[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [PATCH 3/4] link proposed patches for libav CVE-2012-2882, CVE-2012-2797 and CVE-2012-2774

On Fri, Jan 4, 2013 at 11:27 AM, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> On Fri, Jan 04, 2013 at 07:04:47AM +0100, Reinhard Tartler wrote:
>> On Fri, Jan 4, 2013 at 12:19 AM, Reinhard Tartler <siretart@tauware.de> wrote:
>> > ---
>> >  CVE/list |    4 ++++
>> >  1 file changed, 4 insertions(+)
>> >
>> > diff --git a/CVE/list b/CVE/list
>> > index 44dabb2..106a5c4 100644
>> > --- a/CVE/list
>> > +++ b/CVE/list
>> > @@ -10805,6 +10805,7 @@ CVE-2012-2882 (FFmpeg, as used in Google Chrome before 22.0.1229.79, does not ..
>> >         - libav <unfixed> (bug #694483)
>> >         - ffmpeg <removed>
>> >         NOTE: https://chromiumcodereview.appspot.com/10829204
>> > +       NOTE: proposed patch for libav: http://patches.libav.org/patch/32636/
>> >  CVE-2012-2881 (Google Chrome before 22.0.1229.79 does not properly handle plug-ins, ...)
>> >         - chromium-browser 22.0.1229.94~r161065-1
>> >  CVE-2012-2880 (Race condition in Google Chrome before 22.0.1229.79 allows remote ...)
>> > @@ -11043,6 +11044,7 @@ CVE-2012-2798 (Unspecified vulnerability in the decode_dds1 function in ...)
>> >  CVE-2012-2797 (Unspecified vulnerability in the decode_frame_mp3on4 function in ...)
>> >         [squeeze] - ffmpeg <unfixed> (bug #688849)
>> >         - libav <unfixed> (bug #688847)
>> > +       NOTE: patch proposed: http://patches.libav.org/patch/32642/
>> Based on Justins review, the libav <unfixed> should be <unspecified>
>> until someone can come up with a sample.
>>
>> >  CVE-2012-2796 (Unspecified vulnerability in the vc1_decode_frame function in ...)
>> >         [squeeze] - ffmpeg <unfixed> (bug #688849)
>> >         - libav 6:0.8.4-1 (bug #688847)
>> > @@ -11108,6 +11110,8 @@ CVE-2012-2775 (Unspecified vulnerability in the read_var_block_data function in
>> >  CVE-2012-2774 (The ff_MPV_frame_start function in libavcodec/mpegvideo.c in FFmpeg ...)
>> >         [squeeze] - ffmpeg <unfixed> (bug #688849)
>> >         - libav <unfixed> (bug #688847)
>> > +       NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=59a4b73531428d2f420b4dad545172c8483ced0f
>> > +       NOTE: patch proposed: http://patches.libav.org/patch/32644/
>> Based on Ronald's review, the libav <unfixed> should be <unspecified>
>> until someone can come up with a sample
>>
>> Do you want me to resent an updated patch, or can you change this
>> while applying?
>
> Fixed up during application. Can you contact the Google for the reproducer?

Ronald is at Google and works at Chromium. The original reporter is a
co-worker of him. I guess this qualifies as "yes" :-)


-- 
regards,
    Reinhard
Reply to: