FFe: New Upstream bug and security release 0.8.1

Bug #960949 reported by Fabien Lusseau
Affects: libav (Ubuntu); Importance: Medium; Assigned to: Micah Gersten
Affects: libav-extra (Ubuntu); Importance: Medium; Assigned to: Micah Gersten

Bug Description

LibAV 0.8.1 is released and corrects a number of usability bugs and potential security holes.

Some bugs are pretty annoying for multimedia enthusiasts, like this bug preventing MLT from working properly, so Kdenlive and OpenShot and a couple of other video editing software packages are not working like they should: http://bugzilla.libav.org/show_bug.cgi?id=221

Upstream changelog (http://anonscm.debian.org/gitweb/?p=pkg-multimedia/libav.git;a=blob;f=Changelog;h=cb04ee49926d4bf11d9480c2a8cf3092416991f7;hb=HEAD):
version 0.8.1:

- Several bugs and crashes have been fixed in the following codecs: AAC,
  AC-3, ADPCM, AMR (both NB and WB), ATRAC3, CAVC, Cook, camstudio, DCA,
  DPCM, DSI CIN, DV, EA TGQ, FLAC, fraps, G.722 (both encoder and
  decoder), H.264, huffyuv, BB JV decoder, Indeo 3, KGV1, LCL, the
  libx264 wrapper, MJPEG, mp3on4, Musepack, MPEG1/2, PNG, QDM2, Qt RLE,
  ROQ, RV10, RV30/RV34/RV40, shorten, smacker, subrip, SVQ3, TIFF,
  Truemotion2, TTA, VC1, VMware Screen codec, Vorbis, VP5, VP6, WMA,
  Westwood SNDx, XXAN.

- This release additionally updates the following codecs to the
  bytestream2 API, so that they benefit from additional overflow
  checks: XXAN, ALG MM, TQG, SMC, Qt SMC, ROQ, PNG

- Several bugs and crashes have been fixed in the following formats:
  AIFF, ASF, DV, Matroska, NSV, MOV, MPEG-TS, Smacker, Sony OpenMG, RM,
  SWF.

- Libswscale has a potential overflow for large image size fixed.

- The following APIs have been added:

  avcodec_is_open()
  avformat_get_riff_video_tags()
  avformat_get_riff_audio_tags()

  Please see the file doc/APIchanges and the Doxygen documentation for
  further information.
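
The changelog credits the bytestream2 API with additional overflow checks. As an added illustration of that pattern (not libav code; the `Reader` type, the `rd_*` helpers and the toy chunk format are assumptions made for this example), the C below reads untrusted input through a cursor that knows where its buffer ends, so a lying length field is rejected instead of causing an over-read:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cursor over untrusted input; no read may move past `end`. */
typedef struct { const uint8_t *p, *end; } Reader;

static void rd_init(Reader *r, const uint8_t *buf, size_t len) {
    r->p = buf;
    r->end = buf + len;
}
static size_t rd_left(const Reader *r) { return (size_t)(r->end - r->p); }

/* Short input: return 0 and pin the cursor at the end instead of over-reading. */
static unsigned rd_le16(Reader *r) {
    if (rd_left(r) < 2) { r->p = r->end; return 0; }
    unsigned v = (unsigned)r->p[0] | ((unsigned)r->p[1] << 8);
    r->p += 2;
    return v;
}

/* Copy n bytes, clamped to what is left; returns the number copied. */
static size_t rd_copy(Reader *r, uint8_t *dst, size_t n) {
    size_t k = n < rd_left(r) ? n : rd_left(r);
    memcpy(dst, r->p, k);
    r->p += k;
    return k;
}

/* Toy chunk (assumed format): u16 LE payload length, then the payload.
 * Returns payload size, or -1 if the length field exceeds input or out_cap. */
static int parse_chunk(const uint8_t *buf, size_t len, uint8_t *out, size_t out_cap) {
    Reader r;
    rd_init(&r, buf, len);
    if (rd_left(&r) < 2) return -1;
    unsigned declared = rd_le16(&r);
    if (declared > rd_left(&r) || declared > out_cap) return -1;
    return (int)rd_copy(&r, out, declared);
}

int main(void) {
    /* Constructed inputs: a valid chunk and one whose length field lies. */
    const uint8_t ok[] = {0x03, 0x00, 'a', 'b', 'c'}, bad[] = {0xFF, 0xFF, 'a'};
    uint8_t out[16];
    printf("ok=%d bad=%d\n", parse_chunk(ok, sizeof ok, out, sizeof out),
           parse_chunk(bad, sizeof bad, out, sizeof out));
    return 0;
}
```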

Reinhard Tartler (siretart) wrote : Re: [Bug 960949] [NEW] New Upstream bug and security release for 0.8 branch

On Wed, Mar 21, 2012 at 09:20:32 (CET), Fabien Lusseau wrote:

> Public bug reported:
>
> LibAV 0.8.1 is released and corrects a number of usability bugs and
> potential security holes.
>
> Some bugs are pretty annoying for multimedia enthusiasts, like this bug
> preventing MLT from working properly, so Kdenlive and OpenShot and a couple of
> other video editing software packages are not working like they should:
> http://bugzilla.libav.org/show_bug.cgi?id=221
>
> The complete list of changes is on the LibAV project front page:
> http://libav.org/index.html
>
> Please consider upgrading LibAV before the release.

I'm currently travelling, but I intend to upload libav 0.8.1 to precise
when I get back home on Friday.
--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Fabien Lusseau (fabien-beosfrance) wrote : Re: New Upstream bug and security release for 0.8 branch

Thanks a lot!

Micah Gersten (micahg)
summary: - New Upstream bug and security release for 0.8 branch
+ FFe: New Upstream bug and security release 0.8.1
description: updated
Changed in libav (Ubuntu):
importance: Undecided → Medium
Scott Kitterman (kitterman) wrote : Re: [Bug 960949] [NEW] FFe: New Upstream bug and security release 0.8.1

Looks like something we probably want. Please check with siretart and see
what he thinks.

Micah Gersten (micahg) wrote :
Micah Gersten (micahg)
security vulnerability: no → yes
Scott Kitterman (kitterman) wrote :

Ack. Approved.

Changed in libav (Ubuntu):
status: New → Triaged
Micah Gersten (micahg)
Changed in libav (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
status: Triaged → In Progress
Micah Gersten (micahg)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 4:0.8.1-0ubuntu1

---------------
libav (4:0.8.1-0ubuntu1) precise; urgency=low

  * New upstream bug and security fix release (FFe: LP: #960949)
    - fixes the following CVEs:
      CVE-2012-0848, CVE-2012-0853, CVE-2012-0858, CVE-2011-3929,
      CVE-2011-3936, CVE-2011-3937, CVE-2011-3940, CVE-2011-3945,
      CVE-2011-3947, CVE-2011-3951, CVE-2011-3952

  * Pull fix from Debian git to fix installation of avserver.conf and
    recordshow.sh into libav-tools; Thanks to Julien Cristau for spotting this!
    - update debian/rules
 -- Micah Gersten <email address hidden> Wed, 21 Mar 2012 21:18:24 -0500

Changed in libav (Ubuntu):
status: In Progress → Fix Released
Micah Gersten (micahg) wrote :

We need to upload libav-extra with this.

Changed in libav-extra (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav-extra - 4:0.8.1ubuntu1

---------------
libav-extra (4:0.8.1ubuntu1) precise; urgency=low

  * New upstream libav bug and security fix release (FFe: LP: #960949)
    - fixes the following CVEs:
      CVE-2012-0848, CVE-2012-0853, CVE-2012-0858, CVE-2011-3929,
      CVE-2011-3936, CVE-2011-3937, CVE-2011-3940, CVE-2011-3945,
      CVE-2011-3947, CVE-2011-3951, CVE-2011-3952

  * Bump dependency on libav-source to >= 4:0.8.1 for new upstream version
    - update debian/control
 -- Micah Gersten <email address hidden> Wed, 21 Mar 2012 23:47:49 -0500

Changed in libav-extra (Ubuntu):
status: In Progress → Fix Released
Scott Kitterman (kitterman) wrote : Re: [Bug 960949] Re: FFe: New Upstream bug and security release 0.8.1

OK

Micah Gersten <email address hidden> wrote:

>We need to upload libav-extra with this.
>
>** Also affects: libav-extra (Ubuntu)
> Importance: Undecided
> Status: New
>
>** Changed in: libav-extra (Ubuntu)
> Importance: Undecided => Medium
>
>** Changed in: libav-extra (Ubuntu)
> Status: New => In Progress
>
>** Changed in: libav-extra (Ubuntu)
> Assignee: (unassigned) => Micah Gersten (micahg)

This report contains Public Security information.
Everyone can see this security related information.
