Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation

To: debian-lts@lists.debian.org
Cc: jmm@debian.org
Subject: Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
From: Matt Palmer <mpalmer@debian.org>
Date: Tue, 1 Jul 2014 10:01:35 +1000
Message-id: <[🔎] 20140701000135.GU15303@hezmatt.org>
In-reply-to: <53ADAA23.5050306@googlemail.com>
References: <53ADAA23.5050306@googlemail.com>

Hi,

On Fri, Jun 27, 2014 at 07:30:11PM +0200, Andreas Cadhalpun wrote:
> I'd like to inform you that ffmpeg 0.5.10-1 in squeeze is vulnerable
> to CVE-2014-4610 [1].
> The fix [2] should be easily backportable.

Thanks for taking the time to send this info through.

This bug has been marked as "wontfix" for squeeze; the rationale provided
was "end-of-life; Backports to 0.5.x not useful, too many checks missing". 
I'm not an expert in all things ffmpeg, and I wasn't the one who added that
note; I've Cc'd the person who added that notation to provide further
rationale if you need it.

-- 
Matt Palmer, Debian Developer
mpalmer@debian.org

Reply to:

Follow-Ups:
- Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Next by Date: Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
Next by thread: Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
Index(es):
- Date
- Thread