Your message dated Thu, 12 Jan 2012 20:47:41 +0000
with message-id <e1rlryj-0005q5...@franck.debian.org>
and subject line Bug#654573: fixed in libav 4:0.8~beta2-1
has caused the Debian Bug report #654573,
regarding CVE-2011-3895: heap-based buffer overflow in vorbis decoder
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
654573: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654573
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libav
Version: 4:0.7.3-2
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for libav.
CVE-2011-3892[0]:
| Double free vulnerability in the Theora decoder in Google Chrome
| before 15.0.874.120 allows remote attackers to cause a denial of
| service or possibly have unspecified other impact via a crafted
| stream.
CVE-2011-3893[1]:
| Google Chrome before 15.0.874.120 does not properly implement the MKV
| and Vorbis media handlers, which allows remote attackers to cause a
| denial of service (out-of-bounds read) via unspecified vectors.
CVE-2011-3895[2]:
| Heap-based buffer overflow in the Vorbis decoder in Google Chrome
| before 15.0.874.120 allows remote attackers to cause a denial of
| service or possibly have unspecified other impact via a crafted
| stream.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
These issues also very likely affect ffmpeg in squeeze and before,
but I haven't checked that.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3892
http://security-tracker.debian.org/tracker/CVE-2011-3892
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3893
http://security-tracker.debian.org/tracker/CVE-2011-3893
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3895
http://security-tracker.debian.org/tracker/CVE-2011-3895
--- End Message ---
--- Begin Message ---
Source: libav
Source-Version: 4:0.8~beta2-1
We believe that the bug you reported is fixed in the latest version of
libav, which is due to be installed in the Debian FTP archive:
ffmpeg-dbg_0.8~beta2-1_amd64.deb
to main/liba/libav/ffmpeg-dbg_0.8~beta2-1_amd64.deb
ffmpeg-doc_0.8~beta2-1_all.deb
to main/liba/libav/ffmpeg-doc_0.8~beta2-1_all.deb
ffmpeg_0.8~beta2-1_all.deb
to main/liba/libav/ffmpeg_0.8~beta2-1_all.deb
libav-dbg_0.8~beta2-1_amd64.deb
to main/liba/libav/libav-dbg_0.8~beta2-1_amd64.deb
libav-doc_0.8~beta2-1_all.deb
to main/liba/libav/libav-doc_0.8~beta2-1_all.deb
libav-source_0.8~beta2-1_all.deb
to main/liba/libav/libav-source_0.8~beta2-1_all.deb
libav-tools_0.8~beta2-1_amd64.deb
to main/liba/libav/libav-tools_0.8~beta2-1_amd64.deb
libav_0.8~beta2-1.debian.tar.gz
to main/liba/libav/libav_0.8~beta2-1.debian.tar.gz
libav_0.8~beta2-1.dsc
to main/liba/libav/libav_0.8~beta2-1.dsc
libav_0.8~beta2.orig.tar.gz
to main/liba/libav/libav_0.8~beta2.orig.tar.gz
libavcodec-dev_0.8~beta2-1_amd64.deb
to main/liba/libav/libavcodec-dev_0.8~beta2-1_amd64.deb
libavcodec53_0.8~beta2-1_amd64.deb
to main/liba/libav/libavcodec53_0.8~beta2-1_amd64.deb
libavdevice-dev_0.8~beta2-1_amd64.deb
to main/liba/libav/libavdevice-dev_0.8~beta2-1_amd64.deb
libavdevice53_0.8~beta2-1_amd64.deb
to main/liba/libav/libavdevice53_0.8~beta2-1_amd64.deb
libavfilter-dev_0.8~beta2-1_amd64.deb
to main/liba/libav/libavfilter-dev_0.8~beta2-1_amd64.deb
libavfilter2_0.8~beta2-1_amd64.deb
to main/liba/libav/libavfilter2_0.8~beta2-1_amd64.deb
libavformat-dev_0.8~beta2-1_amd64.deb
to main/liba/libav/libavformat-dev_0.8~beta2-1_amd64.deb
libavformat53_0.8~beta2-1_amd64.deb
to main/liba/libav/libavformat53_0.8~beta2-1_amd64.deb
libavutil-dev_0.8~beta2-1_amd64.deb
to main/liba/libav/libavutil-dev_0.8~beta2-1_amd64.deb
libavutil51_0.8~beta2-1_amd64.deb
to main/liba/libav/libavutil51_0.8~beta2-1_amd64.deb
libpostproc-dev_0.8~beta2-1_amd64.deb
to main/liba/libav/libpostproc-dev_0.8~beta2-1_amd64.deb
libpostproc52_0.8~beta2-1_amd64.deb
to main/liba/libav/libpostproc52_0.8~beta2-1_amd64.deb
libswscale-dev_0.8~beta2-1_amd64.deb
to main/liba/libav/libswscale-dev_0.8~beta2-1_amd64.deb
libswscale2_0.8~beta2-1_amd64.deb
to main/liba/libav/libswscale2_0.8~beta2-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 654...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siret...@tauware.de> (supplier of updated libav package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 11 Jan 2012 16:45:28 +0100
Source: libav
Binary: libav-tools ffmpeg ffmpeg-dbg libav-dbg libav-source ffmpeg-doc
libav-doc libavutil51 libavcodec53 libavdevice53 libavformat53 libavfilter2
libpostproc52 libswscale2 libavutil-dev libavcodec-dev libavdevice-dev
libavformat-dev libavfilter-dev libpostproc-dev libswscale-dev
Architecture: source amd64 all
Version: 4:0.8~beta2-1
Distribution: unstable
Urgency: low
Maintainer: Reinhard Tartler <siret...@debian.org>
Changed-By: Reinhard Tartler <siret...@tauware.de>
Description:
ffmpeg - Multimedia player, server, encoder and transcoder (transitional p
ffmpeg-dbg - Debug symbols for Libav related packages
ffmpeg-doc - Documentation of the Libav API (transitional package)
libav-dbg - Debug symbols for Libav related packages
libav-doc - Documentation of the Libav API
libav-source - Patched Libav sources
libav-tools - Multimedia player, server, encoder and transcoder
libavcodec-dev - Development files for libavcodec
libavcodec53 - Libav codec library
libavdevice-dev - Development files for libavdevice
libavdevice53 - Libav device handling library
libavfilter-dev - Development files for libavfilter
libavfilter2 - Libav video filtering library
libavformat-dev - Development files for libavformat
libavformat53 - Libav file format library
libavutil-dev - Development files for libavutil
libavutil51 - Libav utility library
libpostproc-dev - Development files for libpostproc
libpostproc52 - Libav video postprocessing library
libswscale-dev - Development files for libswscale
libswscale2 - Libav video scaling library
Closes: 619530 647824 654303 654534 654571 654572 654573 654984
Changes:
libav (4:0.8~beta2-1) unstable; urgency=low
.
* New Upstream version 0.8~beta2:
- Confirm that this release does not inhibit the following security issues:
- DoS in MKV demuxer,
- CVE-2011-3893, Closes: #654572
- Double free vuln in the Theora decoder,
- CVE-2011-3892, Closes: #654571
- heap-based buffer overflow in vorbis decoder:
- CVE-2011-3895, Closes: #654573
- Closes: #654534
- Bug fix: "libswscale crashes when upscaling pictures using
hyscale_fast2, MMX variant on amd64 with gcc-4.6 and later",
thanks to Harald Dunkel (Closes: #647824).
- Clarify that libavutil/avutil.h doesn't include mathematics.h any more in
APIchanges documentation. Thanks: Jonathan Nieder <jrnie...@gmail.com>,
Closes: #654303
* Disable configuration mismatch warnings (Closes: #619530)
* Rename package libav to libav-tools (Closes: #654984)
* Refresh patches
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Debian Powered!
iEYEARECAAYFAk8NtGAACgkQmAg1RJRTSKQ60gCeJMyBe4n7kRMgGn4kba46Ckme
qAIAn30A0GCAOK9X3klolYjAeD5tnTR0
=APQR
-----END PGP SIGNATURE-----
--- End Message ---