Your message dated Sun, 24 Mar 2013 18:03:12 +0000
with message-id <e1ujpgc-0007jk...@franck.debian.org>
and subject line Bug#703200: fixed in libav 6:9.4-1
has caused the Debian Bug report #703200,
regarding libav: CVE-2013-0894 CVE-2013-2277 CVE-2013-2495 CVE-2013-2496
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
703200: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703200
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: src:libav
severity: grave
version: 6:0.8.5-1
Hi, the following vulnerabilities were published for libav. These are
currently unfixed in 0.8.5-1.
CVE-2013-0894[0]:
| Buffer overflow in the vorbis_parse_setup_hdr_floors function in the
| Vorbis decoder in vorbisdec.c in libavcodec in FFmpeg through 1.1.3,
| as used in Google Chrome before 25.0.1364.97 on Windows and Linux and
| before 25.0.1364.99 on Mac OS X and other products, allows remote
| attackers to cause a denial of service (divide-by-zero error or
| out-of-bounds array access) or possibly have unspecified other impact
| via vectors involving a zero value for a bark map size.
CVE-2013-2277[1]:
| The ff_h264_decode_seq_parameter_set function in h264_ps.c in
| libavcodec in FFmpeg before 1.1.3 does not validate the relationship
| between luma depth and chroma depth, which allows remote attackers to
| cause a denial of service (out-of-bounds array access and application
| crash) or possibly have unspecified other impact via crafted H.264
| data.
CVE-2013-2495[2]:
| The iff_read_header function in iff.c in libavformat in FFmpeg through
| 1.1.3 does not properly handle data sizes for Interchange File Format
| (IFF) data during operations involving a CMAP chunk or a video codec,
| which allows remote attackers to cause a denial of service (integer
| overflow, out-of-bounds array access, and application crash) or
| possibly have unspecified other impact via a crafted header.
CVE-2013-2496[3]:
| The msrle_decode_8_16_24_32 function in msrledec.c in libavcodec in
| FFmpeg through 1.1.3 does not properly determine certain end pointers,
| which allows remote attackers to cause a denial of service
| (out-of-bounds array access and application crash) or possibly have
| unspecified other impact via crafted Microsoft RLE data.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0894
http://security-tracker.debian.org/tracker/CVE-2013-0894
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2277
http://security-tracker.debian.org/tracker/CVE-2013-2277
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2495
http://security-tracker.debian.org/tracker/CVE-2013-2495
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2496
http://security-tracker.debian.org/tracker/CVE-2013-2496
--- End Message ---
--- Begin Message ---
Source: libav
Source-Version: 6:9.4-1
We believe that the bug you reported is fixed in the latest version of
libav, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 703...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siret...@tauware.de> (supplier of updated libav package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 24 Mar 2013 07:30:01 +0100
Source: libav
Binary: libav-tools libav-dbg libav-doc libavutil52 libavcodec54 libavdevice53
libavformat54 libavfilter3 libswscale2 libavutil-dev libavcodec-dev
libavdevice-dev libavformat-dev libavfilter-dev libswscale-dev
libavresample-dev libavresample1 libavutil-extra-52 libavcodec-extra-54
libavdevice-extra-53 libavfilter-extra-3 libavformat-extra-54 libswscale-extra-2
Architecture: source i386 all
Version: 6:9.4-1
Distribution: experimental
Urgency: low
Maintainer: Reinhard Tartler <siret...@debian.org>
Changed-By: Reinhard Tartler <siret...@tauware.de>
Description:
libav-dbg - Debug symbols for Libav related packages
libav-doc - Documentation of the Libav API
libav-tools - Multimedia player, server, encoder and transcoder
libavcodec-dev - Development files for libavcodec
libavcodec-extra-54 - Libav codec library (additional codecs)
libavcodec54 - Libav codec library
libavdevice-dev - Development files for libavdevice
libavdevice-extra-53 - Libav device handling library (transitional package)
libavdevice53 - Libav device handling library
libavfilter-dev - Development files for libavfilter
libavfilter-extra-3 - Libav filter library (transitional package)
libavfilter3 - Libav video filtering library
libavformat-dev - Development files for libavformat
libavformat-extra-54 - Libav file format library (transitional package)
libavformat54 - Libav file format library
libavresample-dev - Development files for libavresample
libavresample1 - Libav audio resampling library
libavutil-dev - Development files for libavutil
libavutil-extra-52 - Libav utility library (transitional package)
libavutil52 - Libav utility library
libswscale-dev - Development files for libswscale
libswscale-extra-2 - Libav video software scaling library (transitional package)
libswscale2 - Libav video scaling library
Closes: 703200
Changes:
libav (6:9.4-1) experimental; urgency=low
.
* Imported Upstream version 9.4
- h264: check for luma and chroma bit depth being equal (CVE-2013-2277)
- iff: validate CMAP palette size (CVE-2013-2495)
- Thus, closes: #703200
* debian/watch: download xz files and tighten checks
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Debian Powered!
iEYEARECAAYFAlFPOgIACgkQmAg1RJRTSKRRbQCggxmYJuYqs3ZlwHN0u2vJqw7j
z3cAnRBM/MJcr2nRHb8FFvWmqU4FhMIy
=fDsJ
-----END PGP SIGNATURE-----
--- End Message ---