Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation

To: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Cc: Matt Palmer <mpalmer@debian.org>, debian-lts@lists.debian.org, geissert@debian.org
Subject: Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Mon, 14 Jul 2014 18:34:26 +0200
Message-id: <[🔎] 20140714163426.GA3048@pisco.westfalen.local>
In-reply-to: <[🔎] 53BDBDEA.8070508@googlemail.com>
References: <[🔎] 20140701142710.GB9900@inutil.org> <[🔎] 53BDBDEA.8070508@googlemail.com>

On Thu, Jul 10, 2014 at 12:10:50AM +0200, Andreas Cadhalpun wrote:
> 
> As this seems to be a rather important security bug, I think a backport
> would be useful in this case. 

Raphael wanted to update ffmpeg in squeeze. I'm adding him to CC,
so that he can fold in the patch.

> I'm afraid I don't understand the part about
> 'too many checks missing'.

It means that the 0.5.x branch of ffmpeg is missing many other security
fixes already.

Cheers,
        Moritz

Reply to:

References:
- Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
  - From: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>

Prev by Date: Re: DLA documented
Next by Date: Re: DLA documented
Previous by thread: Re: CVE-2014-4610: Integer Overflow in FFmpeg LZO implementation
Next by thread: LTS / DebConf
Index(es):
- Date
- Thread