Libav security fixes Jul 2014

Bug #1341216 reported by Reinhard Tartler on 2014-07-12
Affects | Importance | Assigned to
libav (Ubuntu) | High | Reinhard Tartler
Precise | Undecided | Marc Deslauriers
Saucy | Undecided | Marc Deslauriers
Trusty | Undecided | Unassigned
Utopic | High | Reinhard Tartler

Bug Description

trusty should get Libav 9.14:

version 9.14:
- adpcm: Write the proper predictor in trellis mode in IMA QT
- adpcm: Avoid reading out of bounds in the IMA QT trellis encoder
- Check mp3 header before calling avpriv_mpegaudio_decode_header() (bug/705)
- Check if an mp3 header is using a reserved sample rate
- lzo: Handle integer overflow (bug/704)
- avconv: make -shortest work with streamcopy

The lzo issue is claimed to be exploitable (remote code execution) on i386.

Reinhard Tartler (siretart) wrote:

I have uploaded a proposed package to ppa:siretart/ppa (trusty).

Ubuntu-security-sponsors, please copy it to trusty-security

Changed in libav (Ubuntu):
assignee: nobody → Reinhard Tartler (siretart)
importance: Undecided → High
status: New → In Progress
Changed in libav (Ubuntu Trusty):
status: New → In Progress
Changed in libav (Ubuntu Precise):
status: New → In Progress
Changed in libav (Ubuntu Saucy):
status: New → In Progress
Changed in libav (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libav (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Reinhard Tartler (siretart) wrote:

Utopic already has the latest upstream release including all fixes so far in utopic-proposed. I'm not sure why the transition is stuck at this point, though.

Changed in libav (Ubuntu Utopic):
status: In Progress → Fix Committed
Marc Deslauriers (mdeslaur) wrote:

Thanks for the package!

They are currently building and I will release them when they're done.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libav - 6:9.14-0ubuntu0.14.04.1

---------------
libav (6:9.14-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * New upstream release 9.14:
    - Many security fixes issues LP: #1341216
    - adpcm: Write the proper predictor in trellis mode in IMA QT
    - adpcm: Avoid reading out of bounds in the IMA QT trellis encoder
    - Check mp3 header before calling avpriv_mpegaudio_decode_header() (bug/705)
    - Check if an mp3 header is using a reserved sample rate
    - lzo: Handle integer overflow (bug/704)
    - avconv: make -shortest work with streamcopy
  * Drop broken dpkg-maintscript, LP: #1315672
 -- Reinhard Tartler <email address hidden> Sat, 12 Jul 2014 18:33:45 -0400

Changed in libav (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libav - 6:0.8.13-0ubuntu0.13.10.1

---------------
libav (6:0.8.13-0ubuntu0.13.10.1) saucy-security; urgency=medium

  * Update to 0.8.13 to fix multiple security issues (LP: #1341216)
 -- Marc Deslauriers <email address hidden> Tue, 15 Jul 2014 07:31:39 -0400

Changed in libav (Ubuntu Saucy):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libav - 4:0.8.13-0ubuntu0.12.04.1

---------------
libav (4:0.8.13-0ubuntu0.12.04.1) precise-security; urgency=medium

  * Update to 0.8.13 to fix multiple security issues (LP: #1341216)
 -- Marc Deslauriers <email address hidden> Tue, 15 Jul 2014 07:24:55 -0400

Changed in libav (Ubuntu Precise):
status: In Progress → Fix Released
Reinhard Tartler (siretart) wrote:

Utopic already works with libav 10; nothing left to do here.

Changed in libav (Ubuntu Utopic):
status: Fix Committed → Fix Released