Bug#932469: marked as done (ffmpeg: CVE-2019-12730)

Your message dated Sat, 27 Jul 2019 14:39:38 +0000
with message-id <E1hrNrG-00086h-ND@fasolo.debian.org>
and subject line Bug#932469: fixed in ffmpeg 7:4.1.4-1
has caused the Debian Bug report #932469,
regarding ffmpeg: CVE-2019-12730
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
932469: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932469
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: ffmpeg
Version: 7:4.1.3-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

The following vulnerability was published for ffmpeg; it is fixed in
the 4.1.4 release (and had previously been fixed in the 3.2 series and
was thus already included in DSA-4449-1).

CVE-2019-12730[0]:
| aa_read_header in libavformat/aadec.c in FFmpeg before 3.2.14 and 4.x
| before 4.1.4 does not check for sscanf failure and consequently allows
| use of uninitialized variables.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12730
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12730
[1] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9b4004c054964a49c7ba44583f4cee22486dd8f2

--- End Message ---
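The CVE text above and the changelog entry in the closing message ("avformat/aadec: Check for scanf() failure") describe the same defect: aa_read_header() parses the HeaderKey string of an .aa file with sscanf() and ignores the conversion count. The following is an added example written for this page, not FFmpeg's code: it re-implements the HeaderKey step in the vulnerable shape beside the fixed shape. The HeaderKey value is four space-separated decimal 32-bit words that the demuxer packs big-endian into a 16-byte key; the function names, the HK_OK/HK_INVALID return codes (stand-ins for 0 and AVERROR_INVALIDDATA) and the sample header strings are this example's own assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not FFmpeg's code): the HeaderKey step of aa_read_header()
 * in the vulnerable and in the fixed shape.  The .aa header's HeaderKey value
 * is four space-separated decimal 32-bit words, which the demuxer packs
 * big-endian into a 16-byte key.  Names and return codes are assumptions. */

#define KEY_WORDS 4
#define KEY_BYTES (KEY_WORDS * 4)

enum { HK_OK = 0, HK_INVALID = -1 };   /* stand-ins for 0 / AVERROR_INVALIDDATA */

/* Pack the four words big-endian into the key buffer (what the demuxer's
 * AV_WB32 loop does with header_key_part[]). */
void pack_key_be(const uint32_t parts[KEY_WORDS], uint8_t key[KEY_BYTES])
{
    for (int i = 0; i < KEY_WORDS; i++) {
        key[4 * i + 0] = (uint8_t)(parts[i] >> 24);
        key[4 * i + 1] = (uint8_t)(parts[i] >> 16);
        key[4 * i + 2] = (uint8_t)(parts[i] >> 8);
        key[4 * i + 3] = (uint8_t)(parts[i]);
    }
}

/* Vulnerable shape (FFmpeg before 3.2.14 / 4.1.4): the sscanf() result is
 * discarded.  If the file's HeaderKey holds fewer than four numbers, the
 * unconverted entries of `parts` are never written; in the real demuxer
 * `parts` is an uninitialized stack array, so stack garbage becomes key
 * material and the header is accepted anyway. */
int parse_header_key_unchecked(const char *val, uint32_t parts[KEY_WORDS],
                               uint8_t key[KEY_BYTES])
{
    sscanf(val, "%" SCNu32 "%" SCNu32 "%" SCNu32 "%" SCNu32,
           &parts[0], &parts[1], &parts[2], &parts[3]);
    pack_key_be(parts, key);
    return HK_OK;                      /* always "succeeds" */
}

/* Fixed shape (the CVE-2019-12730 change): a conversion count other than
 * four means the header is malformed, so reject the file before any entry
 * of `parts` is used. */
int parse_header_key_checked(const char *val, uint32_t parts[KEY_WORDS],
                             uint8_t key[KEY_BYTES])
{
    int n = sscanf(val, "%" SCNu32 "%" SCNu32 "%" SCNu32 "%" SCNu32,
                   &parts[0], &parts[1], &parts[2], &parts[3]);
    if (n != KEY_WORDS)
        return HK_INVALID;
    pack_key_be(parts, key);
    return HK_OK;
}

/* Stand-alone demonstration.  The 0xDEADBEEF sentinel plays the role of
 * whatever happened to be on the stack: reading truly uninitialized memory
 * is undefined behaviour, so the example makes the leftover value visible
 * instead of relying on it. */
int main(void)
{
    static const char *inputs[] = {
        "1234567890 1234567890 1234567890 1234567890", /* constructed: well-formed */
        "1234567890 1234567890",                       /* constructed: truncated */
        "not a number",                                /* constructed: garbage */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint32_t parts[KEY_WORDS] = { 0xDEADBEEFu, 0xDEADBEEFu, 0xDEADBEEFu, 0xDEADBEEFu };
        uint8_t key[KEY_BYTES];
        int unchecked = parse_header_key_unchecked(inputs[i], parts, key);
        printf("\"%s\"\n  unchecked: rc=%d key=", inputs[i], unchecked);
        for (int b = 0; b < KEY_BYTES; b++)
            printf("%02x", key[b]);
        int checked = parse_header_key_checked(inputs[i], parts, key);
        printf("\n  checked:   rc=%d\n", checked);
    }
    return 0;
}
```

The fixed variant rejects the header instead of substituting a default key, which is the behaviour the changelog entry describes; silently zero-filling the missing words would hide a corrupt or crafted file rather than report it. To find the real defect rather than the sentinel stand-in, build the demuxer with clang's MemorySanitizer (`-fsanitize=memory`) and feed it a truncated HeaderKey: the first use of the unwritten word is reported at the point of use.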
--- Begin Message ---
Source: ffmpeg
Source-Version: 7:4.1.4-1

We believe that the bug you reported is fixed in the latest version of
ffmpeg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 932469@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated ffmpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Jul 2019 11:24:18 +0100
Source: ffmpeg
Architecture: source
Version: 7:4.1.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Closes: 917292 924528 932469
Changes:
 ffmpeg (7:4.1.4-1) unstable; urgency=medium
 .
   [ James Cowgill ]
   * New upstream release. (LP: #1837480)
     - avformat/aadec: Check for scanf() failure (CVE-2019-12730)
       (Closes: #932469)
 .
   * d/copyright: Remove paragraph containing license files.
   * d/control: Bump standards version to 4.4.0.
   * d/ffmpeg-doc.doc-base*:
     - Move API docs to Programming/C section.
     - Index the main manual pages as well.
       Thanks to 積丹尼 Dan Jacobson for the suggestion. (Closes: #924528)
   * d/rules:
     - Disable crystalhd. (Closes: #917292)
     - Generate index.html file for the HTML manual pages.
 .
   [ Ondřej Nový ]
   * d/control:
     - Use debhelper-compat instead of debian/compat.
Checksums-Sha1:
 93796b84f12e421f9e5f2dfa6b67f5eacfb3d4aa 5302 ffmpeg_4.1.4-1.dsc
 c4dc0e8efca38c03a98e3698279327fdaa767cc4 8896056 ffmpeg_4.1.4.orig.tar.xz
 5833542d9a4dc03b38e20b1538d6097c810e153c 473 ffmpeg_4.1.4.orig.tar.xz.asc
 860e17a3051309dd6c76933d57c80f712b75e439 47760 ffmpeg_4.1.4-1.debian.tar.xz
Checksums-Sha256:
 b6479877fd4c15771540c4a2ec341d4804d2f03cba2a7a7c012dff0ef8ec55a5 5302 ffmpeg_4.1.4-1.dsc
 f1f049a82fcfbf156564e73a3935d7e750891fab2abf302e735104fd4050a7e1 8896056 ffmpeg_4.1.4.orig.tar.xz
 1ae4a0a9a95b9da8c42268e4e876d344643d38fc1f7f34d49fc478cd97db2bd6 473 ffmpeg_4.1.4.orig.tar.xz.asc
 7972f4e82c80e48154933d66e062de2eb10d7511d8df0697733fa2664ce7c02f 47760 ffmpeg_4.1.4-1.debian.tar.xz
Files:
 b05a90b73602b300f61443330a651fd2 5302 video optional ffmpeg_4.1.4-1.dsc
 5307931aeb7aaee5e1509d9996040661 8896056 video optional ffmpeg_4.1.4.orig.tar.xz
 dc222ffd686e4a565d96876cf730224c 473 video optional ffmpeg_4.1.4.orig.tar.xz.asc
 d32e6d0693e1a560961d79da48059659 47760 video optional ffmpeg_4.1.4-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE+Ixt5DaZ6POztUwQx/FnbeotAe8FAl08WvgUHGpjb3dnaWxs
QGRlYmlhbi5vcmcACgkQx/FnbeotAe9pWw//TUpC7vZvv8c5BWe98TlFr2HGIaY9
l8TEkO9ehg0qCR0SQxySaEkhwABVuWBiy7zBUYxaYxZtdmemvaIHLHQfgvXpWR++
LCRz6x+B2UhTXwT5tgQN4U/IWwXtVW42QCR0hnDCGBUzaDIDOWRalYNikI1OKLRu
r4mGAtddXl8LwUMC9kzHh2MbUJfV1RJiCOyVjteguHM8T5pQRPVl0I7pwJ0fGo7P
zSrrI4e4SRFR7CGU3voylP4N6srigNABXC9X7OIcYpTve4z3Ej41DOOPJwixPD//
lG6yPDE1zIUTZlwJeAoPc7pYWkKnwcQcz8ug7RSq8atESKa7EmJbH5TNP3hdo1pH
K+jyuLw8vVgjJFQN9LKc7SBI4juOd5liqcKjmjSCS3CpdWcPrnvYy9VVYY+pCzOk
CBNCeo/OVzNKRQUHUpGlkZ7lFtidY9SYLg1SWXtvvOPT/TdMzzWlIhhh1kjfZ/wd
X9n8MNz/8kLoAKKDdNvmWLNnacnFDUhI+TrvcvohnFcUq9A37rAPPZ6NvoIuklrw
iHartnz3fYLqqWVqxUepOuEV1uT42sozvO9/wbQwtPCqHN/hOW4YjTTwnctunHW4
a94tKjjBiBEC66kkTDGU1YPH5lEURs1qmWdsRkWRVLGR8GY5edyep09Kfu3GHL2U
PYrNYqnY/j6mNwI=
=2rID
-----END PGP SIGNATURE-----

--- End Message ---