Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization

Moritz Muehlenhoff jmm at inutil.org
Tue Feb 9 20:34:31 UTC 2010


On Tue, Feb 09, 2010 at 09:53:46AM +0100, Reinhard Tartler wrote:
> On Thu, Jan 28, 2010 at 22:26:45 (CET), Moritz Muehlenhoff wrote:
> 
> > On Fri, Jan 22, 2010 at 06:10:55PM +0100, Moritz Muehlenhoff wrote:
> >> On Wed, Jan 13, 2010 at 09:28:43AM +0100, Reinhard Tartler wrote:
> >> > found 550442 0.svn20080206-18
> >> > stop
> >> > 
> >> > On Sat, Dec 05, 2009 at 00:33:02 (CET), Reinhard Tartler wrote:
> >> > 
> >> > > Moritz Muehlenhoff <jmm at inutil.org> writes:
> >> > >
> >> > >> Sorry, this slipped through. An update for stable-security would be very
> >> > >> welcome.
> >> > >
> >> > > Test packages (both amd64 and i386) with build logs can be found at
> >> > > http://pkg-multimedia.alioth.debian.org/ffmpeg-lenny/ for now.
> >> > >
> >> > > Please note that because lenny does *not* ship FFmpeg 0.5 but an earlier
> >> > > snapshot, not all patches did apply cleanly.  I did my best to backport
> >> > > all patches, but I needed to drop three of them:
> >> > >
> >> > > security/libavcodec/mpegaudiodec/0002-Check-data_size-in-decode_frame_mp3on4.patch
> >> > > security/libavformat/mov/0003-check-stream-existence-before-assignment-fix-1222.patch
> >> > > security/libavcodec/vp3/0003-Make-sure-that-all-memory-allocations-succeed.patch
> >> > >
> >> > > The biggest problem is that I haven't tested them yet. Testers very
> >> > > welcome!
> >> > >
> >> > > If I get positive feedback, or Moritz asks me to do so, I'll of course
> >> > > upload to security.debian.org immediately.
> >> > 
> >> > ping?
> >> > Any interest from the security team having this in lenny?
> >> 
> >> Sorry, I've been busy. I'll test, review and release.
> >
> > Updates are tested and building, should appear soon.
> 
> ping? I've noticed a failed upload, but no packages in the archive nor
> any announcement. Are we still on track?

Packages are built on security-master and tested. I've been waiting for CVE
assignment from either CERT or MITRE for more than a week now. If they
don't react soon, I'll just go ahead and release w/o CVE IDs.

Cheers,
        Moritz




