Bug#641478: [libav-devel] Bug#641478: Upload of ffmpeg for Squeeze

Reinhard Tartler siretart at tauware.de
Sat Nov 5 13:24:00 UTC 2011


On Do, Nov 03, 2011 at 14:56:51 (CET), Yves-Alexis Perez wrote:

>> As for 3362 & 3973, I believe both have been fixed by this commit:
>> http://git.libav.org/?p=libav.git;a=commitdiff;h=4a71da0f3ab7f5542decd11c81994f849d5b2c78
>> 
>> This commit has also been merged into FFmpeg. That imported commit is
>> also referenced in the CVE description of CVE-2011-3973, so I assume
>> that this is the correct fix.
>
> Looks like that, yes.
>> 
>> For CVE-2011-3362, FFmpeg changed the signedness of two variables in the
>> function decode_residual_block(). I'd be curious to see a sample that
>> still exploits Libav's cavs decoder without that signedness
>> change. Until I'm presented an exploit that demonstrates this issue, I'm
>> going to assume that CVE-2011-3362 is fixed by the same patch that fixed
>> CVE-2011-3973.
>
> Shouldn't it be safe to still fix the signed-ness?

Feel free to propose such a patch. I've tried to come up with a proper
explanation what the signed change is going to fix, but I failed.  If
only there existed a sample exploit that showed that libav 0.5.5 is
still vulnerable…

>> Now for CVE-2011-3504, which concerns an allocation error in the
>> matroska decoder. I strongly believe that this has been fixed by this
>> commit:
>> http://git.libav.org/?p=libav.git;a=commitdiff;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec
>> 
>> Unlike the CVE Report, the commit message refers to MSVR-11-0080, which
>> does not seem to exist in bing at all. I currently assume that the CVE
>> is right and the commit message (which was imported from FFmpeg without
>> further checking) should have referenced MSVR11-011 instead.
>> 
>> In any case, I've just backported both patches to the 0.5 branch:
>> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.5
>
> Thanks.

Released 0.5.5 & updated the branch now.

>> Feedback and tests welcome.
>> 
>> If nobody disagrees and nothing else pops up until let's say Friday,
>> I'm going to roll 0.5.5 tarballs.
>> 
>> Does this work for everyone?
>> 
> Works for me at least, notwithstanding the 3362 fix.

Moritz seems to be OK with this:

On Do, Nov 03, 2011 at 22:30:11 (CET), Moritz Muehlenhoff wrote:

[...]

> The rest sounds good to me.


I'm going to upload 0.5.5-1 to stable-security later today, unless
someone objects. (it needs to be approved manually anyways)

Cheers,
Reinhard.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4