http://security-tracker.debian.net/tracker/source-package/ffmpeg

To: debian-security-tracker@lists.debian.org
Subject: http://security-tracker.debian.net/tracker/source-package/ffmpeg
From: Reinhard Tartler <siretart@debian.org>
Date: Tue, 29 Sep 2009 23:45:52 +0200
Message-id: <[🔎] 87y6nx1l2n.fsf@faui44a.informatik.uni-erlangen.de>

hi,

http://security-tracker.debian.net/tracker/source-package/ffmpeg claims
the following CVE reports to affect ffmpeg in unstable

Bug	Description
CVE-2008-3162	Stack-based buffer overflow in the str_read_packet function in
CVE-2009-0385	Integer signedness error in the fourxm_read_header function in

CVE-2008-3162 first is claimed to be fixed in r13993, CVE-2009-0385 in
r16846. However, the package in unstable is based on svn revision
r17725, and thus should have both fixes already in.

As for security status, google found some issues in ffmpeg as part of
their chrome project. This is documented at
https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240. The main problem
here is that the submitter refused to file seperate issues, but prefered
to send in a bulk of 73 (!) files.

Linked from there is issue1245, for which I think I've extracted a
patch. I'd like to experiment with it a bit more to ensure that it is
actually valid. For other issues, well, they still need more
investigation :-(


-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Reply to:

Follow-Ups:
- Re: http://security-tracker.debian.net/tracker/source-package/ffmpeg
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: Re: No tracker page for DSA-188[89]-1
Next by Date: Re: http://security-tracker.debian.net/tracker/source-package/ffmpeg
Previous by thread: Re: No tracker page for DSA-188[89]-1
Next by thread: Re: http://security-tracker.debian.net/tracker/source-package/ffmpeg
Index(es):
- Date
- Thread