Re: wheezy update for libav

On Mon, Jan 16, 2017 at 10:30:27PM +0100, Hugo Lefeuvre wrote:
> > I just released libav 0.8.20 with some more fixes, changelog below.
> > 
> > Diego
> > 
> > version 0.8.20:
> > 
> > - mpegvideo: Fix undefined negative shifts in mpeg_motion_internal (Bug-Id: 980, CVE-2016-9820)
> > - mpegvideo: Fix undefined negative shifts in ff_init_block_index (Bug-Id: 980, CVE-2016-9819)
> > - mpeg12dec: move setting first_field to mpeg_field_start() (Bug-ID: 999)
> > - mpeg12dec: avoid signed overflow in bitrate calculation (Bug-Id: 981, CVE-2016-9822)
> > - mpegvideo_parser: avoid signed overflow in bitrate calculation (Bug-Id: 981, CVE-2016-9821)
> > - h264: Use the right H264Context for struct member comparison
> Thanks for your work. I'll have a look at it and upload tomorrow.


> Concerning the old CVEs (CVE-2015-6820, etc.), we could maybe ask the
> ffmpeg project for the reproducers? Not sure they will still have them,
> but it doesn't hurt to try.

I'll try to get in contact with the Google people in order to receive direct
access. Doing this through multiple levels of indirection is quite annoying.

I just noticed that you are listing CVE-2015-5479 and CVE-2015-1872 as still
open for 0.8 on


We fixed this a long time ago with release 0.8.18; you can mark these as
fixed for wheezy and close the CVE entries.


