Bug#641478: Upload of ffmpeg for Squeeze

Yves-Alexis Perez corsac at debian.org
Thu Nov 3 13:56:51 UTC 2011


On Wed., 2011-11-02 at 21:57 +0100, Reinhard Tartler wrote:
> On Wed, Nov 02, 2011 at 15:33:20 (CET), Yves-Alexis Perez wrote:
> 
> > I'm considering the various open issues in ffmpeg in Squeeze
> > (CVE-2011-{3362,3504,3973,3974}).
> 
> I'm currently investigating these issues. Let's first discuss the CAVS
> related ones (3362,3973,3974):
> 
> 3974 seems to have been allocated in error, as it even references the
> same commit as 3973. What is the procedure to request it
> removed/invalidated?

I'm not too sure since I don't know who assigned it. Maybe mailing
someone at Mitre?
> 
> As for 3362 & 3973, I believe both have been fixed by this commit:
> http://git.libav.org/?p=libav.git;a=commitdiff;h=4a71da0f3ab7f5542decd11c81994f849d5b2c78
> 
> This commit has also been merged into FFmpeg. That imported commit is
> also referenced in the CVE description of CVE-2011-3973, so I assume
> that this is the correct fix.

Looks like that, yes.
> 
> For CVE-2011-3362, FFmpeg changed the signedness of two variables in the
> function decode_residual_block(). I'd be curious to see a sample that
> still exploits Libav's cavs decoder without that signedness
> change. Until I'm presented with an exploit that demonstrates this issue,
> I'm going to assume that CVE-2011-3362 is fixed by the same patch that
> fixed CVE-2011-3973.

Shouldn't it be safe to still fix the signedness?
> 
> Now for CVE-2011-3504, which concerns an allocation error in the
> matroska decoder. I strongly believe that this has been fixed by this
> commit:
> http://git.libav.org/?p=libav.git;a=commitdiff;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec
> 
> Unlike the CVE report, the commit message refers to MSVR-11-0080, which
> does not seem to exist in Bing at all. I currently assume that the CVE
> is right and the commit message (which was imported from FFmpeg without
> further checking) should have referenced MSVR11-011 instead.
> 
> In any case, I've just backported both patches to the 0.5 branch:
> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.5

Thanks.
> 
> Feedback and tests welcome.
> 
> If nobody disagrees and nothing else pops up until, let's say, Friday,
> I'm going to roll 0.5.5 tarballs.
> 
> Does this work for everyone?
> 
Works for me at least, notwithstanding the 3362 fix.

Regards,
-- 
Yves-Alexis