Bug#785326: libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in libavcodec/vorbisdec.c
Bálint Réczey
balint at balintreczey.hu
Sat May 16 14:28:51 UTC 2015
2015-05-16 15:31 GMT+02:00 Sebastian Ramacher <sramacher at debian.org>:
> On 2015-05-16 15:28:44, Arne Wichmann wrote:
>> begin quotation from Sebastian Ramacher (in <20150516130757.GA21093 at ramacher.at>):
>> > On 2015-05-15 15:22:28, Alessandro Ghedini wrote:
>> > > On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote:
>> > > > Version: 6:11.3-1
>> > > >
>> > > > On 2015-05-14 20:41:15, Arne Wichmann wrote:
>> > > > > Package: libavcodec56
>> > > > > Version: 6:11.3-2
>> > > > > Severity: grave
>> > > > > Tags: security
>> > > > > Justification: user security hole
>> > > > >
>> > > > > Hi, as far as I can see this has not yet been reported or fixed:
>> > > > >
>> > > > > CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in
>> > > > > FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow
>> > > > > remote attackers to cause a denial of service (use-after-free) or possibly
>> > > > > have unspecified other impact via crafted Vorbis I data [1]
>> > > > >
>> > > > > I marked this as grave as the impact is unclear and might include arbitrary
>> > > > > code execution. Feel free do downgrade if this can be ruled out.
>> > > > >
>> > > > > (Actually I would like to have a look at the test case to check a bit more
>> > > > > thoroughly, but AFAICS I would need to talk to google for this.)
>> > > > >
>> > > > > [1] https://security-tracker.debian.org/tracker/CVE-2014-7937
>> > > > > https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html
>> > > >
>> > > > A similar commit to the one maintained in this mailing list post was applied to
>> > > > 11.3. So closing with that version.
>> > >
>> > > Do you mean the patch at [0]? Honestly it doesn't look like the ffmpeg patch at
>> > > all, and the commit message doesn't even mention the bug fix. How can you be so
>> > > sure that the bug is fixed?
>> >
>> > I might have read the commit wrong. Do you have a sample for this CVE?
>>
>> There is one referenced in various messages relating to CVE-2014-7937:
>> asan_heap-uaf_18dac2b_9_asan_heap-uaf_22eb375_208_beta3_test_small.ogg
>> unfortunately it is not publicly available AFAICS. You might ask upstream
>> about it.
>
> I did. libav developers do not seem to have it. So please provide a sample.
Why don't you/they ask FFmpeg upstream directly?
Cheers,
Balint
More information about the pkg-multimedia-maintainers
mailing list