Libav security fixes Aug 2014

Bug #1354755 reported by Reinhard Tartler
This bug affects 2 people
Affects                 Status         Importance   Assigned to        Milestone
libav (Ubuntu)          Fix Released   Undecided    Unassigned
  Precise               Fix Released   High         Marc Deslauriers
  Trusty                Fix Released   High         Marc Deslauriers
libav-extra (Ubuntu)    Invalid        Undecided    Unassigned
  Precise               Fix Released   High         Marc Deslauriers
  Trusty                Invalid        Undecided    Unassigned

Bug Description

Trusty should get version 9.16:

version 9.16:
- vp3: Copy all 3 frames for thread updates (CVE-2011-3934)
- mpegts: Do not try to write a PMT larger than SECTION_SIZE (CVE-2014-2263)
- mpegts: Define the section length with a constant
- error_concealment: avoid using the picture if not fully setup (CVE-2013-0860)
- svq1: do not modify the input packet
- cdgraphics: do not return 0 from the decode function
- cdgraphics: switch to bytestream2 (CVE-2013-3674)
- huffyuvdec: check width size for yuv422p (CVE-2013-0848)
- mmvideo: check horizontal coordinate too (CVE-2013-3672)
- wmalosslessdec: fix mclms_coeffs* array size (CVE-2014-2098)
- lavc: Check the image size before calling get_buffer (CVE-2011-3935)
- huffyuv: Check and propagate function return values (CVE-2013-0868)
- h264: prevent theoretical infinite loop in SEI parsing (CVE-2011-3946)
- h264_sei: check SEI size
- pgssubdec: Check RLE size before copying (CVE-2013-0852)
- fate: Add dependencies for dct/fft/mdct/rdft tests
- video4linux2: Avoid a floating point exception
- vf_select: Drop a debug av_log with an unchecked double to enum conversion
- eamad: use the bytestream2 API instead of AV_RL (CVE-2013-0851)

Reinhard Tartler (siretart) wrote :

A fixed package should appear in ppa:siretart shortly.

Reinhard Tartler (siretart) wrote :
Changed in libav (Ubuntu Trusty):
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote :

Thanks for the Trusty package, looks good, ACK. Uploading for building now and will release tomorrow.

Thanks!

Changed in libav (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in libav (Ubuntu Trusty):
status: New → In Progress
Changed in libav (Ubuntu Precise):
importance: Undecided → High
Changed in libav (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 4:0.8.15-0ubuntu0.12.04.1

---------------
libav (4:0.8.15-0ubuntu0.12.04.1) precise-security; urgency=medium

  * Update to 0.8.15 to fix multiple security issues (LP: #1354755)
  * debian/patches/fix_ftbfs_ff_get_buffer.patch: Add more missing
    #includes for ff_get_buffer() to fix ftbfs.
 -- Marc Deslauriers <email address hidden> Sun, 10 Aug 2014 09:59:10 -0400

Changed in libav (Ubuntu Precise):
status: In Progress → Fix Released
Antec (info-janmob) wrote :

Problems with Libav dependencies for Ubuntu Precise; the files in question are 5 packages:
(libavcodec53, 4:0.8.15-0ubuntu0.12.04.1),
(libavdevice53, 4:0.8.15-0ubuntu0.12.04.1),
(libavformat53, 4:0.8.15-0ubuntu0.12.04.1),
(libpostproc52, 4:0.8.15-0ubuntu0.12.04.1),
(libswscale2, 4:0.8.15-0ubuntu0.12.04.1)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libav (Ubuntu):
status: New → Confirmed
Reinhard Tartler (siretart) wrote :

At least for Precise, libav-extra also needs to be updated to 0.8.15.

Changed in libav-extra (Ubuntu Trusty):
status: New → Invalid
Changed in libav-extra (Ubuntu Precise):
importance: Undecided → High
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Ah, yes, I seem to have forgotten to update libav-extra once again. I'll push out an update in a few minutes.

Changed in libav-extra (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libav (Ubuntu Trusty):
status: In Progress → Fix Released
Changed in libav (Ubuntu):
status: Confirmed → Fix Released
Changed in libav-extra (Ubuntu):
status: New → Invalid
Marc Deslauriers (mdeslaur) wrote :

OK, updated libav-extra has been published.

Changed in libav-extra (Ubuntu Precise):
status: Confirmed → Fix Released