On Mon, Jan 16, 2017 at 10:30:27PM +0100, Hugo Lefeuvre wrote:
> > I just released libav 0.8.20 with some more fixes, changelog below.
> >
> > Diego
> >
> > version 0.8.20:
> >
> > - mpegvideo: Fix undefined negative shifts in mpeg_motion_internal (Bug-Id:
> >   980, CVE-2016-9820)
> > - mpegvideo: Fix undefined negative shifts in ff_init_block_index (Bug-Id:
> >   980, CVE-2016-9819)
> > - mpeg12dec: move setting first_field to mpeg_field_start() (Bug-ID: 999)
> > - mpeg12dec: avoid signed overflow in bitrate calculation (Bug-Id: 981,
> >   CVE-2016-9822)
> > - mpegvideo_parser: avoid signed overflow in bitrate calculation (Bug-Id:
> >   981, CVE-2016-9821)
> > - h264: Use the right H264Context for struct member comparison
>
> Thanks for your work. I'll have a look at it and upload tomorrow.

Nice.

> Concerning the old CVEs (CVE-2015-6820, etc.), we could maybe ask the
> ffmpeg project for the reproducers? Not sure they will still have them,
> but it doesn't hurt to try.

I'll try to get in contact with the Google people in order to receive
direct access. Doing this through multiple levels of indirection is
quite annoying.

I just noticed that you are listing CVE-2015-5479 and CVE-2015-1872 as
still open for 0.8 on

https://security-tracker.debian.org/tracker/CVE-2015-5479
https://security-tracker.debian.org/tracker/CVE-2015-1872

We fixed this a long time ago with release 0.8.18, you can mark these
as fixed for wheezy and close the CVE entries.

Diego