Re: CVE-2011-2160, CVE-2011-2161 and CVE-2011-2162



Reinhard Tartler wrote:

> On Fr, Jul 29, 2011 at 12:16:13 (CEST), Moritz Mühlenhoff wrote:
> 
> > On Mon, Jun 27, 2011 at 03:58:28PM +0200, Laurent Bonnaud wrote:
> >> Hi,
> >> 
> >> I am looking at those 3 security issues:
> >> 
> >>   http://security-tracker.debian.org/tracker/CVE-2011-2160
> >>   http://security-tracker.debian.org/tracker/CVE-2011-2161
> >>   http://security-tracker.debian.org/tracker/CVE-2011-2162
> >> 
> >> that are marked as not fixed in Debian.  However, when reading bug
> >> #628448, Reinhard Tartler, maintainer of the package, says those bugs
> >> are fixed in sid:
> >> 
> >> > With this research, I couldn't find any issue that was not already fixed
> >> > in a point release or another, so unstable is fixed TTBOMK.
> >> 
> >> and therefore in wheezy.  So could someone please update the pages in
> >> the Debian security tracker?
> >
> > Which version of ffmpeg fixed it?
> 
> Currently, the security tracker lists the following issues for libav:
> 
> CVE-2010-3908
> 
> allows remote attackers to cause a denial of service (memory corruption
> and application crash) or possibly execute arbitrary code via a
> malformed WMV file.
> 
> Fixed in 0.5.4
> 
> CVE-2011-0722
> 
> Real Media decoder bug, fixed in 0.5.4
> 
> CVE-2011-0723
> 
> VC-1 decoder bug, fixed in 0.5.4
> 
> CVE-2011-1196
> 
> oggdec, heap corruption bug.
> 
> fixed in 0.7.1 but the patch does not apply to 0.5, and I failed to reproduce. If
> someone can, please get in touch with me.
> 
> CVE-2011-1198
> 
> ffmpeg-mt specific bug with mp4 files, Unreproducible with libav:
> http://thread.gmane.org/gmane.comp.video.libav.devel/8507
> 
> CVE-2011-2160
> 
> extremely vague, no useful references given
> 
> CVE-2011-2161
> 
> APE decoder bug, fixed in 0.5.4
> 
> CVE-2011-2162
> 
> description on MITRE is way too vague, the referenced Mandriva source
> package does not contain any relevant patch to this issue.

Sometimes advisories like these are just brain dead.  In these cases,
the best thing to do is send a message to oss-sec asking for more
info, which I've just done [0].

> ffmpeg (4:0.5.4-1) stable-security; urgency=low
> 
>   * New upstream release. New releases fixes:
>     - Fix memory corruption in WMV parsing
>       (addresses CVE-2010-3908, LP: #690169)
>     - Fix heap corruption crashes (addresses CVE-2011-0722)
>     - Fix crashes in Vorbis decoding found by zzuf (addresses CVE-2010-4704,
>       Closes: #611495)
>     - Fix another crash in Vorbis decoding (addresses CVE-2011-0480,
>       Chrome issue 68115)
>     - Fix invalid reads in VC-1 decoding (related to CVE-2011-0723)
>     - Do not attempt to decode APE file with no frames (fixes DoS)
>   * drop fix-CVE-2010-3429.patch, applied upstream
>   
>  -- Reinhard Tartler <siretart@tauware.de>  Sun, 06 Mar 2011 18:02:34 +0100
> 
> Can someone from the security team please check what's the problem with
> the upload?

It may be that they simply won't accept the upstream version bump in a
security upload.  You could do a proposed-update instead (of course
sending a review request to the release team first).

Best wishes,
Mike

[0] http://openwall.com/lists/oss-security/2011/09/02/1

