Your message dated Tue, 21 Jun 2011 19:05:52 +0200
with message-id <87k4cfazdb....@faui43f.informatik.uni-erlangen.de>
and subject line Re: several vulnerabilities: CVE-2011-2162 CVE-2011-2161 CVE-2011-2160
has caused the Debian Bug report #628448,
regarding several vulnerabilities: CVE-2011-2162 CVE-2011-2161 CVE-2011-2160
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
628448: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628448
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libav
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for libav.
CVE-2011-2162[0]:
| Multiple unspecified vulnerabilities in FFmpeg 0.4.x through 0.6.x, as
| used in MPlayer 1.0 and other products, in Mandriva Linux 2009.0,
| 2010.0, and 2010.1; Corporate Server 4.0 (aka CS4.0); and Mandriva
| Enterprise Server 5 (aka MES5) have unknown impact and attack vectors,
| related to issues "originally discovered by Google Chrome developers."
CVE-2011-2161[1]:
| The ape_read_header function in ape.c in libavformat in FFmpeg before
| 0.5.4, as used in MPlayer, VideoLAN VLC media player, and other
| products, allows remote attackers to cause a denial of service
| (application crash) via an APE (aka Monkey's Audio) file that contains
| a header but no frames.
CVE-2011-2160[2]:
| The VC-1 decoding functionality in FFmpeg before 0.5.4, as used in
| MPlayer and other products, does not properly restrict read
| operations, which allows remote attackers to have an unspecified
| impact via a crafted VC-1 file, a related issue to CVE-2011-0723.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
Cheers,
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2162
http://security-tracker.debian.org/tracker/CVE-2011-2162
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2161
http://security-tracker.debian.org/tracker/CVE-2011-2161
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2160
http://security-tracker.debian.org/tracker/CVE-2011-2160
--- End Message ---
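The CVE-2011-2161 case in the report above (an APE file with a header but no frames) is the kind of input a demuxer's header reader has to refuse before it touches its frame table. The following is an added example, not libav's code: it uses a simplified, constructed header layout (not the real APE container format) to show the zero-frame rejection and the bounds checks a hardened ape_read_header needs.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header layout for this example only (not the real APE layout):
 * "MAC " magic, uint32 LE frame count, uint32 LE frame size, uint32 LE size
 * of the final frame, then one uint32 LE byte offset per frame. */
typedef struct { uint32_t pos, size; } Frame;
typedef struct { uint32_t totalframes; Frame *frames; } ApeCtx;

static uint32_t rl32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 and fills ctx on success, -1 (ctx->frames left NULL) on any
 * malformed header. A header announcing zero frames is refused before any
 * table work: otherwise the code would allocate an empty table and then
 * touch frames[totalframes - 1], i.e. frames[UINT32_MAX]. */
int ape_read_header_hardened(const uint8_t *buf, size_t len, ApeCtx *ctx) {
    ctx->frames = NULL;
    ctx->totalframes = 0;
    if (len < 16 || memcmp(buf, "MAC ", 4) != 0)
        return -1;
    uint32_t totalframes = rl32(buf + 4);
    uint32_t framesize   = rl32(buf + 8);
    uint32_t finalsize   = rl32(buf + 12);
    if (totalframes == 0)                        /* the "header but no frames" case */
        return -1;
    if (totalframes > (len - 16) / 4)            /* offset table must fit the input */
        return -1;
    Frame *frames = calloc(totalframes, sizeof *frames); /* calloc checks the multiply */
    if (!frames)
        return -1;
    for (uint32_t i = 0; i < totalframes; i++) {
        frames[i].pos  = rl32(buf + 16 + 4 * (size_t)i);
        frames[i].size = framesize;
    }
    frames[totalframes - 1].size = finalsize;    /* valid only because totalframes >= 1 */
    ctx->totalframes = totalframes;
    ctx->frames = frames;
    return 0;
}

void ape_ctx_free(ApeCtx *ctx) { free(ctx->frames); ctx->frames = NULL; }

/* Constructed inputs: a two-frame header and a header-only file with no frames. */
const uint8_t SAMPLE_TWO_FRAMES[] = { 'M','A','C',' ', 2,0,0,0, 0x10,0,0,0, 5,0,0,0,
                                      0x20,0,0,0, 0x30,0,0,0 };
const uint8_t SAMPLE_NO_FRAMES[]  = { 'M','A','C',' ', 0,0,0,0, 0x10,0,0,0, 0,0,0,0 };
```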
--- Begin Message ---
Hi,
sorry for the delay, I somehow must have missed this mail and then got
too busy with releasing 0.7 upstream.
This report is pretty problematic because it describes different
vulnerabilities that got fixed in different versions. Moreover, the CVE
descriptions are /very/ vague, which doesn't make this report easier to
process, but well, so let's see.
On Sun, May 29, 2011 at 05:23:17 (CEST), Steffen Joeris wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for libav.
>
> CVE-2011-2162[0]:
> | Multiple unspecified vulnerabilities in FFmpeg 0.4.x through 0.6.x, as
> | used in MPlayer 1.0 and other products, in Mandriva Linux 2009.0,
> | 2010.0, and 2010.1; Corporate Server 4.0 (aka CS4.0); and Mandriva
> | Enterprise Server 5 (aka MES5) have unknown impact and attack vectors,
> | related to issues "originally discovered by Google Chrome developers."
What "multiple unspecified vulnerabilities" is this talking about?!
Looking at the references, it seems they talk about:
- CVE-2009-4632, fixed upstream commit:
http://git.libav.org/?p=libav.git;a=commitdiff;h=ef84190a1ab777c35ea9fec64c3ab6ce641b79e5
- CVE-2009-4633, upstream commit:
http://git.libav.org/?p=libav.git;a=commitdiff;h=9ef13f70f4d38514fa82b998f7e62abb7940f4c1
- CVE-2009-4634, fixed versions in: 0.5.2 and 0.6.1, upstream commits:
http://git.libav.org/?p=libav.git;a=commitdiff;h=329e816ed7903cf078c52aecd32a3be3b5dabbee
http://git.libav.org/?p=libav.git;a=commitdiff;h=d6860fb653ed42a9d35e134f843f03cc049b74f1
cf. http://security-tracker.debian.org/tracker/CVE-2009-4633 and DSA-2000
- CVE-2009-4635, also addressed by DSA-2000, upstream commit is:
http://git.libav.org/?p=libav.git;a=commitdiff;h=48b086b0efa40799ace96bcec010b6b72a9490d6
- CVE-2009-4639, classified as "denial-of-service only"
http://security-tracker.debian.org/tracker/CVE-2009-4639
required example file to verify
- CVE-2009-4640, seems to be the same as CVE-2009-4634
- CVE-2010-3429, upstream commit:
http://git.libav.org/?p=libav.git;a=commitdiff;h=2f504d7a90605b77d1a9ac43a8d1efa208e0f515
- CVE-2010-4704, seems to be the same as CVE-2009-4634
- CVE-2011-0480, again a vorbis_dec problem, upstream commit:
http://git.libav.org/?p=libav.git;a=commitdiff;h=329e816ed7903cf078c52aecd32a3be3b5dabbee
- CVE-2011-0722, upstream commit:
http://git.libav.org/?p=libav.git;a=commitdiff;h=808f9ce727fb05058a43de8d64539eddf5fa74d6
- CVE-2011-0723, upstream commit:
http://git.libav.org/?p=libav.git;a=commitdiff;h=8069e2f6fbd79e3d3d2ba17f5f097475b43e2921
- CVE-2009-4636, wtf?
With this mess, it's quite possible that I missed some important patch,
so feel free to correct me.
> CVE-2011-2161[1]:
> | The ape_read_header function in ape.c in libavformat in FFmpeg before
> | 0.5.4, as used in MPlayer, VideoLAN VLC media player, and other
> | products, allows remote attackers to cause a denial of service
> | (application crash) via an APE (aka Monkey's Audio) file that contains
> | a header but no frames.
- CVE-2011-2161:
http://git.libav.org/?p=libav.git;a=commitdiff;h=18c5fe919f4b1818ebdf405812c5a2d16174688f
> CVE-2011-2160[2]:
> | The VC-1 decoding functionality in FFmpeg before 0.5.4, as used in
> | MPlayer and other products, does not properly restrict read
> | operations, which allows remote attackers to have an unspecified
> | impact via a crafted VC-1 file, a related issue to CVE-2011-0723.
Does not explain the difference to CVE-2011-0723, and provides no testfile.
> If you fix the vulnerabilities please also make sure to include the
> CVE ids in your changelog entry.
With this research, I couldn't find any issue that was not already fixed
in a point release or another, so unstable is fixed TTBOMK. Again, if
you think I'm wrong please be more specific.
For squeeze, I have prepared a 0.5.4 package with all known issues fixed
months ago, but I don't understand why it's not being processed. I
strongly recommend accepting new upstream versions from the same release
branches. That's why I'm doing those upstream releases, after all!
For lenny, sorry, we should EOL it and announce this fact properly. I
don't have the time and infrastructure to backport to such an old
snapshot properly.
Cheers,
Reinhard.
--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
--- End Message ---