FFe: New Upstream bug and security release 0.8.1

Bug #960949 reported by Fabien Lusseau on 2012-03-21
This bug affects 1 person
Affects: libav (Ubuntu); Importance: Medium; Assigned to: Micah Gersten
Affects: libav-extra (Ubuntu); Importance: Medium; Assigned to: Micah Gersten

Bug Description

LibAV 0.8.1 is released and corrects a number of usability bugs and potential security holes.

Some bugs are pretty annoying for multimedia enthusiasts, like this bug preventing MLT from working properly, so Kdenlive and OpenShot and a couple of other video editing programs are not working like they should: http://bugzilla.libav.org/show_bug.cgi?id=221

Upstream changelog: http://anonscm.debian.org/gitweb/?p=pkg-multimedia/libav.git;a=blob;f=Changelog;h=cb04ee49926d4bf11d9480c2a8cf3092416991f7;hb=HEAD
version 0.8.1:

- Several bugs and crashes have been fixed in the following codecs: AAC,
  AC-3, ADPCM, AMR (both NB and WB), ATRAC3, CAVC, Cook, camstudio, DCA,
  DPCM, DSI CIN, DV, EA TGQ, FLAC, fraps, G.722 (both encoder and
  decoder), H.264, huffyuv, BB JV decoder, Indeo 3, KGV1, LCL, the
  libx264 wrapper, MJPEG, mp3on4, Musepack, MPEG1/2, PNG, QDM2, Qt RLE,
  ROQ, RV10, RV30/RV34/RV40, shorten, smacker, subrip, SVQ3, TIFF,
  Truemotion2, TTA, VC1, VMware Screen codec, Vorbis, VP5, VP6, WMA,
  Westwood SNDx, XXAN.

- This release additionally updates the following codecs to the
  bytestream2 API, and therefore benefit from additional overflow
  checks: XXAN, ALG MM, TQG, SMC, Qt SMC, ROQ, PNG

- Several bugs and crashes have been fixed in the following formats:
  AIFF, ASF, DV, Matroska, NSV, MOV, MPEG-TS, Smacker, Sony OpenMG, RM,
  SWF.

- Libswscale has a potential overflow for large image size fixed.

- The following APIs have been added:

  avcodec_is_open()
  avformat_get_riff_video_tags()
  avformat_get_riff_audio_tags()

  Please see the file doc/APIchanges and the Doxygen documentation for
  further information.
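
The changelog item about moving decoders to a bounds-checked reader can be illustrated with a small model. This is an added example, not libav code and not part of the original report: `Reader`, `left`, `get_le16`, `get_buffer`, `parse_chunk` and the chunk layout are hypothetical names chosen here, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical cursor that always carries the end of the input with it. */
typedef struct { const uint8_t *p, *end; } Reader;

static size_t left(const Reader *r) { return (size_t)(r->end - r->p); }

/* Checked 16-bit LE read: on short input, jump to the end and return 0. */
static unsigned get_le16(Reader *r) {
    if (left(r) < 2) { r->p = r->end; return 0; }
    unsigned v = r->p[0] | ((unsigned)r->p[1] << 8);
    r->p += 2;
    return v;
}

/* Checked copy: refuses lengths larger than the input left or the output. */
static int get_buffer(Reader *r, uint8_t *dst, size_t dst_size, size_t n) {
    if (n > dst_size || n > left(r)) return -1;
    memcpy(dst, r->p, n);
    r->p += n;
    return 0;
}

/* Constructed chunk format: 1-byte tag, 2-byte LE length, payload.
   Returns the payload length, or -1 if the declared length is not usable. */
int parse_chunk(const uint8_t *buf, size_t len, uint8_t *out, size_t out_size) {
    Reader r = { buf, buf + len };
    if (left(&r) < 3) return -1;      /* truncated header */
    r.p += 1;                         /* skip tag (size checked above) */
    unsigned n = get_le16(&r);        /* length field comes from the file */
    if (get_buffer(&r, out, out_size, n) < 0) return -1;
    return (int)n;
}

/* Constructed samples: a well-formed chunk and one whose length field lies. */
const uint8_t GOOD[] = { 0x01, 0x03, 0x00, 'a', 'b', 'c' };
const uint8_t BAD[]  = { 0x01, 0xff, 0xff, 'a', 'b', 'c' };

int main(void) {
    uint8_t out[16];
    int ok  = parse_chunk(GOOD, sizeof GOOD, out, sizeof out);
    int bad = parse_chunk(BAD, sizeof BAD, out, sizeof out);
    return (ok == 3 && bad == -1) ? 0 : 1;
}
```

A decoder that walks a raw pointer and trusts the length field would copy 65535 bytes for the second sample; here every read is checked against the end of the input and the size of the destination.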

On Wed, Mar 21, 2012 at 09:20:32 (CET), Fabien Lusseau wrote:

> Public bug reported:
>
> LibAV 0.8.1 is released and corrects a number of usability bugs and
> potential security holes.
>
> Some bugs are pretty annoying for multimedia enthusiasts, like this bug
> preventing MLT from working properly, so Kdenlive and OpenShot and a couple of
> other video editing programs are not working like they should:
> http://bugzilla.libav.org/show_bug.cgi?id=221
>
> The complete list of changes is on the LibAV project front page:
> http://libav.org/index.html
>
> Please consider upgrading LibAV before the release.

I'm currently travelling, but I intend to upload libav 0.8.1 to precise
when I get back home on Friday.
--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Micah Gersten (micahg) on 2012-03-22
summary: - New Upstream bug and security release for 0.8 branch
+ FFe: New Upstream bug and security release 0.8.1
description: updated
Changed in libav (Ubuntu):
importance: Undecided → Medium

Looks like something we probably want. Please check with siretart and see
what he thinks.

Micah Gersten (micahg) on 2012-03-22
security vulnerability: no → yes
Scott Kitterman (kitterman) wrote :

Ack. Approved.

Changed in libav (Ubuntu):
status: New → Triaged
Micah Gersten (micahg) on 2012-03-22
Changed in libav (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
status: Triaged → In Progress
Micah Gersten (micahg) on 2012-03-22
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 4:0.8.1-0ubuntu1

---------------
libav (4:0.8.1-0ubuntu1) precise; urgency=low

  * New upstream bug and security fix release (FFe: LP: #960949)
    - fixes the following CVEs:
      CVE-2012-0848, CVE-2012-0853, CVE-2012-0858, CVE-2011-3929,
      CVE-2011-3936, CVE-2011-3937, CVE-2011-3940, CVE-2011-3945,
      CVE-2011-3947, CVE-2011-3951, CVE-2011-3952

  * Pull fix from Debian git to fix installation of avserver.conf and
    recordshow.sh into libav-tools; Thanks to Julien Cristau for spotting this!
    - update debian/rules
 -- Micah Gersten <email address hidden> Wed, 21 Mar 2012 21:18:24 -0500

Changed in libav (Ubuntu):
status: In Progress → Fix Released
Micah Gersten (micahg) wrote :

We need to upload libav-extra with this.

Changed in libav-extra (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav-extra - 4:0.8.1ubuntu1

---------------
libav-extra (4:0.8.1ubuntu1) precise; urgency=low

  * New upstream libav bug and security fix release (FFe: LP: #960949)
    - fixes the following CVEs:
      CVE-2012-0848, CVE-2012-0853, CVE-2012-0858, CVE-2011-3929,
      CVE-2011-3936, CVE-2011-3937, CVE-2011-3940, CVE-2011-3945,
      CVE-2011-3947, CVE-2011-3951, CVE-2011-3952

  * Bump dependency on libav-source to >= 4:0.8.1 for new upstream version
    - update debian/control
 -- Micah Gersten <email address hidden> Wed, 21 Mar 2012 23:47:49 -0500

Changed in libav-extra (Ubuntu):
status: In Progress → Fix Released

OK

Micah Gersten <email address hidden> wrote:

>We need to upload libav-extra with this.
>
>** Also affects: libav-extra (Ubuntu)
> Importance: Undecided
> Status: New
>
>** Changed in: libav-extra (Ubuntu)
> Importance: Undecided => Medium
>
>** Changed in: libav-extra (Ubuntu)
> Status: New => In Progress
>
>** Changed in: libav-extra (Ubuntu)
> Assignee: (unassigned) => Micah Gersten (micahg)

This report contains Public Security information
Everyone can see this security related information.