Bug#641478: Upload of ffmpeg for Squeeze

Moritz Muehlenhoff jmm at inutil.org
Thu Nov 3 21:30:11 UTC 2011


On Wed, Nov 02, 2011 at 09:57:21PM +0100, Reinhard Tartler wrote:
> On Mi, Nov 02, 2011 at 15:33:20 (CET), Yves-Alexis Perez wrote:
> 
> > I'm considering the various open issues in ffmpeg in Squeeze
> > (CVE-2011-{3362,3504,3973,3974}).
> 
> I'm currently investigating these issues. Let's first discuss the CAVS
> related ones (3362,3973,3974):
> 
> 3974 seems to have been allocated in error, as it even references the
> same commit as 3973. What is the procedure to request it
> removed/invalidated?

MITRE loves to split hairs: While it was fixed in a single commit,
while some of the missing bitstream validations only lead to denial of
service, the integer overflow allows code injection. Arguing around
this will probably be a waste of time, let's just use both IDs.
(Also the IDs have already been in use for quite some time and changing
them would only cause more confusion).

The rest sounds good to me.

Cheers,
        Moritz





More information about the pkg-multimedia-maintainers mailing list