Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation

To: Matt Palmer <mpalmer@debian.org>
Cc: debian-lts@lists.debian.org
Subject: Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Tue, 1 Jul 2014 16:27:10 +0200
Message-id: <[🔎] 20140701142710.GB9900@inutil.org>
In-reply-to: <[🔎] 20140701000135.GU15303@hezmatt.org>
References: <53ADAA23.5050306@googlemail.com> <[🔎] 20140701000135.GU15303@hezmatt.org>

On Tue, Jul 01, 2014 at 10:01:35AM +1000, Matt Palmer wrote:
> Hi,
> 
> On Fri, Jun 27, 2014 at 07:30:11PM +0200, Andreas Cadhalpun wrote:
> > I'd like to inform you that ffmpeg 0.5.10-1 in squeeze is vulnerable
> > to CVE-2014-4610 [1].
> > The fix [2] should be easily backportable.
> 
> Thanks for taking the time to send this info through.
> 
> This bug has been marked as "wontfix" for squeeze; the rationale provided
> was "end-of-life; Backports to 0.5.x not useful, too many checks missing". 
> I'm not an expert in all things ffmpeg, and I wasn't the one who added that
> note; I've Cc'd the person who added that notation to provide further
> rationale if you need it.

If there are isolated patch which apply the 0.5.x, they can be shipped.
Raphael was also planning to push some fixes.

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
  - From: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>

References:
- Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
  - From: Matt Palmer <mpalmer@debian.org>

Prev by Date: Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
Next by Date: LTS / DebConf
Previous by thread: Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
Next by thread: Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
Index(es):
- Date
- Thread