Bug#703200: libav: CVE-2013-0894 CVE-2013-2277 CVE-2013-2495 CVE-2013-2496

Reinhard Tartler siretart at gmail.com
Sun Mar 17 09:21:19 UTC 2013


On Sat, Mar 16, 2013 at 9:09 PM, Michael Gilbert <mgilbert at debian.org> wrote:
> package: src:libav
> severity: grave
> version: 6:0.8.5-1
>
> Hi, the following vulnerabilities were published for libav.  These are
> currently unfixed in 0.8.5-1.
>
> CVE-2013-0894[0]:
> | Buffer overflow in the vorbis_parse_setup_hdr_floors function in the
> | Vorbis decoder in vorbisdec.c in libavcodec in FFmpeg through 1.1.3,
> | as used in Google Chrome before 25.0.1364.97 on Windows and Linux and
> | before 25.0.1364.99 on Mac OS X and other products, allows remote
> | attackers to cause a denial of service (divide-by-zero error or
> | out-of-bounds array access) or possibly have unspecified other impact
> | via vectors involving a zero value for a bark map size.

Scheduled for 0.8.6, commit v0.8.5-12-ge050af9

> CVE-2013-2277[1]:
> | The ff_h264_decode_seq_parameter_set function in h264_ps.c in
> | libavcodec in FFmpeg before 1.1.3 does not validate the relationship
> | between luma depth and chroma depth, which allows remote attackers to
> | cause a denial of service (out-of-bounds array access and application
> | crash) or possibly have unspecified other impact via crafted H.264
> | data.
>

Scheduled for 0.8.6, commit v0.8.5-19-g9e48d77

> CVE-2013-2495[2]:
> | The iff_read_header function in iff.c in libavformat in FFmpeg through
> | 1.1.3 does not properly handle data sizes for Interchange File Format
> | (IFF) data during operations involving a CMAP chunk or a video codec,
> | which allows remote attackers to cause a denial of service (integer
> | overflow, out-of-bounds array access, and application crash) or
> | possibly have unspecified other impact via a crafted header.

Patch proposed: http://patches.libav.org/patch/36075/

We are currently discussing this issue; we are unsure if the fix from
FFmpeg is correct.

> CVE-2013-2496[3]:
> | The msrle_decode_8_16_24_32 function in msrledec.c in libavcodec in
> | FFmpeg through 1.1.3 does not properly determine certain end pointers,
> | which allows remote attackers to cause a denial of service
> | (out-of-bounds array access and application crash) or possibly have
> | unspecified other impact via crafted Microsoft RLE data.

Scheduled for 0.8.6, commit v0.8.5-38-g4160398

> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Will do.

As for the timeline, I actually intended to release 0.8.6 this
weekend, but since you have raised these four issues, I'm considering
delaying the release for another week to allow further testing, esp.
given that one of the issues did not even land in master yet.

Thanks for raising these security issues.

-- 
regards,
    Reinhard
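Added example for readers of this thread, not code from libav, FFmpeg or the proposed patch: the CVE-2013-2495 description above talks about an "integer overflow, out-of-bounds array access" from the data size of an IFF CMAP chunk. The constructed C below shows the general bug class in a toy chunk parser, with a naive size check that wraps beside a check that cannot overflow. The functions `naive_fits`, `safe_fits`, `parse_cmap` and the sample byte strings are hypothetical and were constructed for this illustration; they make no claim about how iff.c itself was written or fixed.

```c
/* Added example (not libav/FFmpeg code): the size-check bug class behind an
 * IFF-style chunk parser. All names and input bytes here are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Naive check: pos + size <= len computed in 32 bits wraps around when an
 * attacker-controlled size is close to UINT32_MAX, so a huge chunk "fits". */
int naive_fits(uint32_t pos, uint32_t size, uint32_t len)
{
    return (uint32_t)(pos + size) <= len;
}

/* Hardened check: never add the untrusted size to anything; compare it
 * against the space that remains instead. This cannot overflow. */
int safe_fits(size_t pos, size_t size, size_t len)
{
    return pos <= len && size <= len - pos;
}

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one "CMAP" chunk (4-byte id, big-endian 32-bit size, RGB triples)
 * starting at buf[pos] into palette. Returns the number of palette entries
 * copied, or -1 if the chunk is malformed or does not fit in the buffer. */
int parse_cmap(const uint8_t *buf, size_t len, size_t pos, uint8_t palette[256][3])
{
    if (!safe_fits(pos, 8, len))                 /* id + size field must fit */
        return -1;
    if (memcmp(buf + pos, "CMAP", 4) != 0)
        return -1;
    uint32_t size = rd_be32(buf + pos + 4);      /* untrusted, from the file */
    if (!safe_fits(pos + 8, size, len))          /* payload must fit too */
        return -1;
    if (size % 3 != 0 || size / 3 > 256)         /* bound the palette itself */
        return -1;
    memcpy(palette, buf + pos + 8, size);
    return (int)(size / 3);
}

/* Constructed sample input: a valid 2-entry CMAP, and a CMAP whose size
 * field is 0xFFFFFFFF but which carries only three payload bytes. */
static const uint8_t good_cmap[] = { 'C','M','A','P', 0,0,0,6, 0xFF,0,0, 0,0xFF,0 };
static const uint8_t evil_cmap[] = { 'C','M','A','P', 0xFF,0xFF,0xFF,0xFF, 1,2,3 };

/* Parses good_cmap; returns the entry count if the palette bytes landed
 * where expected, -2 otherwise. */
int demo_good(void)
{
    uint8_t pal[256][3];
    memset(pal, 0, sizeof pal);
    int n = parse_cmap(good_cmap, sizeof good_cmap, 0, pal);
    if (pal[0][0] != 0xFF || pal[1][1] != 0xFF)
        return -2;
    return n;
}

/* Parses evil_cmap; the hardened parser must reject it with -1. */
int demo_evil(void)
{
    uint8_t pal[256][3];
    return parse_cmap(evil_cmap, sizeof evil_cmap, 0, pal);
}

int main(void)
{
    printf("naive_fits(8, 0xFFFFFFF8, 16) = %d (wraps, accepts)\n",
           naive_fits(8, 0xFFFFFFF8u, 16));
    printf("safe_fits(8, 0xFFFFFFF8, 16)  = %d (rejects)\n",
           safe_fits(8, 0xFFFFFFF8u, 16));
    printf("good CMAP entries = %d, evil CMAP result = %d\n",
           demo_good(), demo_evil());
    return 0;
}
```

The point a reviewer checks in any chunk parser is that the untrusted size is compared against the remaining length rather than added to a position or pointer, and that the resulting count is bounded by the destination (here 256 palette entries) before the copy.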
