
Bug#932469: ffmpeg: CVE-2019-12730



Source: ffmpeg
Version: 7:4.1.3-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

The following vulnerability was published for ffmpeg; it is fixed in
the 4.4.1 release (and was previously fixed already in 3.2 series and
thus was already included in DSA-4449-1).

CVE-2019-12730[0]:
| aa_read_header in libavformat/aadec.c in FFmpeg before 3.2.14 and 4.x
| before 4.1.4 does not check for sscanf failure and consequently allows
| use of uninitialized variables.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12730
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12730
[1] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9b4004c054964a49c7ba44583f4cee22486dd8f2
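
The failure mode named in the CVE description above (an unchecked sscanf result leaving its output variables uninitialized), shown with the check in place. This is an added example, not part of the original report and not FFmpeg's code; the helper name parse_key_parts, the four-field decimal format and the sample strings are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not FFmpeg code): parse four whitespace-separated
 * decimal 32-bit values from a metadata string into out[4].
 * Returns 0 on success, -1 if fewer than four fields converted.
 *
 * The unchecked pattern would call sscanf() and then read all four
 * targets regardless of the result; any field that failed to convert
 * would still hold whatever was on the stack. */
static int parse_key_parts(const char *val, uint32_t out[4])
{
    uint32_t tmp[4] = {0};  /* defined contents even if parsing stops early */
    int n = sscanf(val, "%" SCNu32 " %" SCNu32 " %" SCNu32 " %" SCNu32,
                   &tmp[0], &tmp[1], &tmp[2], &tmp[3]);

    /* sscanf returns the number of successful conversions, or EOF when
     * input ends before the first one. Anything other than 4 is invalid. */
    if (n != 4)
        return -1;

    /* The caller's buffer is written only after full validation. */
    memcpy(out, tmp, sizeof(tmp));
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one valid, three malformed. */
    const char *samples[] = { "1 2 3 4", "1 2 x 4", "", "12 34" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t key[4];
        if (parse_key_parts(samples[i], key) == 0)
            printf("\"%s\": ok %" PRIu32 " %" PRIu32 " %" PRIu32 " %" PRIu32 "\n",
                   samples[i], key[0], key[1], key[2], key[3]);
        else
            printf("\"%s\": rejected as invalid data\n", samples[i]);
    }
    return 0;
}
```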

