On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote: > Version: 6:11.3-1 > > On 2015-05-14 20:41:15, Arne Wichmann wrote: > > Package: libavcodec56 > > Version: 6:11.3-2 > > Severity: grave > > Tags: security > > Justification: user security hole > > > > Hi, as far as I can see this has not yet been reported or fixed: > > > > CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in > > FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow > > remote attackers to cause a denial of service (use-after-free) or possibly > > have unspecified other impact via crafted Vorbis I data [1] > > > > I marked this as grave as the impact is unclear and might include arbitrary > > code execution. Feel free do downgrade if this can be ruled out. > > > > (Actually I would like to have a look at the test case to check a bit more > > thoroughly, but AFAICS I would need to talk to google for this.) > > > > [1] https://security-tracker.debian.org/tracker/CVE-2014-7937 > > https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html > > A similar commit to the one maintained in this mailing list post was applied > to > 11.3. So closing with that version.
Do you mean the patch at [0]? Honestly it doesn't look like the ffmpeg patch at all, and the commit message doesn't even mention the bug fix. How can you be so sure that the bug is fixed? Cheers [0] https://github.com/libav/libav/commit/0025f7408a0fab2cab4a950064e4784a67463994
signature.asc
Description: Digital signature
