hi, http://security-tracker.debian.net/tracker/source-package/ffmpeg claims the following CVE reports to affect ffmpeg in unstable
Bug Description CVE-2008-3162 Stack-based buffer overflow in the str_read_packet function in CVE-2009-0385 Integer signedness error in the fourxm_read_header function in CVE-2008-3162 first is claimed to be fixed in r13993, CVE-2009-0385 in r16846. However, the package in unstable is based on svn revision r17725, and thus should have both fixes already in. As for security status, google found some issues in ffmpeg as part of their chrome project. This is documented at https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240. The main problem here is that the submitter refused to file seperate issues, but prefered to send in a bulk of 73 (!) files. Linked from there is issue1245, for which I think I've extracted a patch. I'd like to experiment with it a bit more to ensure that it is actually valid. For other issues, well, they still need more investigation :-( -- Gruesse/greetings, Reinhard Tartler, KeyID 945348A4 -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
