Ubuntu
ffmpeg package

security backports

Bug #537297 reported by Reinhard Tartler
264
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ffmpeg (Debian)
Fix Released
Unknown
ffmpeg (Ubuntu)
Fix Released
Medium
Unassigned
Intrepid
Invalid
Undecided
Unassigned
Jaunty
Won't Fix
Undecided
Unassigned
Karmic
Won't Fix
Undecided
Unassigned
Lucid
Fix Released
Medium
Unassigned

Bug Description

Binary package hint: ffmpeg

various versions of the ffmepg package contain security issues that have fixes in the upstream 0.5 release branch

lucid ships 0.5.1 which has all known patches included.

karmic and jaunty ship the 0.5 release. For these packages, this can be solved either by updating to 0.5.1 by or applying the patches from svn://ffmpeg.org/ffmpeg/branches/0.5

intrepid ships an pre 0.5 version of ffmpeg. For this, I've backported some of those patches, which eventually ended up as DSA-2000: http://www.debian.org/security/2010/dsa-2000

See original description
Revision history for this message
Reinhard Tartler (siretart) wrote :

debian mentions these CVE references: CVE-2009-4631, CVE-2009-4632, CVE-2009-4633, CVE-2009-4634, CVE-2009-4635, CVE-2009-4636, CVE-2009-4637, CVE-2009-4638, CVE-2009-4640

description: updated
Revision history for this message
Reinhard Tartler (siretart) wrote :

the most annoying part of this work was to identify which of the issues are exploitable crashers and which were just DoS issues. I've done my best to identify the security relevant crashers. Please notify me if I missed some crash that is fixed in trunk

Marc Deslauriers (mdeslaur)
visibility: private → public
Changed in ffmpeg (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Reinhard Tartler (siretart)
Changed in ffmpeg (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in ffmpeg (Ubuntu Karmic):
status: New → Confirmed
Changed in ffmpeg (Ubuntu Jaunty):
status: New → Confirmed
Changed in ffmpeg (Ubuntu Intrepid):
status: New → Confirmed
Bug Watch Updater (bug-watch-updater)
Changed in ffmpeg (Debian):
status: Unknown → Fix Released
Revision history for this message
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in ffmpeg (Ubuntu Intrepid):
status: Confirmed → Invalid
Revision history for this message
Alex Valavanis (valavanisalex) wrote :

Jaunty reached end-of-life on 23 October 2010. The bug is marked as fixed in later versions of Ubuntu

Changed in ffmpeg (Ubuntu Jaunty):
status: Confirmed → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against karmic is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in ffmpeg (Ubuntu Karmic):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.