54 UTC (rev 38903)
@@ -1,9 +1,11 @@
 CVE-2016-1898
        - ffmpeg <unfixed>
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <removed>
        NOTE: http://habrahabr.ru/company/mailru/blog/274855
 CVE-2016-1897
        - ffmpeg <unfixed>
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <removed>
        NOTE: http://habrahabr.ru/company/mailru/blog/274855
 CVE-2016-1867 [Out-of-bounds Read in the JasPer's jpc_pi_nextcprl() function]
@@ -1709,16 +1711,19 @@
        TODO: check
 CVE-2015-8663 (The ff_get_buffer function in libavcodec/utils.c in FFmpeg 
before ...)
        - ffmpeg <undetermined>
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <undetermined>
        NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=abee0a1c60612e8638640a8a3738fffb65e16dbf
        TODO: check
 CVE-2015-8662 (The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in 
FFmpeg ...)
        - ffmpeg <undetermined>
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <undetermined>
        NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=75422280fbcdfbe9dc56bde5525b4d8b280f1bc5
        TODO: check
 CVE-2015-8661 (The h264_slice_header_init function in libavcodec/h264_slice.c 
in ...)
        - ffmpeg <undetermined>
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <undetermined>
        NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=4ea4d2f438c9a7eba37980c9a87be4b34943e4d5
        TODO: check
@@ -9261,40 +9266,40 @@
        NOT-FOR-US: Auto-Exchanger
 CVE-2015-6826 (The ff_rv34_decode_init_thread_copy function in 
libavcodec/rv34.c in ...)
        - ffmpeg 7:2.7.2-1
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <undetermined>
-       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
 CVE-2015-6825 (The ff_frame_thread_init function in libavcodec/pthread_frame.c 
in ...)
        - ffmpeg 7:2.7.2-1
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <undetermined>
-       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
 CVE-2015-6824 (The sws_init_context function in libswscale/utils.c in FFmpeg 
before ...)
        - ffmpeg 7:2.7.2-1
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <undetermined>
-       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
 CVE-2015-6823 (The allocate_buffers function in libavcodec/alac.c in FFmpeg 
before ...)
        - ffmpeg 7:2.7.2-1
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <undetermined>
-       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
 CVE-2015-6822 (The destroy_buffers function in libavcodec/sanm.c in FFmpeg 
before ...)
        - ffmpeg 7:2.7.2-1
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <undetermined>
-       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
 CVE-2015-6821 (The ff_mpv_common_init function in libavcodec/mpegvideo.c in 
FFmpeg ...)
        - ffmpeg 7:2.7.2-1
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <undetermined>
-       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
 CVE-2015-6820 (The ff_sbr_apply function in libavcodec/aacsbr.c in FFmpeg 
before ...)
        - ffmpeg 7:2.7.2-1
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <undetermined>
-       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
 CVE-2015-6819 (Multiple integer underflows in the ff_mjpeg_decode_frame 
function in ...)
        - ffmpeg 7:2.7.2-1
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <undetermined>
-       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
 CVE-2015-6818 (The decode_ihdr_chunk function in libavcodec/pngdec.c in FFmpeg 
before ...)
        - ffmpeg 7:2.7.2-1
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <undetermined>
-       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
 CVE-2015-6814
        RESERVED
 CVE-2015-6813
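Review bot: The nine entries from CVE-2015-6826 down to CVE-2015-6818 change no status at all; each only moves the `[squeeze] - ffmpeg <end-of-life>` line from below `- libav <undetermined>` to directly below the ffmpeg line. Mixing these placement fixes into the same revision as the new squeeze triage makes it harder to see which entries actually gained a status. Suggest committing the reordering separately from the newly triaged issues.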
@@ -9613,11 +9618,11 @@
 CVE-2015-6761 (The update_dimensions function in libavcodec/vp8.c in FFmpeg 
through ...)
        {DSA-3376-1}
        - ffmpeg 7:2.8.1-1
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <undetermined>
        - chromium-browser 44.0.2403.157-1
        [wheezy] - chromium-browser <end-of-life>
        [squeeze] - chromium-browser <end-of-life>
-       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        NOTE: https://code.google.com/p/chromium/issues/detail?id=447860
        NOTE: https://code.google.com/p/chromium/issues/detail?id=532967
        NOTE: Starting with 44.0.2403.157-1 chromium uses the ffmpeg system copy
@@ -12872,10 +12877,10 @@
 CVE-2015-5479
        RESERVED
        - ffmpeg <not-affected> (Vulnerable code not present)
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <removed> (low)
        [jessie] - libav <no-dsa> (Minor issue, can be fixed along in a future 
DSA)
        [wheezy] - libav <no-dsa> (Minor issue, can be fixed along in a future 
DSA)
-       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        NOTE: Patch in libav: 
https://git.libav.org/?p=libav.git;a=commit;h=0a49a62f998747cfa564d98d36a459fe70d3299b
 CVE-2015-5478
        RESERVED
@@ -18860,7 +18865,6 @@
        [squeeze] - ffmpeg <not-affected> (Vulnerable code not present)
        - libav 6:11.4-1
        [wheezy] - libav <not-affected> (Vulnerable code not present)
-       [squeeze] - libav <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/e8714f6f93d1a32f4e4655209960afcf4c185214
 CVE-2015-3404 (The Certify module before 6.x-2.3 for Drupal does not properly 
perform ...)
        NOT-FOR-US: Certify module for Drupal
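Review bot: The removed line here is `[squeeze] - libav <not-affected> (Vulnerable code not present)`, which is neither an ffmpeg entry nor an end-of-life tag, so the log message does not cover it. The `[squeeze] - ffmpeg <not-affected>` line just above is kept, so after this change the entry no longer records anything for libav in squeeze. Please state in the log why the libav line is dropped, or move this removal to its own commit with that explanation.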
@@ -26625,14 +26629,14 @@
 CVE-2014-9604 (libavcodec/utvideodec.c in FFmpeg before 2.5.2 does not check 
for a ...)
        {DSA-3189-1}
        - ffmpeg 7:2.5.1-1
-       [squeeze] - ffmpeg <end-of-life>
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav 6:11.3-1 (bug #775593)
        NOTE: Applies to 0.8, but in different file (utvideo.c)
        NOTE: libav: 
https://git.libav.org/?p=libav.git;a=commit;h=0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d
        NOTE: ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3881606240953b9275a247a1c98a567f3c44890f
 CVE-2014-9603 (The vmd_decode function in libavcodec/vmdvideo.c in FFmpeg 
before ...)
        - ffmpeg 7:2.5.1-1
-       [squeeze] - ffmpeg <end-of-life>
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        - libav <not-affected> (Vulnerable code not present, reproducer tested 
with 8, 11 and trunk)
        NOTE: ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3030fb7e0d41836f8add6399e9a7c7b740b48bfd
 CVE-2014-9602 (libavcodec/xface.h in FFmpeg before 2.5.2 establishes certain 
digits ...)
@@ -29735,7 +29739,7 @@
 CVE-2014-9316 (The mjpeg_decode_app function in libavcodec/mjpegdec.c in 
FFMpeg ...)
        - libav <not-affected> (Vulnerable code not present, reproducer tested 
with 8, 11 and trunk)
        - ffmpeg 2.4.4-1
-       [squeeze] - ffmpeg <end-of-life>
+       [squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
        NOTE: ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=0eecf40935b22644e6cd74c586057237ecfd6844
 CVE-2014-9315
        RESERVED
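Review bot: In the CVE-2014-9316 entry, the context line `- ffmpeg 2.4.4-1` directly above the edited squeeze tag has no `7:` epoch, while the other ffmpeg fixed versions visible in this diff (`7:2.5.1-1`, `7:2.7.2-1`, `7:2.8.1-1`) all carry one. Since this entry is being touched anyway, it is worth checking whether the epoch is missing and correcting the version in the same pass.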


_______________________________________________
Secure-testing-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
