February 2014 libav security tracking bug

Reported by Marc Deslauriers on 2014-02-06
This bug affects 1 person
Affects: libav (Ubuntu), status tracked in Trusty
- Precise: importance Undecided, assigned to Marc Deslauriers
- Quantal: importance Undecided, assigned to Marc Deslauriers
- Saucy: importance Undecided, assigned to Marc Deslauriers
- Trusty: importance High, assigned to David

Bug Description

This is a bug to track the February 2014 libav security updates:

version 0.8.10:

- oggparseogm: check timing variables
- mathematics: remove asserts from av_rescale_rnd()
- vc1: Always reset numref when parsing a new frame header.
- h264: reset num_reorder_frames if it is invalid
- h264: check that an IDR NAL only contains I slices
- mov: Free an earlier allocated array if allocating a new one
- segafilm: fix leaks if reading the header fails
- h264_cavlc: check the size of the intra PCM data.
- cavs: Check for negative cbp
- avi: DV in AVI must be considered single stream
- avutil: use align == 0 for default alignment in audio sample buffer functions
- flashsv: Check diff_start diff_height values
- dsputil/pngdsp: fix signed/unsigned type in end comparison
- vqavideo: check chunk sizes before reading chunks
- avi: directly resync on DV in AVI read failure
- get_bits: change the failure condition in init_get_bits
- twinvq: Cope with gcc-4.8.2 miscompilation
- pthread: Avoid spurious wakeups
- pthread: Fix deadlock during thread initialization
- mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0
- vc1dec: Don't decode slices when the latest slice header failed to decode
- vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
- r3d: Add more input value validation
- fraps: Make the input buffer size checks more strict
- svq3: Avoid a division by zero
- rmdec: Validate the fps value
- twinvqdec: Check the ibps parameter separately
- asfdec: Check the return value of asf_read_stream_properties
- mxfdec: set audio timebase to 1/samplerate
- pcx: Check the packet size before assuming it fits a palette
- rpza: Fix a buffer size check
- xxan: Disallow odd width
- xan: Only read within the data that actually was initialized
- xan: Use bytestream2 to limit reading to within the buffer
- pcx: Consume the whole packet if giving up due to missing palette
- pngdec: Stop trying to decode once inflate returns Z_STREAM_END
- mov: Make sure the read sample count is nonnegative
- bfi: Add some very basic sanity checks for input packet sizes
- bfi: Avoid divisions by zero
- electronicarts: Add more sanity checking for the number of channels
- riffdec: Add sanity checks for the sample rate
- mvi: Add sanity checking for the audio frame size
- xwma: Avoid division by zero
- avidec: Make sure a packet is large enough before reading its data
- vqf: Make sure the bitrate is in the valid range
- vqf: Make sure sample_rate is set to a valid value
- vc1dec: Undo mpegvideo initialization if unable to allocate tables
- vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
- wnv1: Make sure the input packet is large enough
- dca: Validate the lfe parameter
- rl2: Avoid a division by zero
- wtv: Add more sanity checks for a length read from the file
- segafilm: Validate the number of audio channels
- qpeg: Add checks for running out of rows in qpeg_decode_inter
- mpegaudiodec: Validate that the number of channels fits at the given offset
- asv1: Verify the amount of extradata
- idroqdec: Make sure a video stream has been allocated before returning packets
- rv10: Validate the dimensions set from the container
- xmv: Add more sanity checks for parameters read from the bitstream
- ffv1: Make sure at least one slice context is initialized
- truemotion2: Use av_freep properly in an error path
- eacmv: Make sure a reference frame exists before referencing it
- mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
- ivi_common: Make sure color planes have been initialized
- oggparseogm: Convert to use bytestream2
- rv34: Check the return value from ff_rv34_decode_init
- matroskadec: Verify realaudio codec parameters
- mace: Make sure that the channel count is set to a valid value
- svq3: Check for any negative return value from ff_h264_check_intra_pred_mode
- vp3: Check the framerate for validity
- cavsdec: Make sure a sequence header has been decoded before decoding pictures
- sierravmd: Do sanity checking of frame sizes
- omadec: Properly check lengths before incrementing the position
- mpc8: Make sure the first stream exists before parsing the seek table
- mpc8: Check the seek table size parsed from the bitstream
- zmbvdec: Check the buffer size for uncompressed data
- ape: Don't allow the seektable to be omitted
- shorten: Break out of loop looking for fmt chunk if none is found
- shorten: Use a checked bytestream reader for the wave header
- smacker: Make sure we don't fill in huffman codes out of range
- smacker: Avoid integer overflow when allocating packets
- smacker: Don't return packets in unallocated streams
- dsicin: Add some basic sanity checks for fields read from the file
- roqvideodec: check dimensions validity
- qdm2: check array index before use, fix out of array accesses
- alsdec: check block length

Changed in libav (Ubuntu Precise):
status: New → Confirmed
Changed in libav (Ubuntu Quantal):
status: New → Confirmed
Changed in libav (Ubuntu Saucy):
status: New → Confirmed
Changed in libav (Ubuntu Trusty):
status: New → Confirmed
Changed in libav (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libav (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libav (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 6:0.8.10-0ubuntu0.13.10.1

---------------
libav (6:0.8.10-0ubuntu0.13.10.1) saucy-security; urgency=medium

  * Update to 0.8.10 to fix multiple security issues (LP: #1277173)
 -- Marc Deslauriers <email address hidden> Thu, 06 Feb 2014 12:06:04 -0500

Changed in libav (Ubuntu Saucy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 6:0.8.10-0ubuntu0.12.10.1

---------------
libav (6:0.8.10-0ubuntu0.12.10.1) quantal-security; urgency=medium

  * Update to 0.8.10 to fix multiple security issues (LP: #1277173)
 -- Marc Deslauriers <email address hidden> Thu, 06 Feb 2014 12:09:43 -0500

Changed in libav (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 4:0.8.10-0ubuntu0.12.04.1

---------------
libav (4:0.8.10-0ubuntu0.12.04.1) precise-security; urgency=medium

  * Update to 0.8.10 to fix multiple security issues (LP: #1277173)
 -- Marc Deslauriers <email address hidden> Thu, 06 Feb 2014 12:10:23 -0500

Changed in libav (Ubuntu Precise):
status: Confirmed → Fix Released
David (eggheadbeaver) on 2014-02-14
Changed in libav (Ubuntu Trusty):
assignee: nobody → David (eggheadbeaver)
Changed in libav (Ubuntu Trusty):
importance: Undecided → High
This report contains Public Security information
Everyone can see this security related information.