Bug#893544: mp4v2: CVE-2018-7339

2018-03-19 Thread Salvatore Bonaccorso
Source: mp4v2 Version: 2.0.0~dfsg0-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for mp4v2. CVE-2018-7339[0]: | The MP4Atom class in mp4atom.cpp in MP4v2 through 2.0.0 mishandles | Entry Number validation for the MP4 Table Property, which allows

Bug#892526: gpac: CVE-2018-7752: Stack buffer overflow in av_parsers.c

2018-03-10 Thread Salvatore Bonaccorso
Source: gpac Version: 0.5.2-426-gc5ad4e4+dfsg5-3 Severity: important Tags: patch security upstream Forwarded: https://github.com/gpac/gpac/issues/997 Hi, the following vulnerability was published for gpac. CVE-2018-7752[0]: | GPAC through 0.7.1 has a Buffer Overflow in the gf_media_avc_read_sps

Bug#889915: libfaad2 in Wheezy contains patches for some security bugs. They were not backported to Jessie.

2018-02-09 Thread Salvatore Bonaccorso
Hi Fabian, On Fri, Feb 09, 2018 at 08:26:10AM +0100, Fabian Greffrath wrote: > tags 889915 +security +jessie > thanks > > Forwarding this to the security team. The current issues which were fixed in DLA-1077-1 are all no-dsa, so they did not warrant a DSA via security.d.o. Can you fix those

Bug#888654: mpv: CVE-2018-6360

2018-01-28 Thread Salvatore Bonaccorso
Source: mpv Version: 0.23.0-1 Severity: grave Tags: security upstream Forwarded: https://github.com/mpv-player/mpv/issues/5456 Hi, the following vulnerability was published for mpv. CVE-2018-6360[0]: | mpv through 0.28.0 allows remote attackers to execute arbitrary code | via a crafted web

Re: ffmpeg 3.2.10 update

2018-01-27 Thread Salvatore Bonaccorso
Hi James, On Sat, Jan 27, 2018 at 10:19:19AM +, James Cowgill wrote: > Hi, > > On 26/01/18 17:53, Moritz Mühlenhoff wrote: > > On Fri, Jan 26, 2018 at 05:13:54PM +, James Cowgill wrote: > >> Hi, > >> > >> I've pushed ffmpeg 3.2.10 here: > >>

Bug#884735: libsndfile: CVE-2017-17456 CVE-2017-17457

2017-12-18 Thread Salvatore Bonaccorso
Source: libsndfile Version: 1.0.28-4 Severity: important Tags: security upstream Forwarded: https://github.com/erikd/libsndfile/issues/344 Hi, the following vulnerabilities were published for libsndfile. CVE-2017-17456[0]: | The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may

Bug#884232: ffmpeg: CVE-2017-17555

2017-12-12 Thread Salvatore Bonaccorso
Control: reassign -1 src:aubio 0.4.5-1 Hi Carl, On Tue, Dec 12, 2017 at 11:20:42PM +0100, Carl Eugen Hoyos wrote: > This is not a bug in FFmpeg: > aubio initializes libswresample with 2 channels and then passes data > that contains just one channel. > > That can't really work or how

Bug#884232: ffmpeg: CVE-2017-17555

2017-12-12 Thread Salvatore Bonaccorso
Source: ffmpeg Version: 7:3.4-4 Severity: normal Tags: security upstream Control: found -1 7:3.4.1-1 Hi, the following vulnerability was published for ffmpeg. CVE-2017-17555[0]: | The swri_audio_convert function in audioconvert.c in FFmpeg | libswresample through 3.0.101, as used in FFmpeg

Bug#876783: libsndfile: CVE-2017-14634

2017-11-25 Thread Salvatore Bonaccorso
Hi On Mon, Sep 25, 2017 at 10:24:01PM +0200, Salvatore Bonaccorso wrote: > Forwarded: https://github.com/erikd/libsndfile/issues/318 Upstream fix: https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788 Regards, Salvat

Bug#878809: closed by Jaromír Mikeš <mira.mi...@seznam.cz> (Bug#878809: fixed in sox 14.4.2-1)

2017-11-19 Thread Salvatore Bonaccorso
Source: sox Source-Version: 14.4.2-1 Hi Jaromir, On Sun, Nov 19, 2017 at 10:23:01PM +0100, Jaromír Mikeš wrote: > 2017-11-19 21:11 GMT+01:00 Salvatore Bonaccorso <car...@debian.org>: > > > Control: reopen -1 > > Control: found -1 14.4.1-5 > > Control: found -1

Bug#876783: libsndfile: CVE-2017-14634

2017-09-25 Thread Salvatore Bonaccorso
Source: libsndfile Version: 1.0.28-4 Severity: normal Tags: upstream security Forwarded: https://github.com/erikd/libsndfile/issues/318 Control: found -1 1.0.25-9.1 Hi, the following vulnerability was published for libsndfile. CVE-2017-14634[0]: | In libsndfile 1.0.28, a divide-by-zero error

Bug#873718: Fixes for security vulnerabilities on libgig?

2017-08-30 Thread Salvatore Bonaccorso
On Wed, Aug 30, 2017 at 04:34:44PM +0200, Salvatore Bonaccorso wrote: > Hi > > All, but not CVE-2017-12951 are probably fixed already with the > 4.0.0-4 upload to unstable today. Might actually just uncover another problem after the fix. Regard

Bug#873718: Fixes for security vulnerabilities on libgig?

2017-08-30 Thread Salvatore Bonaccorso
Hi All, but not CVE-2017-12951 are probably fixed already with the 4.0.0-4 upload to unstable today. Regards, Salvatore ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org

Bug#871931: libvpx: CVE-2017-0641

2017-08-12 Thread Salvatore Bonaccorso
Hi On Sat, Aug 12, 2017 at 01:52:43PM -0400, Ondrej Novy wrote: > Hi, > > we are already using: > > --size-limit=16384x16384 Yupp, I know that, I added that comment to the tracker. It's not clear to me if we need to limit it quite further. The android approach is to limit it to 4k frames. Mabe

Bug#871931: libvpx: CVE-2017-0641

2017-08-12 Thread Salvatore Bonaccorso
Source: libvpx Version: 1.6.1-3 Severity: important Tags: security upstream Hi, the following vulnerability was published for libvpx. CVE-2017-0641[0]: | A remote denial of service vulnerability in libvpx in Mediaserver | could enable an attacker to use a specially crafted file to cause a |

Bug#870809: lame: CVE-2017-11720: duplicate, already fixed in all versions

2017-08-08 Thread Salvatore Bonaccorso
Control: notfound -1 3.99.5+repack1-7 Control: found -1 3.99.5+repack1-3 Control: fixed -1 3.99.5+repack1-3+deb7u1 Control: fixed -1 3.99.5+repack1-6 Hi On Tue, Aug 08, 2017 at 03:53:35PM -0400, Hugo Lefeuvre wrote: > Hi, > > This bug is a duplicate of #777159, which is already fixed in all

Bug#870856: soundtouch: CVE-2017-9259

2017-08-05 Thread Salvatore Bonaccorso
Source: soundtouch Version: 1.9.2-2 Severity: important Tags: security upstream Hi, the following vulnerability was published for soundtouch. CVE-2017-9259[0]: | The TDStretch::acceptNewOverlapLength function in | source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 allows remote | attackers to

Bug#870857: soundtouch: CVE-2017-9260

2017-08-05 Thread Salvatore Bonaccorso
Source: soundtouch Version: 1.9.2-2 Severity: important Tags: upstream security Hi, the following vulnerability was published for soundtouch. CVE-2017-9260[0]: | The TDStretchSSE::calcCrossCorr function in | source/SoundTouch/sse_optimized.cpp in SoundTouch 1.9.2 allows remote | attackers to

Bug#870854: soundtouch: CVE-2017-9258

2017-08-05 Thread Salvatore Bonaccorso
Source: soundtouch Version: 1.9.2-2 Severity: important Tags: security upstream Hi, the following vulnerability was published for soundtouch. There is as well CVE-2017-9259 and CVE-2017-9260, but since I have not verified if the issues are all common back to jessie, I file individual bugs. OTOH I

Bug#870809: lame: CVE-2017-11720

2017-08-05 Thread Salvatore Bonaccorso
Source: lame Version: 3.99.5+repack1-7 Severity: important Tags: security upstream Forwarded: https://sourceforge.net/p/lame/bugs/460/ Hi, the following vulnerability was published for lame. CVE-2017-11720[0]: | There is a division-by-zero vulnerability in LAME 3.99.5, caused by a | malformed

Bug#870799: mpg123: CVE-2017-9545

2017-08-05 Thread Salvatore Bonaccorso
Source: mpg123 Version: 1.23.8-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for mpg123. CVE-2017-9545[0]: | The next_text function in src/libmpg123/id3.c in mpg123 1.24.0 allows | remote attackers to cause a denial of service (buffer over-read) via

Bug#866860: mpg123: CVE-2017-10683

2017-07-02 Thread Salvatore Bonaccorso
Control: tags -1 + patch On Sun, Jul 02, 2017 at 11:12:36AM +0200, Salvatore Bonaccorso wrote: > Source: mpg123 > Version: 1.25.0-1 > Severity: important > Tags: upstream security > > Hi, > > the following vulnerability was published for mpg123. > > CVE-2017-

Bug#866860: mpg123: CVE-2017-10683

2017-07-02 Thread Salvatore Bonaccorso
Source: mpg123 Version: 1.25.0-1 Severity: important Tags: upstream security Hi, the following vulnerability was published for mpg123. CVE-2017-10683[0]: | In mpg123 1.25.0, there is a heap-based buffer over-read in the | convert_latin1 function in libmpg123/id3.c. A crafted input will lead |

Bug#865909: faac: CVE-2017-9129 CVE-2017-9130

2017-06-25 Thread Salvatore Bonaccorso
Source: faac Version: 1.28+cvs20151130-1 Severity: important Tags: security upstream Hi, the following vulnerabilities were published for faac. CVE-2017-9129[0]: | The wav_open_read function in frontend/input.c in Freeware Advanced | Audio Coder (FAAC) 1.28 allows remote attackers to cause a

Bug#863230: kodi: malicious subtitle zip files vulnerability

2017-05-24 Thread Salvatore Bonaccorso
Control: retitle -1 kodi: CVE-2017-8314: malicious subtitle zip files vulnerability Control: tags -1 + upstream security On Wed, May 24, 2017 at 09:35:29AM +0200, Jonatan Nyberg wrote: > Package: kodi > severity: important > > Dear Maintainer, > > Kodi 17.2 have an important fix for the

Bug#857651: Multiple security issues

2017-03-14 Thread Salvatore Bonaccorso
On Mon, Mar 13, 2017 at 07:59:34PM +0100, Moritz Muehlenhoff wrote: > Source: audiofile > Severity: grave > Tags: security > > Hi, > please see these security tracker entries for details, which > have all the links to the reports, github issues and patches: > >

Bug#840338: libass: CVE-2016-7971: large allocation leading to crash

2017-03-04 Thread Salvatore Bonaccorso
Control: notfound -1 0.13.4-1 Hi On Tue, Nov 01, 2016 at 08:13:56PM +0100, Salvatore Bonaccorso wrote: > Control: severity -1 minor > > After feedback from MITRE marked it as unimportant, and lowering the > severity. Reasoning in > http://www.openwall.com/lists/oss-securit

Bug#855225: kodi: CVE-2017-5982: Unrestricted file download

2017-02-15 Thread Salvatore Bonaccorso
Source: kodi Severity: important Tags: upstream security Forwarded: http://trac.kodi.tv/ticket/17314 Hi, the following vulnerability was published for kodi. I did not have the time to verify if 17.0 is affected. Could you please check and add the corresponding found versions to this bug please or

Bug#855099: libquicktime: CVE-2016-2399

2017-02-13 Thread Salvatore Bonaccorso
Source: libquicktime Version: 2:1.2.4-7 Severity: important Tags: security upstream Hi, the following vulnerability was published for libquicktime. CVE-2016-2399[0]: | Integer overflow in the quicktime_read_pascal function in libquicktime | 1.2.4 and earlier allows remote attackers to cause a

Bug#853076: wavpack: CVE-2016-10169 CVE-2016-10170 CVE-2016-10171 CVE-2016-10172

2017-01-29 Thread Salvatore Bonaccorso
Source: wavpack Version: 5.0.0-1 Severity: important Tags: security upstream patch fixed-upstream Hi, the following vulnerabilities were published for wavpack. CVE-2016-10169[0]: global buffer overread in read_code / read_words.c CVE-2016-10170[1]: heap out of bounds read in WriteCaffHeader /

Re: Bug#842093: embedded copies of libupnp

2016-12-10 Thread Salvatore Bonaccorso
Hi Sebastian, On Fri, Dec 09, 2016 at 11:28:53AM +0100, Sebastian Ramacher wrote: > On 2016-12-09 10:16:25, James Cowgill wrote: > > Hi, > > > > On 09/12/16 09:27, Uwe Kleine-König wrote: > > > Hello, > > > > > > there are two source packages (in sid, found via codesearch.d.n) that > > >

Bug#840338: libass: CVE-2016-7971: large allocation leading to crash

2016-11-01 Thread Salvatore Bonaccorso
Control: severity -1 minor After feedback from MITRE marked it as unimportant, and lowering the severity. Reasoning in http://www.openwall.com/lists/oss-security/2016/11/01/10 Regards, Salvatore

Bug#840338: libass: CVE-2016-7971: large allocation leading to crash

2016-10-27 Thread Salvatore Bonaccorso
Hi, On Wed, Oct 26, 2016 at 09:46:57PM +0200, Ola Lundqvist wrote: > Hi > > I had a quick look at libass today regarding CVE-2016-7971. > > When I read the discussion thread about this issue it looks like the > problem is not only disputed upstream, but actually disputed by the person >

Bug#840434: ffmpeg: CVE-2016-7122 CVE-2016-7450 CVE-2016-7502 CVE-2016-7555 CVE-2016-7562 CVE-2016-7785 CVE-2016-7905

2016-10-11 Thread Salvatore Bonaccorso
Source: ffmpeg Version: 7:3.1.3-2 Severity: grave Tags: security upstream patch fixed-upstream Hi, the following vulnerabilities were published for ffmpeg. CVE-2016-7122[0], CVE-2016-7450[1], CVE-2016-7502[2], CVE-2016-7555[3], CVE-2016-7562[4], CVE-2016-7785[5], CVE-2016-7905[6]. The upstream

Bug#840338: libass: CVE-2016-7971: large allocation leading to crash

2016-10-10 Thread Salvatore Bonaccorso
Source: libass Version: 0.13.4-1 Severity: normal Tags: security upstream Hi, the following vulnerability was published for libass. This is to help tracking the issue in the BTS. This CVE is for the issue which remained unfixed in the recent upstream version, and so far has no good solution at

Bug#838960: denial of service with crafted id3v2 tags in all mpg123 versions since 0.60

2016-10-05 Thread Salvatore Bonaccorso
Hi Thomas, On Fri, Sep 30, 2016 at 08:05:14AM +0200, Thomas Orgis wrote: > Am Thu, 29 Sep 2016 01:20:05 +0200 > schrieb Thomas Orgis : > > > Still nothing. I don't expect anything to arrive anymore. Perhaps that > > Google Docs form was a joke anyway. So, please let's

Re: Wheezy update of vlc?

2016-08-21 Thread Salvatore Bonaccorso
Hi, On Sun, May 29, 2016 at 10:10:20PM -0400, Reinhard Tartler wrote: > Also note that https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5108 > doesn't provide any useful information about this issue. Is that issue also > known by a different identifier? MITRE has just not yet updated

Bug#801102: Fix for security issue in audiofile (CVE-2015-7747)?

2016-06-14 Thread Salvatore Bonaccorso
Hi, On Tue, Jun 14, 2016 at 03:00:08PM +0100, James Cowgill wrote: > On Tue, 2016-06-14 at 15:43 +0200, Petter Reinholdtsen wrote: > > [James Cowgill] > > > I can fix it right now in Debian (along with a few other things). Hold > > > on a moment... > > > > Very good. Via the upstream github

Bug#825728: vlc: CVE-2016-5108

2016-05-29 Thread Salvatore Bonaccorso
Source: vlc Version: 2.2.3-1 Severity: important Tags: security upstream patch Hi, the following vulnerability was published for vlc. CVE-2016-5108[0]: crash and potential code execution when processing QuickTime IMA files If you fix the vulnerability please also make sure to include the CVE

Bug#823723: mplayer: CVE-2016-4352: Mplayer/Mencoder integer overflow parsing gif files

2016-05-07 Thread Salvatore Bonaccorso
Source: mplayer Version: 2:1.0~rc4.dfsg1+svn34540-1 Severity: important Tags: security upstream fixed-upstream Forwarded: https://trac.mplayerhq.hu/ticket/2295 Control: found -1 2:1.3.0-1 Hi, the following vulnerability was published for mplayer. CVE-2016-4352[0]: Mplayer/Mencoder integer

Bug#806519: ffmpeg: CVE-2015-8363 CVE-2015-8364 CVE-2015-8365

2015-11-28 Thread Salvatore Bonaccorso
Hi Andreas, On Sat, Nov 28, 2015 at 11:34:57AM +0100, Andreas Cadhalpun wrote: > Control: tag -1 pending > > Hi Salvatore, > > On 28.11.2015 11:28, Salvatore Bonaccorso wrote: > > the following vulnerabilities were published for ffmpeg. > > > > CVE-2015-8363[

Bug#796255: vlc: CVE-2015-5949

2015-08-20 Thread Salvatore Bonaccorso
Source: vlc Version: 2.2.0~rc2-2 Severity: grave Tags: security upstream patch fixed-upstream Justification: user security hole Control: fixed -1 2.2.0~rc2-2+deb8u1 Hi, the following vulnerability was published for vlc. CVE-2015-5949[0]: No description was found (try on a search engine) If you

cloning 786688, reassign -1 to src:kodi, found -1 in 14.2+dfsg1-1, retitle -1 to kodi: CVE-2015-3885

2015-07-13 Thread Salvatore Bonaccorso
clone 786688 -1 reassign -1 src:kodi found -1 14.2+dfsg1-1 retitle -1 kodi: CVE-2015-3885 thanks

Bug#781806: das-watchdog: diff for NMU version 0.9.0-3.1

2015-04-10 Thread Salvatore Bonaccorso
in the handling of the XAUTHORITY env variable +(CVE-2015-2831) (Closes: #781806) + * Remove duplicate check for temp[i] == '\0' in das_watchdog.c + * Fix infinite loop on platforms where char is unsigned + + -- Salvatore Bonaccorso car...@debian.org Fri, 10 Apr 2015 22:19:18 +0200 + das-watchdog

Bug#775866: vlc: multiple vulnerabilities

2015-01-20 Thread Salvatore Bonaccorso
Hi! On Tue, Jan 20, 2015 at 09:47:26PM +0100, Yves-Alexis Perez wrote: CVEs should follow soon. Also, I guess Wheezy and Jessie are affected too, so a DSA might be needed. They were assigned now: http://www.openwall.com/lists/oss-security/2015/01/20/11 Regards, Salvatore

Bug#747428: [xbmc] passwords are stored in plain xml file

2014-05-20 Thread Salvatore Bonaccorso
Hi, CVE-2014-3800 was assigned now for the issue that mode 0644 is used for the file containing the password, see [1]. [1] http://www.openwall.com/lists/oss-security/2014/05/20/5 Regards, Salvatore

Bug#745301: libmms: CVE-2014-2892: heap-based buffer overflow

2014-04-20 Thread Salvatore Bonaccorso
Source: libmms Version: 0.6-1 Severity: grave Tags: security upstream fixed-upstream Hi, the following vulnerability was published for libmms. CVE-2014-2892[0]: heap-based buffer overflow If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures)

Bug#736154: cantata: Information disclosure (no CVE assigned yet)

2014-01-20 Thread Salvatore Bonaccorso
Control: retitle -1 cantata: Information disclosure (CVE-2013-7300 CVE-2013-7301) Hi On Mon, Jan 20, 2014 at 12:34:45PM +0100, Moritz Muehlenhoff wrote: Package: cantata Severity: grave Tags: security Justification: user security hole Hi, the following was reported on oss-security:

Bug#672030: beast: FTBFS: birnetutils.cc:725:44: error: 'access' was not declared in this scope

2012-07-07 Thread Salvatore Bonaccorso
Hi On Thu, Jun 21, 2012 at 09:54:15PM +0100, Steven Chamberlain wrote: # the fix for this seems finalised in VCS tags 672030 + patch I tried to build beast in the current state of the git repository; it succeeds at least at the previous part, but now the package FTBFS later on (build segfaults).

Bug#624666: vlc: security update breaks mp3 support

2011-05-16 Thread Salvatore Bonaccorso
Hi Are there any news on this? Bests Salvatore