Your message dated Sat, 02 May 2009 19:54:23 +0000
with message-id <[email protected]>
and subject line Bug#524799: fixed in ffmpeg 0.cvs20060823-8+etch1
has caused the Debian Bug report #524799,
regarding ffmpeg-debian: CVE-2009-0385 integer signedness error
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
524799: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524799
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: ffmpeg-debian
severity: important
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for ffmpeg-debian.
CVE-2009-0385[0]:
| Integer signedness error in the fourxm_read_header function in
| libavformat/4xm.c in FFmpeg before revision 16846 allows remote
| attackers to execute arbitrary code via a malformed 4X movie file with
| a large current_track value, which triggers a NULL pointer
| dereference.
See fedora security announcement for more details [1].
Please coordinate with the security team to prepare updated packages
for the stable releases.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0385
http://security-tracker.debian.net/tracker/CVE-2009-0385
[1] http://lwn.net/Articles/328039/
--- End Message ---
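The bug class described in the CVE text above, as an added example that is not FFmpeg's 4xm.c and not part of the original report: a track record carries a 32-bit little-endian track index; reading it into a signed int and checking only "is the table big enough" lets a value with the top bit set become a negative index (and a huge positive one become an oversized realloc whose failure path is then dereferenced). The record layout, field offsets, `MAX_TRACKS`, and the function and type names are assumptions for this demo, not the real 4X movie format or FFmpeg's code.

```c
/* Added example (not FFmpeg code): signed-index validation bug next to a
 * hardened version. Layout assumed for the demo: 8 bytes tag/size, then
 * LE32 current_track, LE32 sample_rate, LE32 channels. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKS 64            /* hypothetical sanity limit, not from any spec */

typedef struct { uint32_t sample_rate; uint32_t channels; } AudioTrack;

typedef struct {
    AudioTrack *tracks;
    int track_count;             /* signed, as in the old code pattern */
} Demuxer;

/* status 0: parser goes on to write tracks[index]; -1: record rejected.
 * The vulnerable path does not perform the write (so this demo stays
 * memory-safe); index shows where the write would have landed. */
typedef struct { int status; long index; } Outcome;

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Vulnerable pattern: signed index, only the "grow the table" direction is
 * checked. 0xFFFFFFFF reads as -1, never triggers growth, and the caller's
 * tracks[current_track] write lands before the buffer. */
static Outcome read_track_vulnerable(Demuxer *d, const uint8_t *rec)
{
    int current_track = (int)get_le32(rec + 8);
    Outcome o = { 0, current_track };
    if (current_track + 1 > d->track_count) {
        AudioTrack *t = realloc(d->tracks, (size_t)(current_track + 1) * sizeof *t);
        if (!t) { o.status = -1; return o; }   /* a missing check here is a NULL deref */
        d->tracks = t;
        d->track_count = current_track + 1;
    }
    return o;   /* caller: d->tracks[current_track] = ... */
}

/* Hardened: keep the field unsigned and reject both negative-looking and
 * oversized values with one comparison before any allocation or write. */
static Outcome read_track_hardened(Demuxer *d, const uint8_t *rec)
{
    uint32_t current_track = get_le32(rec + 8);
    Outcome o = { 0, (long)current_track };
    if (current_track >= MAX_TRACKS) { o.status = -1; return o; }
    if ((int)current_track + 1 > d->track_count) {
        AudioTrack *t = realloc(d->tracks, (current_track + 1) * sizeof *t);
        if (!t) { o.status = -1; return o; }
        memset(t + d->track_count, 0, (current_track + 1 - d->track_count) * sizeof *t);
        d->tracks = t;
        d->track_count = (int)current_track + 1;
    }
    d->tracks[current_track].sample_rate = get_le32(rec + 12);
    d->tracks[current_track].channels = get_le32(rec + 16);
    return o;
}

/* Constructed sample record (not captured from a real file). */
static void make_record(uint8_t rec[20], uint32_t track, uint32_t rate, uint32_t ch)
{
    memset(rec, 0, 20);
    put_le32(rec + 8, track); put_le32(rec + 12, rate); put_le32(rec + 16, ch);
}

/* Run one record through either parser on a fresh demuxer. */
static Outcome run_one(int hardened, uint32_t track_field)
{
    uint8_t rec[20];
    Demuxer d = { NULL, 0 };
    make_record(rec, track_field, 22050, 2);
    Outcome o = hardened ? read_track_hardened(&d, rec) : read_track_vulnerable(&d, rec);
    free(d.tracks);
    return o;
}

int main(void)
{
    uint32_t inputs[] = { 2, 0xFFFFFFFFu, 0x80000000u };
    for (size_t i = 0; i < 3; i++) {
        Outcome v = run_one(0, inputs[i]), h = run_one(1, inputs[i]);
        printf("track=0x%08x vulnerable: status=%d index=%ld | hardened: status=%d\n",
               inputs[i], v.status, v.index, h.status);
    }
    return 0;
}
```

The point to take from the two functions is the shape of the check, not the record format: compare the untrusted value as the unsigned type it was read as, against an explicit upper limit, before it is used either as an allocation size or as an index, and treat allocation failure as a parse error rather than falling through to the write.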
--- Begin Message ---
Source: ffmpeg
Source-Version: 0.cvs20060823-8+etch1
We believe that the bug you reported is fixed in the latest version of
ffmpeg, which is due to be installed in the Debian FTP archive:
ffmpeg_0.cvs20060823-8+etch1.diff.gz
to pool/main/f/ffmpeg/ffmpeg_0.cvs20060823-8+etch1.diff.gz
ffmpeg_0.cvs20060823-8+etch1.dsc
to pool/main/f/ffmpeg/ffmpeg_0.cvs20060823-8+etch1.dsc
ffmpeg_0.cvs20060823-8+etch1_i386.deb
to pool/main/f/ffmpeg/ffmpeg_0.cvs20060823-8+etch1_i386.deb
libavcodec-dev_0.cvs20060823-8+etch1_i386.deb
to pool/main/f/ffmpeg/libavcodec-dev_0.cvs20060823-8+etch1_i386.deb
libavcodec0d_0.cvs20060823-8+etch1_i386.deb
to pool/main/f/ffmpeg/libavcodec0d_0.cvs20060823-8+etch1_i386.deb
libavformat-dev_0.cvs20060823-8+etch1_i386.deb
to pool/main/f/ffmpeg/libavformat-dev_0.cvs20060823-8+etch1_i386.deb
libavformat0d_0.cvs20060823-8+etch1_i386.deb
to pool/main/f/ffmpeg/libavformat0d_0.cvs20060823-8+etch1_i386.deb
libpostproc-dev_0.cvs20060823-8+etch1_i386.deb
to pool/main/f/ffmpeg/libpostproc-dev_0.cvs20060823-8+etch1_i386.deb
libpostproc0d_0.cvs20060823-8+etch1_i386.deb
to pool/main/f/ffmpeg/libpostproc0d_0.cvs20060823-8+etch1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <[email protected]> (supplier of updated ffmpeg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 26 Apr 2009 11:19:49 +0000
Source: ffmpeg
Binary: libavformat-dev libavformat0d ffmpeg libavcodec-dev libpostproc0d libpostproc-dev libavcodec0d
Architecture: source i386
Version: 0.cvs20060823-8+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <[email protected]>
Changed-By: Steffen Joeris <[email protected]>
Description:
ffmpeg - multimedia player, server and encoder
libavcodec-dev - development files for libavcodec
libavcodec0d - ffmpeg codec library
libavformat-dev - development files for libavformat
libavformat0d - ffmpeg file format library
libpostproc-dev - development files for libpostproc
libpostproc0d - ffmpeg video postprocessing library
Closes: 489965 524799
Changes:
ffmpeg (0.cvs20060823-8+etch1) oldstable-security; urgency=high
.
* Non-maintainer upload by the security team
* Fix integer signedness error in libavformat/4xm.c (Closes: #524799)
Fixes: CVE-2009-0385
* Fix buffer overflow in libavformat/psxstr.c (Closes: #489965)
Fixes: CVE-2008-3162
Files:
9ec2715aea4be5b91b1ed1e694d71e72 1271 libs optional ffmpeg_0.cvs20060823-8+etch1.dsc
12e2e5d9e46ebfd08851b05665ecce25 2309921 libs optional ffmpeg_0.cvs20060823.orig.tar.gz
acab6c61a1f82caa6e44da962f40db41 37279 libs optional ffmpeg_0.cvs20060823-8+etch1.diff.gz
9d62aa8fb06c00a61d5db5e03c4e02b6 182312 graphics optional ffmpeg_0.cvs20060823-8+etch1_i386.deb
8843e529305e25fd5977562d319ad12e 1528278 libs optional libavcodec0d_0.cvs20060823-8+etch1_i386.deb
c47391aec564ebc180adca1513828074 37560 libs optional libpostproc0d_0.cvs20060823-8+etch1_i386.deb
f731a6c8377ee91feab474f4d5aaa8e8 286526 libs optional libavformat0d_0.cvs20060823-8+etch1_i386.deb
e232e7971b6a1ce0a25c5b5c5535a2cd 1582552 libdevel optional libavcodec-dev_0.cvs20060823-8+etch1_i386.deb
72ed15718afa2d3903fc38d4e4959276 37934 libdevel optional libpostproc-dev_0.cvs20060823-8+etch1_i386.deb
131f13f9e09a437f6db3375c07756f2d 329760 libdevel optional libavformat-dev_0.cvs20060823-8+etch1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkn0kQsACgkQ62zWxYk/rQfveQCfVXU01eh9PW3U1CyKZzAqsE35
pWsAnRXRE8N5c4k0sPOrVJMzLc2qVb0s
=TFvm
-----END PGP SIGNATURE-----
--- End Message ---