Bug#785326: libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in libavcodec/vorbisdec.c
Alessandro Ghedini
ghedo at debian.org
Sat May 16 13:43:37 UTC 2015
On Sat, May 16, 2015 at 03:07:57PM +0200, Sebastian Ramacher wrote:
> On 2015-05-15 15:22:28, Alessandro Ghedini wrote:
> > On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote:
> > > Version: 6:11.3-1
> > >
> > > On 2015-05-14 20:41:15, Arne Wichmann wrote:
> > > > Package: libavcodec56
> > > > Version: 6:11.3-2
> > > > Severity: grave
> > > > Tags: security
> > > > Justification: user security hole
> > > >
> > > > Hi, as far as I can see this has not yet been reported or fixed:
> > > >
> > > > CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in
> > > > FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow
> > > > remote attackers to cause a denial of service (use-after-free) or possibly
> > > > have unspecified other impact via crafted Vorbis I data [1]
> > > >
> > > > I marked this as grave as the impact is unclear and might include arbitrary
> > > > code execution. Feel free do downgrade if this can be ruled out.
> > > >
> > > > (Actually I would like to have a look at the test case to check a bit more
> > > > thoroughly, but AFAICS I would need to talk to google for this.)
> > > >
> > > > [1] https://security-tracker.debian.org/tracker/CVE-2014-7937
> > > > https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html
> > >
> > > A similar commit to the one maintained in this mailing list post was applied to
> > > 11.3. So closing with that version.
> >
> > Do you mean the patch at [0]? Honestly it doesn't look like the ffmpeg patch at
> > all, and the commit message doesn't even mention the bug fix. How can you be so
> > sure that the bug is fixed?
>
> I might have read the commit wrong. Do you have a sample for this CVE?
Unfortunately the reproducer isn't public. I contacted ffmpeg-security about
it, I'll keep you posted.
Cheers
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20150516/51091326/attachment-0001.sig>
More information about the pkg-multimedia-maintainers
mailing list