Bug#785326: libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in libavcodec/vorbisdec.c
On 2015-05-15 15:22:28, Alessandro Ghedini wrote: On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote: Version: 6:11.3-1 On 2015-05-14 20:41:15, Arne Wichmann wrote: Package: libavcodec56 Version: 6:11.3-2 Severity: grave Tags: security Justification: user security hole Hi, as far as I can see this has not yet been reported or fixed: CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data [1] I marked this as grave as the impact is unclear and might include arbitrary code execution. Feel free do downgrade if this can be ruled out. (Actually I would like to have a look at the test case to check a bit more thoroughly, but AFAICS I would need to talk to google for this.) [1] https://security-tracker.debian.org/tracker/CVE-2014-7937 https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html A similar commit to the one maintained in this mailing list post was applied to 11.3. So closing with that version. Do you mean the patch at [0]? Honestly it doesn't look like the ffmpeg patch at all, and the commit message doesn't even mention the bug fix. How can you be so sure that the bug is fixed? I might have read the commit wrong. Do you have a sample for this CVE? Cheers -- Sebastian Ramacher signature.asc Description: Digital signature ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
samplv1 0.6.3-1 MIGRATED to testing
FYI: The status of the samplv1 source package in Debian's testing distribution has changed. Previous version: 0.6.2-1 Current version: 0.6.3-1 -- This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See https://release.debian.org/testing-watch/ for more information. ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Bug#785326: libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in libavcodec/vorbisdec.c
On Sat, May 16, 2015 at 03:07:57PM +0200, Sebastian Ramacher wrote: On 2015-05-15 15:22:28, Alessandro Ghedini wrote: On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote: Version: 6:11.3-1 On 2015-05-14 20:41:15, Arne Wichmann wrote: Package: libavcodec56 Version: 6:11.3-2 Severity: grave Tags: security Justification: user security hole Hi, as far as I can see this has not yet been reported or fixed: CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data [1] I marked this as grave as the impact is unclear and might include arbitrary code execution. Feel free do downgrade if this can be ruled out. (Actually I would like to have a look at the test case to check a bit more thoroughly, but AFAICS I would need to talk to google for this.) [1] https://security-tracker.debian.org/tracker/CVE-2014-7937 https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html A similar commit to the one maintained in this mailing list post was applied to 11.3. So closing with that version. Do you mean the patch at [0]? Honestly it doesn't look like the ffmpeg patch at all, and the commit message doesn't even mention the bug fix. How can you be so sure that the bug is fixed? I might have read the commit wrong. Do you have a sample for this CVE? Unfortunately the reproducer isn't public. I contacted ffmpeg-security about it, I'll keep you posted. Cheers signature.asc Description: Digital signature ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Bug#785326: libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in libavcodec/vorbisdec.c
On 2015-05-16 15:28:44, Arne Wichmann wrote: begin quotation from Sebastian Ramacher (in 20150516130757.ga21...@ramacher.at): On 2015-05-15 15:22:28, Alessandro Ghedini wrote: On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote: Version: 6:11.3-1 On 2015-05-14 20:41:15, Arne Wichmann wrote: Package: libavcodec56 Version: 6:11.3-2 Severity: grave Tags: security Justification: user security hole Hi, as far as I can see this has not yet been reported or fixed: CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data [1] I marked this as grave as the impact is unclear and might include arbitrary code execution. Feel free do downgrade if this can be ruled out. (Actually I would like to have a look at the test case to check a bit more thoroughly, but AFAICS I would need to talk to google for this.) [1] https://security-tracker.debian.org/tracker/CVE-2014-7937 https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html A similar commit to the one maintained in this mailing list post was applied to 11.3. So closing with that version. Do you mean the patch at [0]? Honestly it doesn't look like the ffmpeg patch at all, and the commit message doesn't even mention the bug fix. How can you be so sure that the bug is fixed? I might have read the commit wrong. Do you have a sample for this CVE? There is one referenced in various messages relating to CVE-2014-7937: asan_heap-uaf_18dac2b_9_asan_heap-uaf_22eb375_208_beta3_test_small.ogg unfortunately it is not publicly available AFAICS. You might ask upstream about it. I did. libav developers do not seem to have it. So please provide a sample. Cheers -- Sebastian Ramacher signature.asc Description: Digital signature ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Bug#785326: libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in libavcodec/vorbisdec.c
2015-05-16 15:31 GMT+02:00 Sebastian Ramacher sramac...@debian.org: On 2015-05-16 15:28:44, Arne Wichmann wrote: begin quotation from Sebastian Ramacher (in 20150516130757.ga21...@ramacher.at): On 2015-05-15 15:22:28, Alessandro Ghedini wrote: On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote: Version: 6:11.3-1 On 2015-05-14 20:41:15, Arne Wichmann wrote: Package: libavcodec56 Version: 6:11.3-2 Severity: grave Tags: security Justification: user security hole Hi, as far as I can see this has not yet been reported or fixed: CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data [1] I marked this as grave as the impact is unclear and might include arbitrary code execution. Feel free do downgrade if this can be ruled out. (Actually I would like to have a look at the test case to check a bit more thoroughly, but AFAICS I would need to talk to google for this.) [1] https://security-tracker.debian.org/tracker/CVE-2014-7937 https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html A similar commit to the one maintained in this mailing list post was applied to 11.3. So closing with that version. Do you mean the patch at [0]? Honestly it doesn't look like the ffmpeg patch at all, and the commit message doesn't even mention the bug fix. How can you be so sure that the bug is fixed? I might have read the commit wrong. Do you have a sample for this CVE? There is one referenced in various messages relating to CVE-2014-7937: asan_heap-uaf_18dac2b_9_asan_heap-uaf_22eb375_208_beta3_test_small.ogg unfortunately it is not publicly available AFAICS. You might ask upstream about it. I did. libav developers do not seem to have it. So please provide a sample. Why don't you/they ask FFmpeg upstream directly? Cheers, Balint ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
yoshimi 1.3.4-3 MIGRATED to testing
FYI: The status of the yoshimi source package in Debian's testing distribution has changed. Previous version: 1.2.4-1 Current version: 1.3.4-3 -- This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See https://release.debian.org/testing-watch/ for more information. ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
amsynth 1.5.1-1 MIGRATED to testing
FYI: The status of the amsynth source package in Debian's testing distribution has changed. Previous version: 1.4.2-2 Current version: 1.5.1-1 -- This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See https://release.debian.org/testing-watch/ for more information. ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
drumkv1 0.6.3-1 MIGRATED to testing
FYI: The status of the drumkv1 source package in Debian's testing distribution has changed. Previous version: 0.6.2-1 Current version: 0.6.3-1 -- This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See https://release.debian.org/testing-watch/ for more information. ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Processed: tagging 783838
Processing commands for cont...@bugs.debian.org: tags 783838 + sid stretch Bug #783838 {Done: m...@debian.org (Matteo F. Vescovi)} [src:blender] blender: FTBFS in Jessie Added tag(s) sid and stretch. thanks Stopping processing here. Please contact me if you need assistance. -- 783838: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783838 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Re: Select provider of libav* libraries
Could you please quote ***only the parts*** to which you are replying? Sure. ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Re: Select provider of libav* libraries
2015-05-16 13:52 GMT+02:00 Alessio Treglia ales...@debian.org: ... I wouldn't. And now let's keep the discussion go on and wait for others to share their view. Please propose a deadline for sharing views/casting votes. This would sound stupid in Stretch's release notes: We include Libav in Debian 9.0 because discussing the switch to FFmpeg never ended. Cheers, Balint ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Processing of flowblade_0.18-1_amd64.changes
/flowblade_0.18-1_amd64.changes is already present on target host: -rw-r- 1 110 1281 0 May 16 10:00 flowblade_0.18-1_amd64.changes Either you already uploaded it, or someone else came first. Job flowblade_0.18-1_amd64.changes removed. Greetings, Your Debian queue daemon (running on host coccia.debian.org) ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Re: Select provider of libav* libraries
Hi Andreas, Thank you for a very good overview. On Fri, 15 May 2015 16:55:30 Andreas Cadhalpun wrote: FFmpeg is clearly better at fixing security issues. To take a random example, an out of bounds read in the bink decoder was fixed in FFmpeg three years ago [1], while Libav git master is still vulnerable today. [...] Interestingly Gentoo recently switched to FFmpeg by default [3] after conducting a survey [4]. About 300 people participated in that survey and the outcome was rather clear: 62%[ 189 ]I prefer ffmpeg, and it should be the default. 4% [ 15 ]I prefer libav, and it should be the default. [...] Maybe Moritz can elaborate on this. It seems he already did [11]: I think ffmpeg is doing better in terms of handling security issues; when I contacted Michael Niedermeyer in private we has always quick to reply, while libav-security@ seems understaffed: Several queries in the past needed additional poking, some were left unaddressed until today. Also, the Google fuzzer guys stated that more samples are unfixed in libav compared to ffmpeg. [...] 3: http://thread.gmane.org/gmane.linux.gentoo.devel/95339/focus=95585 4: https://forums.gentoo.org/viewtopic-t-1010096.html 11: https://lists.debian.org/debian-devel/2014/08/msg00060.html After the above I don't need any more evidence to support transition to ffmpeg. There are benefits of reducing differences from other distros who already uses ffmpeg. After all with ffmpeg we will benefit from better upstream support. IMHO if Moritz thinks that ffmpeg is better from security prospective it means that we don't have a case for libav any more. I am now convinced that it will be better for Debian to use ffmpeg. I also found an interesting comparison where mpv upstream shares their assessment of the problem: https://web.archive.org/web/20150115005029/https://github.com/mpv-player/mpv/wiki/FFmpeg-versus-Libav -- Best wishes, Dmitry Smirnov GPG key : 4096R/53968D1B --- It is a mistake to try to look too far ahead. The chain of destiny can only be grasped one link at a time. -- Winston Churchill signature.asc Description: This is a digitally signed message part. ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Bug#785141: (no subject)
As a quick workaround, I deleted the offending entry from the recent files list, which is stored in ~/.local/share/recently-used.xbel (everything between bookmark... and the next /bookmark) - Roland ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers