
Re: [PATCH 3/4] link proposed patches for libav CVE-2012-2882, CVE-2012-2797 and CVE-2012-2774



On Fri, Jan 4, 2013 at 12:19 AM, Reinhard Tartler <siretart@tauware.de> wrote:
> ---
>  CVE/list |    4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/CVE/list b/CVE/list
> index 44dabb2..106a5c4 100644
> --- a/CVE/list
> +++ b/CVE/list
> @@ -10805,6 +10805,7 @@ CVE-2012-2882 (FFmpeg, as used in Google Chrome before 22.0.1229.79, does not ..
>         - libav <unfixed> (bug #694483)
>         - ffmpeg <removed>
>         NOTE: https://chromiumcodereview.appspot.com/10829204
> +       NOTE: proposed patch for libav: http://patches.libav.org/patch/32636/
>  CVE-2012-2881 (Google Chrome before 22.0.1229.79 does not properly handle plug-ins, ...)
>         - chromium-browser 22.0.1229.94~r161065-1
>  CVE-2012-2880 (Race condition in Google Chrome before 22.0.1229.79 allows remote ...)
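Review bot: The NOTE added under CVE-2012-2882 is worded "proposed patch for libav:", while the notes added in the later hunks say "patch proposed:" with no package name. Use one wording for all of the added notes, preferably this one that names libav, since the entries also carry ffmpeg lines.
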
> @@ -11043,6 +11044,7 @@ CVE-2012-2798 (Unspecified vulnerability in the decode_dds1 function in ...)
>  CVE-2012-2797 (Unspecified vulnerability in the decode_frame_mp3on4 function in ...)
>         [squeeze] - ffmpeg <unfixed> (bug #688849)
>         - libav <unfixed> (bug #688847)
> +       NOTE: patch proposed: http://patches.libav.org/patch/32642/
Based on Justin's review, the libav <unfixed> should be <unspecified>
until someone can come up with a sample.

>  CVE-2012-2796 (Unspecified vulnerability in the vc1_decode_frame function in ...)
>         [squeeze] - ffmpeg <unfixed> (bug #688849)
>         - libav 6:0.8.4-1 (bug #688847)
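Review bot: The NOTE added under CVE-2012-2797 says only "patch proposed:" and does not name the package, although the entry tracks both ffmpeg in squeeze and libav. Write it as "NOTE: proposed patch for libav: ..." as in the first hunk, so a reader knows which source tree the patch is against.
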
> @@ -11108,6 +11110,8 @@ CVE-2012-2775 (Unspecified vulnerability in the read_var_block_data function in
>  CVE-2012-2774 (The ff_MPV_frame_start function in libavcodec/mpegvideo.c in FFmpeg ...)
>         [squeeze] - ffmpeg <unfixed> (bug #688849)
>         - libav <unfixed> (bug #688847)
> +       NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=59a4b73531428d2f420b4dad545172c8483ced0f
> +       NOTE: patch proposed: http://patches.libav.org/patch/32644/
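Review bot: The first NOTE added under CVE-2012-2774 is a bare ffmpeg.git commitdiff URL with no description, so a reader cannot tell how it relates to the libav patch on the next line; add a short label saying what that commit is. The second NOTE again omits the package name, and the entry lists both ffmpeg and libav.
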
Based on Ronald's review, the libav <unfixed> should be <unspecified>
until someone can come up with a sample.

Do you want me to resend an updated patch, or can you change this
while applying?

-- 
regards,
    Reinhard

