Source: ffmpeg Version: 7:2.8.2-1 Severity: important Tags: security upstream patch fixed-upstream
Hi, the following vulnerabilities were published for ffmpeg. CVE-2015-8363[0]: | The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in | FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does | not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which | allows remote attackers to cause a denial of service (out-of-bounds | heap-memory access) or possibly have unspecified other impact via a | crafted image with two or more of these markers. CVE-2015-8364[1]: | Integer overflow in the ff_ivi_init_planes function in | libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x | through 2.8.2 allows remote attackers to cause a denial of service | (out-of-bounds heap-memory access) or possibly have unspecified other | impact via crafted image dimensions in Indeo Video Interactive data. CVE-2015-8365[2]: | The smka_decode_frame function in libavcodec/smacker.c in FFmpeg | before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not | verify that the data size is consistent with the number of channels, | which allows remote attackers to cause a denial of service | (out-of-bounds array access) or possibly have unspecified other impact | via crafted Smacker data. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2015-8363 [1] https://security-tracker.debian.org/tracker/CVE-2015-8364 [2] https://security-tracker.debian.org/tracker/CVE-2015-8365 Regards, Salvatore
