Bug#628448: marked as done (several vulnerabilities: CVE-2011-2162 CVE-2011-2161 CVE-2011-2160)

[Debian Bug Tracking System]

Your message dated Mon, 27 Jun 2011 21:36:15 +0000
with message-id <e1qbjtb-00016s...@franck.debian.org>
and subject line Bug#628448: fixed in libav 4:0.7-1
has caused the Debian Bug report #628448,
regarding several vulnerabilities: CVE-2011-2162 CVE-2011-2161 CVE-2011-2160
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
628448: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628448
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: libav
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for libav.

CVE-2011-2162[0]:
| Multiple unspecified vulnerabilities in FFmpeg 0.4.x through 0.6.x, as
| used in MPlayer 1.0 and other products, in Mandriva Linux 2009.0,
| 2010.0, and 2010.1; Corporate Server 4.0 (aka CS4.0); and Mandriva
| Enterprise Server 5 (aka MES5) have unknown impact and attack vectors,
| related to issues "originally discovered by Google Chrome developers."

CVE-2011-2161[1]:
| The ape_read_header function in ape.c in libavformat in FFmpeg before
| 0.5.4, as used in MPlayer, VideoLAN VLC media player, and other
| products, allows remote attackers to cause a denial of service
| (application crash) via an APE (aka Monkey's Audio) file that contains
| a header but no frames.

CVE-2011-2160[2]:
| The VC-1 decoding functionality in FFmpeg before 0.5.4, as used in
| MPlayer and other products, does not properly restrict read
| operations, which allows remote attackers to have an unspecified
| impact via a crafted VC-1 file, a related issue to CVE-2011-0723.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

Cheers,
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2162
    http://security-tracker.debian.org/tracker/CVE-2011-2162
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2161
    http://security-tracker.debian.org/tracker/CVE-2011-2161
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2160
    http://security-tracker.debian.org/tracker/CVE-2011-2160


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk3hvCAACgkQ62zWxYk/rQd1aACfZBs5SZcStYwaRi/5LB5zttpL
VPEAn2gZK2qTTba9yMf2XwQKsBrqKGMr
=2kvn
-----END PGP SIGNATURE-----

--- End Message ---

--- Begin Message ---

Source: libav
Source-Version: 4:0.7-1

We believe that the bug you reported is fixed in the latest version of
libav, which is due to be installed in the Debian FTP archive:

ffmpeg-dbg_0.7-1_amd64.deb
  to main/liba/libav/ffmpeg-dbg_0.7-1_amd64.deb
ffmpeg-doc_0.7-1_all.deb
  to main/liba/libav/ffmpeg-doc_0.7-1_all.deb
ffmpeg_0.7-1_amd64.deb
  to main/liba/libav/ffmpeg_0.7-1_amd64.deb
libav-dbg_0.7-1_amd64.deb
  to main/liba/libav/libav-dbg_0.7-1_amd64.deb
libav-doc_0.7-1_all.deb
  to main/liba/libav/libav-doc_0.7-1_all.deb
libav-source_0.7-1_all.deb
  to main/liba/libav/libav-source_0.7-1_all.deb
libav_0.7-1.debian.tar.gz
  to main/liba/libav/libav_0.7-1.debian.tar.gz
libav_0.7-1.dsc
  to main/liba/libav/libav_0.7-1.dsc
libav_0.7.orig.tar.gz
  to main/liba/libav/libav_0.7.orig.tar.gz
libavcodec-dev_0.7-1_amd64.deb
  to main/liba/libav/libavcodec-dev_0.7-1_amd64.deb
libavcodec53_0.7-1_amd64.deb
  to main/liba/libav/libavcodec53_0.7-1_amd64.deb
libavdevice-dev_0.7-1_amd64.deb
  to main/liba/libav/libavdevice-dev_0.7-1_amd64.deb
libavdevice53_0.7-1_amd64.deb
  to main/liba/libav/libavdevice53_0.7-1_amd64.deb
libavfilter-dev_0.7-1_amd64.deb
  to main/liba/libav/libavfilter-dev_0.7-1_amd64.deb
libavfilter2_0.7-1_amd64.deb
  to main/liba/libav/libavfilter2_0.7-1_amd64.deb
libavformat-dev_0.7-1_amd64.deb
  to main/liba/libav/libavformat-dev_0.7-1_amd64.deb
libavformat53_0.7-1_amd64.deb
  to main/liba/libav/libavformat53_0.7-1_amd64.deb
libavutil-dev_0.7-1_amd64.deb
  to main/liba/libav/libavutil-dev_0.7-1_amd64.deb
libavutil51_0.7-1_amd64.deb
  to main/liba/libav/libavutil51_0.7-1_amd64.deb
libpostproc-dev_0.7-1_amd64.deb
  to main/liba/libav/libpostproc-dev_0.7-1_amd64.deb
libpostproc52_0.7-1_amd64.deb
  to main/liba/libav/libpostproc52_0.7-1_amd64.deb
libswscale-dev_0.7-1_amd64.deb
  to main/liba/libav/libswscale-dev_0.7-1_amd64.deb
libswscale2_0.7-1_amd64.deb
  to main/liba/libav/libswscale2_0.7-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 628...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siret...@tauware.de> (supplier of updated libav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 21 Jun 2011 07:49:59 +0200
Source: libav
Binary: ffmpeg ffmpeg-dbg libav-dbg libav-source ffmpeg-doc libav-doc 
libavutil51 libavcodec53 libavdevice53 libavformat53 libavfilter2 libpostproc52 
libswscale2 libavutil-dev libavcodec-dev libavdevice-dev libavformat-dev 
libavfilter-dev libpostproc-dev libswscale-dev
Architecture: source amd64 all
Version: 4:0.7-1
Distribution: experimental
Urgency: low
Maintainer: siretart <siret...@tauware.de>
Changed-By: Reinhard Tartler <siret...@tauware.de>
Description: 
 ffmpeg     - Multimedia player, server, encoder and transcoder
 ffmpeg-dbg - Debug symbols for Libav related packages
 ffmpeg-doc - Documentation of the Libav API (transitional package)
 libav-dbg  - Debug symbols for Libav related packages
 libav-doc  - Documentation of the Libav API
 libav-source - Patched Libav sources
 libavcodec-dev - Development files for libavcodec
 libavcodec53 - Libav codec library
 libavdevice-dev - Development files for libavdevice
 libavdevice53 - Libav device handling library
 libavfilter-dev - Development files for libavfilter
 libavfilter2 - Libav video filtering library
 libavformat-dev - Development files for libavformat
 libavformat53 - Libav file format library
 libavutil-dev - Development files for libavutil
 libavutil51 - Libav utility library
 libpostproc-dev - Development files for libpostproc
 libpostproc52 - Libav video postprocessing library
 libswscale-dev - Development files for libswscale
 libswscale2 - Libav video scaling library
Closes: 594108 627818 628448
Changes: 
 libav (4:0.7-1) experimental; urgency=low
 .
   * New upstream release.
   * Fixes several potential security issues, Closes: #628448
   * Much imporved libavfilter, Closes: #594108
   * Fixes some overlapping memcpys my using memmove instead, Closes: #627818
   * Bump libswscale SONAME
   * Bump shlibs
   * Bump Standards version to 3.9.2
Checksums-Sha1: 
 ba72d7b289858ed357acebf4f83df979fb34c17a 2371 libav_0.7-1.dsc
 ec4e3714a4f59aa3a25e75f5d7b4a64d7e46f03d 4918413 libav_0.7.orig.tar.gz
 2f335b6d38c049146cdbd06594688bfa53d38c6d 34651 libav_0.7-1.debian.tar.gz
 7d2dcf9d21bfd50f8c260bd438b978da80680d0d 445276 ffmpeg_0.7-1_amd64.deb
 1569d2d87b90b9f2ca275a3241d6d1825e3540d5 36966 ffmpeg-dbg_0.7-1_amd64.deb
 670834ab1fae1d21fcce2f04378980c2820ac6dd 9418840 libav-dbg_0.7-1_amd64.deb
 f9d2434ca5a39484c52eabee523c2cd67ba78f6c 25471736 libav-source_0.7-1_all.deb
 edb8bf74495647cb284093dfc0908591ab62f847 36932 ffmpeg-doc_0.7-1_all.deb
 5895f3f0ddb98a19df62d59d83bbaf5629d687de 20095888 libav-doc_0.7-1_all.deb
 5cf1775e4bcd1ab226c67598508bf81788a2bd4a 90518 libavutil51_0.7-1_amd64.deb
 9162f29bf47c4a0d1925eafb1310902e55da000a 2697134 libavcodec53_0.7-1_amd64.deb
 73d261b60cbcaf931eb44ded015e9a28fe7cdb57 59604 libavdevice53_0.7-1_amd64.deb
 59b9db609b5282e25b6b0c7de76cd2d98a822f87 490072 libavformat53_0.7-1_amd64.deb
 4b8e3fb0626a9f1f7c09c8c6eeb00d503a925878 92428 libavfilter2_0.7-1_amd64.deb
 ab3b358f0519a8805f81b8dcf609f7eddd9c276a 97524 libpostproc52_0.7-1_amd64.deb
 589a62db5a7d306bdfbba748ba8dab37527eadc4 118676 libswscale2_0.7-1_amd64.deb
 c5117e80b9e328108b5a9a106e95341ca2a31285 134334 libavutil-dev_0.7-1_amd64.deb
 eaae2d089abf82ec6964c1f405740803c3bf746a 3135542 libavcodec-dev_0.7-1_amd64.deb
 922cb6d355d3321361e813f881143ea6d3930e65 61462 libavdevice-dev_0.7-1_amd64.deb
 c66564d940bdc8f0d0ad3db4793c552a0298d3f9 649844 libavformat-dev_0.7-1_amd64.deb
 d6344891d9cf433489b63dc5f38dd28be6b081da 118404 libavfilter-dev_0.7-1_amd64.deb
 63bc67e0115cfb4a82681e9c6afe92538c030da4 98028 libpostproc-dev_0.7-1_amd64.deb
 1a710265a4733f7142d8052083f02e2c6bd666ed 136320 libswscale-dev_0.7-1_amd64.deb
Checksums-Sha256: 
 65bf77b09c6b47458e6d9a8f971f12fce962a504c36fb275c04fefbb135c7468 2371 
libav_0.7-1.dsc
 6c6896dd0da3bc4a955824f5d798f97251280608d68c8c480fe5cf8edd54a28f 4918413 
libav_0.7.orig.tar.gz
 e7e5aff090ec5ca14238b2d389129aa89d5ee9b0b4769711039a87ee885bd1a4 34651 
libav_0.7-1.debian.tar.gz
 51d337ebe0073e56fc1438525f594fb22f82fad08319f1110dab7d7b18b35ebd 445276 
ffmpeg_0.7-1_amd64.deb
 7d4171d18fd8dc664006ece136abf0f5bbd67b4369a2145247537b7fab5d51c2 36966 
ffmpeg-dbg_0.7-1_amd64.deb
 91821b2a52d37af0e1775299f32546ccb20b86f3467b5e2abd6fa70218a4183d 9418840 
libav-dbg_0.7-1_amd64.deb
 98474412cdc38556548a6cc48ffadc2338a340675d4697a2ff2b810dcd9dd500 25471736 
libav-source_0.7-1_all.deb
 5db82327fa391ad0abde689be3327b76405aa44a14a940f1ca08dc0dbb70f819 36932 
ffmpeg-doc_0.7-1_all.deb
 638b9033a367b451b22018c76bee3c3ab7d9f844cd869df02c745160cfcb4119 20095888 
libav-doc_0.7-1_all.deb
 b7ee96fbfc615f3d4b988c33790b2ea77827a670c172d7839492385223184548 90518 
libavutil51_0.7-1_amd64.deb
 e523bdce9ebda56efb0e9f83b65e5349e73517195ff0183ba260950823ce3f87 2697134 
libavcodec53_0.7-1_amd64.deb
 a2076feecd76c30dfbbc9c4743db7816329b0fab26cd1c6b2b0f27d90a46fc81 59604 
libavdevice53_0.7-1_amd64.deb
 c934256369a2320d791fbc32e9767f9d4a8216b5d0676f07caaebd2d9d82d523 490072 
libavformat53_0.7-1_amd64.deb
 b967a4cf9b7c908eb716e9de6fe351717b1b880d9466ed250f2b714e45ccec0e 92428 
libavfilter2_0.7-1_amd64.deb
 6cfba7f189628daf7172363d588c979227065b3e8c97a4fd03a880482b7264a1 97524 
libpostproc52_0.7-1_amd64.deb
 255d0757c6cac17e29bda58733a00468204698a8ae12b95a6e7af19d8dcb66e6 118676 
libswscale2_0.7-1_amd64.deb
 e4fba42e621adc6fbe718c322aee8a1a6b48711c59b0140a56b5c46f7033d87f 134334 
libavutil-dev_0.7-1_amd64.deb
 3f832f381497db812f360909ed5990110facaf3e5d1ac20dd7d6b931f53ea77a 3135542 
libavcodec-dev_0.7-1_amd64.deb
 ce9e996b5088797e0d90b8366a77b9aa44283df2852f95ed79bb7ae3ca865d0e 61462 
libavdevice-dev_0.7-1_amd64.deb
 43fc8a3b5113f3073a4480d2c110c081134da672f5bcefbaafb206d1814a6640 649844 
libavformat-dev_0.7-1_amd64.deb
 17107d1c0eba384c81f78fa7589bd36514adedae71abbe49a9a7b3279004aed0 118404 
libavfilter-dev_0.7-1_amd64.deb
 330d3b71dbc0894dad7c3cd0dc34ee4efb2cd9016bb40ae18d106bba90e0acae 98028 
libpostproc-dev_0.7-1_amd64.deb
 ad1a1d0d0382c28f39b0770321bbf1c23872bf61c3f15b20a1a5f9e02de52d28 136320 
libswscale-dev_0.7-1_amd64.deb
Files: 
 1efd164a2c42d5326dbd8400aaae6332 2371 libs optional libav_0.7-1.dsc
 ac31895757745bbd23f5eb386e9a46ca 4918413 libs optional libav_0.7.orig.tar.gz
 ad8f67aa208fb4fb818d6a8c4f6afbc6 34651 libs optional libav_0.7-1.debian.tar.gz
 2aee264f2f238e8093c9b00f9087978c 445276 video optional ffmpeg_0.7-1_amd64.deb
 dbd903bf2a4659b5fb7f1839cb2fe76d 36966 debug extra ffmpeg-dbg_0.7-1_amd64.deb
 ab58333de1bd144dbc394ddd881914f2 9418840 debug extra libav-dbg_0.7-1_amd64.deb
 b9c5296116c934b2df4b614e8c5c708c 25471736 devel optional 
libav-source_0.7-1_all.deb
 3b5d80e6664a3da9b6cf5319ee173e4c 36932 doc optional ffmpeg-doc_0.7-1_all.deb
 453747a5212dff1201963620c2c25c10 20095888 doc optional libav-doc_0.7-1_all.deb
 990559b904655d8204bc0babcc38b4d4 90518 libs optional 
libavutil51_0.7-1_amd64.deb
 4dc7cde531d9d5926cf0e3d14c7d1c70 2697134 libs optional 
libavcodec53_0.7-1_amd64.deb
 8b7bd9549d57b113b98b97c4c1844d0d 59604 libs optional 
libavdevice53_0.7-1_amd64.deb
 1c78d9a7cccf68d039b52c234ac55720 490072 libs optional 
libavformat53_0.7-1_amd64.deb
 d01605385b8980a8da73ba4c0be6cfe6 92428 libs optional 
libavfilter2_0.7-1_amd64.deb
 1522967e3a25ae40fff7520977b0fe52 97524 libs optional 
libpostproc52_0.7-1_amd64.deb
 a7c93ce57f7ad8d1884ac5589023edb9 118676 libs optional 
libswscale2_0.7-1_amd64.deb
 805cfcdf61e7dd883df01d41282a50ae 134334 libdevel optional 
libavutil-dev_0.7-1_amd64.deb
 bb9081b1ad805b3eb7af5831bbe0ed46 3135542 libdevel optional 
libavcodec-dev_0.7-1_amd64.deb
 cf30a2ffb3ae7915526bb02939cb5797 61462 libdevel optional 
libavdevice-dev_0.7-1_amd64.deb
 a6fd1a3ad34e59818cd93c07eadb89f4 649844 libdevel optional 
libavformat-dev_0.7-1_amd64.deb
 5e3cbddc6dd66f174c14606d51167d04 118404 libdevel optional 
libavfilter-dev_0.7-1_amd64.deb
 11bb5ae4c1310ad342a32499a95fd998 98028 libdevel optional 
libpostproc-dev_0.7-1_amd64.deb
 be1be94a7a69a2731ea7e1330d0c52aa 136320 libdevel optional 
libswscale-dev_0.7-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Debian Powered!

iEYEARECAAYFAk4Af/oACgkQmAg1RJRTSKQ9hACeLwEVbF7t/+3Bg1SRE1JTcajY
+c4An0fARA0TPWBr5pvDp1s/WkHdabDB
=hYV8
-----END PGP SIGNATURE-----

--- End Message ---