On Mi, Nov 02, 2011 at 15:33:20 (CET), Yves-Alexis Perez wrote:
> I'm considering the various open issues in ffmpeg in Squeeze
> (CVE-2011-{3362,3504,3973,3974}).

I'm currently investigating these issues. Let's first discuss the CAVS-related ones (3362, 3973, 3974):

3974 seems to have been allocated in error, as it even references the same commit as 3973. What is the procedure to request that it be removed/invalidated?

As for 3362 & 3973, I believe both have been fixed by this commit:

http://git.libav.org/?p=libav.git;a=commitdiff;h=4a71da0f3ab7f5542decd11c81994f849d5b2c78

This commit has also been merged into FFmpeg. That imported commit is also referenced in the CVE description of CVE-2011-3973, so I assume that this is the correct fix.

For CVE-2011-3362, FFmpeg changed the signedness of two variables in the function decode_residual_block(). I'd be curious to see a sample that still exploits Libav's cavs decoder without that signedness change. Until I'm presented with an exploit that demonstrates this issue, I'm going to assume that CVE-2011-3362 is fixed by the same patch that fixed CVE-2011-3973.

Now for CVE-2011-3504, which concerns an allocation error in the matroska decoder. I strongly believe that this has been fixed by this commit:

http://git.libav.org/?p=libav.git;a=commitdiff;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec

Unlike the CVE report, the commit message refers to MSVR-11-0080, which does not seem to exist on Bing at all. I currently assume that the CVE is right and the commit message (which was imported from FFmpeg without further checking) should have referenced MSVR11-011 instead.

In any case, I've just backported both patches to the 0.5 branch:

http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.5

Feedback and tests welcome. If nobody disagrees and nothing else pops up until, let's say, Friday, I'm going to roll 0.5.5 tarballs. Does this work for everyone?

Cheers,
Reinhard.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4