
Re: CVE-2011-2160, CVE-2011-2161 and CVE-2011-2162



Michael Gilbert wrote:

> Reinhard Tartler wrote:
> 
> > On Fr, Jul 29, 2011 at 12:16:13 (CEST), Moritz Mühlenhoff wrote:
> > 
> > > On Mon, Jun 27, 2011 at 03:58:28PM +0200, Laurent Bonnaud wrote:
> > >> Hi,
> > >> 
> > >> I am looking at those 3 security issues:
> > >> 
> > >>   http://security-tracker.debian.org/tracker/CVE-2011-2160
> > >>   http://security-tracker.debian.org/tracker/CVE-2011-2161
> > >>   http://security-tracker.debian.org/tracker/CVE-2011-2162
> > >> 
> > >> that are marked as not fixed in Debian.  However, when reading bug
> > >> #628448, Reinhard Tartler, maintainer of the package, says those bugs
> > >> are fixed in sid:
> > >> 
> > >> > With this research, I couldn't find any issue that was not already fixed
> > >> > in a point release or another, so unstable is fixed TTBOMK.
> > >> 
> > >> and therefore in wheezy.  So could someone please update the pages in
> > >> the Debian security tracker ?
> > >
> > > Which version of ffmpeg fixed it?
> > 
> > Currently, the security tracker lists the following issues for libav:
> > 
> > CVE-2010-3908
> > 
> > allows remote attackers to cause a denial of service (memory corruption
> > and application crash) or possibly execute arbitrary code via a
> > malformed WMV file.
> > 
> > Fixed in 0.5.4
> > 
> > CVE-2011-0722
> > 
> > Real Media decoder bug, fixed in 0.5.4
> > 
> > CVE-2011-0723
> > 
> > VC-1 decoder bug, fixed in 0.5.4
> > 
> > CVE-2011-1196
> > 
> > oggdec, heap corruption bug.
> > 
> > fixed in 0.7.1 but the patch does not apply to 0.5, and I failed to reproduce. If
> > someone can, please get in touch with me.
> > 
> > CVE-2011-1198
> > 
> > ffmpeg-mt specific bug with mp4 files, unreproducible with libav:
> > http://thread.gmane.org/gmane.comp.video.libav.devel/8507
> > 
> > CVE-2011-2160
> > 
> > extremely vague, no useful references given

It looks like this was assigned based on your changelog text [0].  Your
wording for CVE-2011-0723 differs from the other fixes, so Mitre
assumed there was something else to it and gave it a new id.  Yikes!

> > CVE-2011-2162
> > 
> > description on Mitre is way too vague, the referenced Mandriva source
> > package does not contain any relevant patch to this issue.

It looks like this is CVE-2011-1198 again.  The new idea seems to
have arisen via ill-defined text in the Mandriva advisories [0].

[0] http://openwall.com/lists/oss-security/2011/09/02/1

