Re: CVE-2011-2160, CVE-2011-2161 and CVE-2011-2162
Michael Gilbert wrote:
> Reinhard Tartler wrote:
>
> > On Fr, Jul 29, 2011 at 12:16:13 (CEST), Moritz Mühlenhoff wrote:
> >
> > > On Mon, Jun 27, 2011 at 03:58:28PM +0200, Laurent Bonnaud wrote:
> > >> Hi,
> > >>
> > >> I am looking at those 3 security issues:
> > >>
> > >> http://security-tracker.debian.org/tracker/CVE-2011-2160
> > >> http://security-tracker.debian.org/tracker/CVE-2011-2161
> > >> http://security-tracker.debian.org/tracker/CVE-2011-2162
> > >>
> > >> that are marked as not fixed in Debian. However, when reading bug
> > >> #628448, Reinhard Tartler, maintainer of the package, says those bugs
> > >> are fixed in sid:
> > >>
> > >> > With this research, I couldn't find any issue that was not already fixed
> > >> > in a point release or another, so unstable is fixed TTBOMK.
> > >>
> > >> and therefore in wheezy. So could someone please update the pages in
> > >> the Debian security tracker?
> > >
> > > Which version of ffmpeg fixed it?
> >
> > Currently, the security tracker lists the following issues for libav:
> >
> > CVE-2010-3908
> >
> > allows remote attackers to cause a denial of service (memory corruption
> > and application crash) or possibly execute arbitrary code via a
> > malformed WMV file.
> >
> > Fixed in 0.5.4
> >
> > CVE-2011-0722
> >
> > Real Media decoder bug, fixed in 0.5.4
> >
> > CVE-2011-0723
> >
> > VC-1 decoder bug, fixed in 0.5.4
> >
> > CVE-2011-1196
> >
> > oggdec, heap corruption bug.
> >
> > fixed in 0.7.1 but the patch does not apply to 0.5, and I failed to reproduce. If
> > someone can, please get in touch with me.
> >
> > CVE-2011-1198
> >
> > ffmpeg-mt specific bug with mp4 files, Unreproducible with libav:
> > http://thread.gmane.org/gmane.comp.video.libav.devel/8507
> >
> > CVE-2011-2160
> >
> > extremely vague, no useful references given

It looks like this was assigned based on your changelog text [0]. Your
wording for CVE-2011-0723 differs from the other fixes, so Mitre
assumed there was something else to it and gave it a new id. Yikes!

> > CVE-2011-2162
> >
> > description on mitre is way too vague, the referenced Mandriva source
> > package does not contain any relevant patch to this issue.

It looks like this is CVE-2011-1198 again. The new idea seems to
have arisen via ill-defined text in the Mandriva advisories [0].

[0] http://openwall.com/lists/oss-security/2011/09/02/1