
Bug#980000: marked as done (ffmpeg: CVE-2020-35964)



Your message dated Tue, 12 Jan 2021 20:33:30 +0000
with message-id <E1kzQM6-0003Lc-1t@fasolo.debian.org>
and subject line Bug#980000: fixed in ffmpeg 7:4.3.1-6
has caused the Debian Bug report #980000,
regarding ffmpeg: CVE-2020-35964
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
980000: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980000
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: ffmpeg
Version: 7:4.3.1-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for ffmpeg.

CVE-2020-35964[0]:
| track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-
| bounds write because of incorrect extradata packing.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-35964
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35964
[1] https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7
[2] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26622

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ffmpeg
Source-Version: 7:4.3.1-6
Done: Sebastian Ramacher <sramacher@debian.org>

We believe that the bug you reported is fixed in the latest version of
ffmpeg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 980000@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated ffmpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Jan 2021 20:48:08 +0100
Source: ffmpeg
Architecture: source
Version: 7:4.3.1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 979999 980000
Changes:
 ffmpeg (7:4.3.1-6) unstable; urgency=medium
 .
   * Team upload
   * debian/control:
     - Bump Standards-Version
     - Drop obsolete Build-Depends
     - Switch to libfontconfig-dev and libfreetype-dev
   * debian/patches:
     - Fix out-of-bounds write in libavcodec/exr.c (Closes: #980000)
       (CVE-2020-35964)
     - Fix out-of-bounds write in libavcodec/vividas.c (Closes: #979999)
       (CVE-2020-35965)
Checksums-Sha1:
 f4d71c30cf8b46b3e0b92a10140c55935a1905c2 5369 ffmpeg_4.3.1-6.dsc
 b8e3601cf67d6a647d45ad4ae554cf011e49e075 90292 ffmpeg_4.3.1-6.debian.tar.xz
Checksums-Sha256:
 260e967ede8c0dc393ab80ea16ec3220fb2cbcf6a9e1fa34f0493e653976dc4e 5369 ffmpeg_4.3.1-6.dsc
 0df3d8d4ed4785b795848caf148571268e58c739be28e8fe24c4d0726d482834 90292 ffmpeg_4.3.1-6.debian.tar.xz
Files:
 002cfa5047ca37644f17b3cc94e6e318 5369 video optional ffmpeg_4.3.1-6.dsc
 d0a62ba671a2af7dd84598d71797f2f5 90292 video optional ffmpeg_4.3.1-6.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
