Libav security fixes Jul 2014
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | libav (Ubuntu) |
High
|
Reinhard Tartler | ||
| | Precise |
Undecided
|
Marc Deslauriers | ||
| | Saucy |
Undecided
|
Marc Deslauriers | ||
| | Trusty |
Undecided
|
Unassigned | ||
| | Utopic |
High
|
Reinhard Tartler | ||
Bug Description
trusty should get Libav 9.14:
version 9.14:
- adpcm: Write the proper predictor in trellis mode in IMA QT
- adpcm: Avoid reading out of bounds in the IMA QT trellis encoder
- Check mp3 header before calling avpriv_
- Check if an mp3 header is using a reserved sample rate
- lzo: Handle integer overflow (bug/704)
- avconv: make -shortest work with streamcopy
The lzo issue is claimed to be exploitable (remote code execution) on i386.
| Reinhard Tartler (siretart) wrote : | #1 |
| Changed in libav (Ubuntu): | |
| assignee: | nobody → Reinhard Tartler (siretart) |
| importance: | Undecided → High |
| status: | New → In Progress |
| Changed in libav (Ubuntu Trusty): | |
| status: | New → In Progress |
| Changed in libav (Ubuntu Precise): | |
| status: | New → In Progress |
| Changed in libav (Ubuntu Saucy): | |
| status: | New → In Progress |
| Changed in libav (Ubuntu Precise): | |
| assignee: | nobody → Marc Deslauriers (mdeslaur) |
| Changed in libav (Ubuntu Saucy): | |
| assignee: | nobody → Marc Deslauriers (mdeslaur) |
| Reinhard Tartler (siretart) wrote : | #2 |
Utopic already has the latest upstream release including all fixes so far in utopic-proposed. I'm not sure why the transition is stuck at this point, though.
| Changed in libav (Ubuntu Utopic): | |
| status: | In Progress → Fix Committed |
| Marc Deslauriers (mdeslaur) wrote : | #3 |
Thanks for the package!
They are currently building and I will release them when they're done.
| Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package libav - 6:9.14-
---------------
libav (6:9.14-
* New upstream release 9.14:
- Many security fixes issues LP: #1341216
- adpcm: Write the proper predictor in trellis mode in IMA QT
- adpcm: Avoid reading out of bounds in the IMA QT trellis encoder
- Check mp3 header before calling avpriv_
- Check if an mp3 header is using a reserved sample rate
- lzo: Handle integer overflow (bug/704)
- avconv: make -shortest work with streamcopy
* Drop broken dpkg-maintscript, LP: #1315672
-- Reinhard Tartler <email address hidden> Sat, 12 Jul 2014 18:33:45 -0400
| Changed in libav (Ubuntu Trusty): | |
| status: | In Progress → Fix Released |
| Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package libav - 6:0.8.13-
---------------
libav (6:0.8.
* Update to 0.8.13 to fix multiple security issues (LP: #1341216)
-- Marc Deslauriers <email address hidden> Tue, 15 Jul 2014 07:31:39 -0400
| Changed in libav (Ubuntu Saucy): | |
| status: | In Progress → Fix Released |
| Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package libav - 4:0.8.13-
---------------
libav (4:0.8.
* Update to 0.8.13 to fix multiple security issues (LP: #1341216)
-- Marc Deslauriers <email address hidden> Tue, 15 Jul 2014 07:24:55 -0400
| Changed in libav (Ubuntu Precise): | |
| status: | In Progress → Fix Released |
| Reinhard Tartler (siretart) wrote : | #7 |
utopic already works with libav 10, nothing left to do here
| Changed in libav (Ubuntu Utopic): | |
| status: | Fix Committed → Fix Released |
I have uploaded a proposed package to ppa:siretart/ppa (trusty).
Ubuntu-