2015-05-16 15:31 GMT+02:00 Sebastian Ramacher <sramac...@debian.org>:
> On 2015-05-16 15:28:44, Arne Wichmann wrote:
>> begin quotation from Sebastian Ramacher (in <20150516130757.ga21...@ramacher.at>):
>> > On 2015-05-15 15:22:28, Alessandro Ghedini wrote:
>> > > On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote:
>> > > > Version: 6:11.3-1
>> > > >
>> > > > On 2015-05-14 20:41:15, Arne Wichmann wrote:
>> > > > > Package: libavcodec56
>> > > > > Version: 6:11.3-2
>> > > > > Severity: grave
>> > > > > Tags: security
>> > > > > Justification: user security hole
>> > > > >
>> > > > > Hi, as far as I can see this has not yet been reported or fixed:
>> > > > >
>> > > > > CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in
>> > > > > FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow
>> > > > > remote attackers to cause a denial of service (use-after-free) or possibly
>> > > > > have unspecified other impact via crafted Vorbis I data [1]
>> > > > >
>> > > > > I marked this as grave as the impact is unclear and might include arbitrary
>> > > > > code execution. Feel free to downgrade if this can be ruled out.
>> > > > >
>> > > > > (Actually I would like to have a look at the test case to check a bit more
>> > > > > thoroughly, but AFAICS I would need to talk to Google for this.)
>> > > > >
>> > > > > [1] https://security-tracker.debian.org/tracker/CVE-2014-7937
>> > > > >     https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html
>> > > >
>> > > > A similar commit to the one maintained in this mailing list post was applied to
>> > > > 11.3. So closing with that version.
>> > >
>> > > Do you mean the patch at [0]? Honestly it doesn't look like the ffmpeg patch at
>> > > all, and the commit message doesn't even mention the bug fix. How can you be so
>> > > sure that the bug is fixed?
>> >
>> > I might have read the commit wrong. Do you have a sample for this CVE?
>>
>> There is one referenced in various messages relating to CVE-2014-7937:
>> asan_heap-uaf_18dac2b_9_asan_heap-uaf_22eb375_208_beta3_test_small.ogg
>> unfortunately it is not publicly available AFAICS. You might ask upstream
>> about it.
>
> I did. libav developers do not seem to have it. So please provide a sample.
Why don't you/they ask FFmpeg upstream directly?

Cheers,
Balint

