Just to update the bug for others scanning the RC bug list...

https://security-tracker.debian.org/tracker/CVE-2014-8545 - libav <not-affected> (Vulnerable code not present)

CVE-2014-8545[5]:
| libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the
| monochrome-black format without verifying that the bits-per-pixel
| value is 1, which allows remote attackers to cause a denial of service
| (out-of-bounds access) or possibly have unspecified other impact via
| crafted PNG data.

So this one can be discounted from the list.

Other patches exist as upstream commits linked from the security tracker:

CVE-2014-8541, CVE-2014-8542, CVE-2014-8543, CVE-2014-8547, CVE-2014-8548, CVE-2014-8549

https://git.libav.org/?p=libav.git;a=patch;h=809c3023b699c54c90511913d3b6140dd2436550
https://git.libav.org/?p=libav.git;a=patch;h=88626e5af8d006e67189bf10b96b982502a7e8ad
https://git.libav.org/?p=libav.git;a=patch;h=17ba719d9ba30c970f65747f42d5fbb1e447ca28
https://git.libav.org/?p=libav.git;a=patch;h=0b39ac6f54505a538c21fe49a626de94c518c903
https://git.libav.org/?p=libav.git;a=patch;h=d423dd72be451462c6fb1cbbe313bed0194001ab
https://git.libav.org/?p=libav.git;a=patch;h=cee4490b521fd0d02476d46aa2598af24fb8d686

Five CVEs therefore remain without upstream patches in libav:

https://security-tracker.debian.org/tracker/CVE-2014-8544
https://security-tracker.debian.org/tracker/CVE-2014-8546
https://security-tracker.debian.org/tracker/CVE-2014-9316
https://security-tracker.debian.org/tracker/CVE-2014-9318
https://security-tracker.debian.org/tracker/CVE-2014-9319

Each of these has fixes upstream in ffmpeg but it'll need someone with more familiarity with the mpeg source code than me to investigate whether the fixes in ffmpeg can become fixes in libav.

--
Neil Williams
=============
http://www.linux.codehelp.co.uk/
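The CVE-2014-8545 text above describes a decoder that picked the 1-bit monochrome path on bit_depth alone without checking that bits-per-pixel is 1. As an added example (not libav, FFmpeg or Debian code), the following hypothetical IHDR validator shows the defensive form of that check: it derives bits_per_pixel from bit_depth and the colour type's channel count, rejects depth/colour-type pairs the PNG spec does not define, and only admits the monochrome path when the whole pixel is one bit. Function and type names are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not libav or FFmpeg code: a strict IHDR validator that derives
 * bits_per_pixel from bit_depth and channel count before any 1-bit fast path. */
enum { PNG_GRAY = 0, PNG_RGB = 2, PNG_PALETTE = 3, PNG_GRAY_ALPHA = 4, PNG_RGBA = 6 };

struct png_ihdr {
    uint32_t width, height;
    uint8_t bit_depth, color_type;
    int bits_per_pixel; /* derived: bit_depth * channels, the value the CVE text refers to */
};

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Channel count and permitted bit depths per colour type, from the PNG IHDR table. */
static int png_channels(uint8_t ct) {
    switch (ct) {
    case PNG_GRAY: case PNG_PALETTE: return 1;
    case PNG_GRAY_ALPHA: return 2;
    case PNG_RGB: return 3;
    case PNG_RGBA: return 4;
    default: return 0; /* undefined colour type */
    }
}
static int png_depth_ok(uint8_t ct, uint8_t d) {
    if (ct == PNG_GRAY)    return d == 1 || d == 2 || d == 4 || d == 8 || d == 16;
    if (ct == PNG_PALETTE) return d == 1 || d == 2 || d == 4 || d == 8;
    return png_channels(ct) != 0 && (d == 8 || d == 16);
}

/* Parse signature + IHDR chunk (33 bytes; CRC not checked here). 0 = ok, -1 = reject. */
int png_parse_ihdr(const uint8_t *buf, size_t len, struct png_ihdr *o) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
    if (len < 33 || memcmp(buf, sig, 8) != 0) return -1;
    if (rd32be(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return -1;
    o->width = rd32be(buf + 16); o->height = rd32be(buf + 20);
    o->bit_depth = buf[24];      o->color_type = buf[25];
    if (o->width == 0 || o->height == 0 || !png_depth_ok(o->color_type, o->bit_depth))
        return -1; /* reject depth/colour-type pairs the spec does not define */
    o->bits_per_pixel = o->bit_depth * png_channels(o->color_type);
    return 0;
}

/* The 1-bit monochrome path is only safe when the whole pixel is one bit: check
 * bits_per_pixel == 1, not merely bit_depth == 1 (the check CVE-2014-8545 says was missing). */
int png_is_monoblack(const struct png_ihdr *h) {
    return h->color_type == PNG_GRAY && h->bits_per_pixel == 1;
}
```

With strict IHDR validation in front, a header claiming bit_depth 1 with a multi-channel colour type never reaches the pixel-format selection at all.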