Bug#570713: ffmpeg: remaining vulnerabilities from bug #550442

Reinhard Tartler siretart at tauware.de
Sun Feb 21 10:20:22 UTC 2010


On Sat, Feb 20, 2010 at 22:02:51 (CET), Michael Gilbert wrote:

> package: ffmpeg
> version: 0.svn20080206-18
> severity: serious
> tags: security
>
> hi, i have just tested the latest ffmpeg update against the original
> proof of concepts [0] reported in bug #550442 [1].  many of them are
> still effective.  there is some good news though; i've found that
> upstream has addressed all of the problems in their latest svn version.
> attached are my findings.

Can you please rerun your tests using this branch:
/srv/scratch/packages/ffmpeg/upstream/ffmpeg-0.5

I'm working on getting an 0.5.1 point release released RSN which will
get into squeeze. Fixing these security bugs there is a higher priority
for me than fixing 0.svn20080206-18.

Unfortunately I'm very busy this week and cannot promise to work on that
until next weekend.

> reference [2] may be useful to track down the other needed patches; or
> it may be easier to just upgrade to a new svn (however, the patches
> still need to be determined for stable).

I don't think it's really worth tracking dos-only fixes. FFmpeg is very
performance tuned, and AFAIUI upstream does consider dos-only fixes only
on a best effort basis as long as it doesn't impair performance.

Crashers that allow remote code execution however are another issue that
needs to be investigated.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4





More information about the pkg-multimedia-maintainers mailing list