Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
Hi,
On Fri, Jun 27, 2014 at 07:30:11PM +0200, Andreas Cadhalpun wrote:
> I'd like to inform you that ffmpeg 0.5.10-1 in squeeze is vulnerable
> to CVE-2014-4610 [1].
> The fix [2] should be easily backportable.
Thanks for taking the time to send this info through.
This bug has been marked as "wontfix" for squeeze; the rationale provided
was "end-of-life; Backports to 0.5.x not useful, too many checks missing".
I'm not an expert in all things ffmpeg, and I wasn't the one who added that
note; I've Cc'd the person who added that notation to provide further
rationale if you need it.
--
Matt Palmer, Debian Developer
mpalmer@debian.org
Reply to: