-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 begin quotation from Sebastian Ramacher (in <20150516130757.ga21...@ramacher.at>): > On 2015-05-15 15:22:28, Alessandro Ghedini wrote: > > On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote: > > > Version: 6:11.3-1 > > > > > > On 2015-05-14 20:41:15, Arne Wichmann wrote: > > > > Package: libavcodec56 > > > > Version: 6:11.3-2 > > > > Severity: grave > > > > Tags: security > > > > Justification: user security hole > > > > > > > > Hi, as far as I can see this has not yet been reported or fixed: > > > > > > > > CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in > > > > FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow > > > > remote attackers to cause a denial of service (use-after-free) or > > > > possibly > > > > have unspecified other impact via crafted Vorbis I data [1] > > > > > > > > I marked this as grave as the impact is unclear and might include > > > > arbitrary > > > > code execution. Feel free do downgrade if this can be ruled out. > > > > > > > > (Actually I would like to have a look at the test case to check a bit > > > > more > > > > thoroughly, but AFAICS I would need to talk to google for this.) > > > > > > > > [1] https://security-tracker.debian.org/tracker/CVE-2014-7937 > > > > https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html > > > > > > A similar commit to the one maintained in this mailing list post was > > > applied to > > > 11.3. So closing with that version. > > > > Do you mean the patch at [0]? Honestly it doesn't look like the ffmpeg > > patch at > > all, and the commit message doesn't even mention the bug fix. How can you > > be so > > sure that the bug is fixed? > > I might have read the commit wrong. Do you have a sample for this CVE?
There is one referenced in various messages relating to CVE-2014-7937: asan_heap-uaf_18dac2b_9_asan_heap-uaf_22eb375_208_beta3_test_small.ogg unfortunately it is not publicly available AFAICS. You might ask upstream about it. cu AW - -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJVV0YMAAoJEENYfBy4DUs++FAP/j6NA8gP37qu4hHTFK9rKc+3 ddj3sClTKQ3d8aC2xq3+rgxjUo35YiPgY3sdcTb4Sni5rm8acHpo0NdDlkpPdFS4 gR3nx3t0GEAqe55aLzUls6Rq9U9fWwHrhjl+Kbhr6zNR+XtXoDMj12GA3ICcJp7J ucvMZtpbJhaTJwvqsljn7IAvjgdikAdtxiRqPXHbeAAwKYJkU5Bdlu9eB+YtXABF IAHU8Qyc4PaJ4o/kbv+C5IBk8ILqhZPjTNSdljJryJTPBkH/R5P9VFjJs/rcSh8O nB2bUmXcRX/+tw5GFcLvYrpivylCpQPLebp2gQjoAUuj8ARS931pGEiFxThqffP+ 53F+lG/tIXpO53Yn/CpoOkGm0sjgApSRDgCwJsgy2HkUi8CN66mBt03nciEfPvG6 om60Oa0Mj+BoevtiQeaXRgXI/bsKDz57sUuhOlGY6LbfNbAWew90ns+q1CWTDW/8 uAsi8SgKjVKp3lM8f3TR73GIOMVn8lNAgnSyrbVVGke7nHO0AjwdeV/Ld6So6fWG 1ELvZyzkn/BI6V3W29IjcKlo7ncS9bv6CU1z+vToW2FPUitazS3P2cdr069KyKyH bU8hQPkqDp2jwMMk4DDojS5ue8VhFj0yazhMKYJB7KSzjf57qgegjipEvKQlN5HT FFVJBtD94jGVHzspGh0s =lqqu -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org