Your message dated Thu, 29 Jan 2009 08:47:08 +0000
with message-id <[email protected]>
and subject line Bug#498764: fixed in ffmpeg-debian 0.svn20080206-16
has caused the Debian Bug report #498764,
regarding ffmpeg-debian: vulnerable to denial-of-service attack (CVE-2008-3230)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
498764: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498764
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ffmpeg-debian
Version: 0.svn20080206-12
Severity: grave
Tags: security
Justification: user security hole

according to the debian security tracker [1], ffmpeg is known to be
vulnerable to a denial-of-service attack [2].  the description of the
CVE is

  The ffmpeg lavf demuxer allows user-assisted attackers to cause a denial 
  of service (application crash) via a crafted GIF file, possibly related 
  to gstreamer, as demonstrated by lol-giftopnm.gif.

i'm reporting this here to make you aware of the issue, and so the issue
can be tracked as release-critical for etch.  this affects stable, testing, 
and unstable.

thanks for the hard work.

[1] http://security-tracker.debian.net/tracker/CVE-2008-3230
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3230

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-etchnhalf.1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
--- Begin Message ---
Source: ffmpeg-debian
Source-Version: 0.svn20080206-16

We believe that the bug you reported is fixed in the latest version of
ffmpeg-debian, which is due to be installed in the Debian FTP archive:

ffmpeg-dbg_0.svn20080206-16_i386.deb
  to pool/main/f/ffmpeg-debian/ffmpeg-dbg_0.svn20080206-16_i386.deb
ffmpeg-debian_0.svn20080206-16.diff.gz
  to pool/main/f/ffmpeg-debian/ffmpeg-debian_0.svn20080206-16.diff.gz
ffmpeg-debian_0.svn20080206-16.dsc
  to pool/main/f/ffmpeg-debian/ffmpeg-debian_0.svn20080206-16.dsc
ffmpeg-doc_0.svn20080206-16_all.deb
  to pool/main/f/ffmpeg-debian/ffmpeg-doc_0.svn20080206-16_all.deb
ffmpeg_0.svn20080206-16_i386.deb
  to pool/main/f/ffmpeg-debian/ffmpeg_0.svn20080206-16_i386.deb
libavcodec-dev_0.svn20080206-16_i386.deb
  to pool/main/f/ffmpeg-debian/libavcodec-dev_0.svn20080206-16_i386.deb
libavcodec51_0.svn20080206-16_i386.deb
  to pool/main/f/ffmpeg-debian/libavcodec51_0.svn20080206-16_i386.deb
libavdevice-dev_0.svn20080206-16_i386.deb
  to pool/main/f/ffmpeg-debian/libavdevice-dev_0.svn20080206-16_i386.deb
libavdevice52_0.svn20080206-16_i386.deb
  to pool/main/f/ffmpeg-debian/libavdevice52_0.svn20080206-16_i386.deb
libavformat-dev_0.svn20080206-16_i386.deb
  to pool/main/f/ffmpeg-debian/libavformat-dev_0.svn20080206-16_i386.deb
libavformat52_0.svn20080206-16_i386.deb
  to pool/main/f/ffmpeg-debian/libavformat52_0.svn20080206-16_i386.deb
libavutil-dev_0.svn20080206-16_i386.deb
  to pool/main/f/ffmpeg-debian/libavutil-dev_0.svn20080206-16_i386.deb
libavutil49_0.svn20080206-16_i386.deb
  to pool/main/f/ffmpeg-debian/libavutil49_0.svn20080206-16_i386.deb
libpostproc-dev_0.svn20080206-16_i386.deb
  to pool/main/f/ffmpeg-debian/libpostproc-dev_0.svn20080206-16_i386.deb
libpostproc51_0.svn20080206-16_i386.deb
  to pool/main/f/ffmpeg-debian/libpostproc51_0.svn20080206-16_i386.deb
libswscale-dev_0.svn20080206-16_i386.deb
  to pool/main/f/ffmpeg-debian/libswscale-dev_0.svn20080206-16_i386.deb
libswscale0_0.svn20080206-16_i386.deb
  to pool/main/f/ffmpeg-debian/libswscale0_0.svn20080206-16_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated ffmpeg-debian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 20 Jan 2009 00:51:19 +0100
Source: ffmpeg-debian
Binary: ffmpeg ffmpeg-dbg ffmpeg-doc libavutil49 libavcodec51 libavdevice52 libpostproc51 libavformat52 libswscale0 libavutil-dev libavcodec-dev libavdevice-dev libpostproc-dev libavformat-dev libswscale-dev
Architecture: source i386 all
Version: 0.svn20080206-16
Distribution: unstable
Urgency: low
Maintainer: Debian multimedia packages maintainers <[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Description: 
 ffmpeg     - multimedia player, server and encoder
 ffmpeg-dbg - Debug symbols for ffmpeg related packages
 ffmpeg-doc - documentation of the ffmpeg API
 libavcodec-dev - development files for libavcodec
 libavcodec51 - ffmpeg codec library
 libavdevice-dev - development files for libavdevice
 libavdevice52 - ffmpeg device handling library
 libavformat-dev - development files for libavformat
 libavformat52 - ffmpeg file format library
 libavutil-dev - development files for libavutil
 libavutil49 - ffmpeg utility library
 libpostproc-dev - development files for libpostproc
 libpostproc51 - ffmpeg video postprocessing library
 libswscale-dev - development files for libswscale
 libswscale0 - ffmpeg video scaling library
Closes: 498764
Changes: 
 ffmpeg-debian (0.svn20080206-16) unstable; urgency=low
 .
   * bug fix: denial-of-service attack (CVE-2008-3230) Closes: #498764
   * fix remotely exploitable security issue in libavformat/4xm.c.
     Sorry, no CVE for this yet

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Debian Powered!

-----END PGP SIGNATURE-----



--- End Message ---
