On Thu, 2008-12-04 at 22:41 +0100, Reinhard Tartler wrote: > Mark Purcell <m...@debian.org> writes: > > > On Wednesday 12 November 2008 19:23:18 Reinhard Tartler wrote: > >> Summary: the only issue this bug is about is actually CVE-2008-4869, > >> where I have committed a patch, but would really need some help with > >> verifying the patch.
Don't you mean -4866? > > Reinhard, > > > > This RC bug has been sitting idle for the last couple of weeks are you in a > > position to upload a package to experimental/ unstable to assist with > > verification of your fix? > > Test packages are available at > http://pkg-multimedia.alioth.debian.org/ffmpeg-test/ > > I'll upload it as soon as someone can confirm me that these packages > actually fix the problem. Based on inspection of the original code and patch for -4866 in this test package, I am confident that this will be fixed. Please also include the fix for -4867 (#496612) as it sounds like the bug could be used for code injection and the change looks low-risk. -4868 apparently doesn't apply to lenny or sid; the original leak might but it appears to be extremely limited and probably not controllable by an attacker. -4869 is not clearly defined so seems impossible to address. Ben. -- Ben Hutchings [W]e found...that it wasn't as easy to get programs right as we had thought. ... I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs. - Maurice Wilkes, 1949
signature.asc
Description: This is a digitally signed message part
