svn commit: r404693 - head/security/vuxml
Jan Beich
jbeich at FreeBSD.org
Mon Dec 28 18:21:19 UTC 2015
Author: jbeich
Date: Mon Dec 28 18:21:17 2015
New Revision: 404693
URL: https://svnweb.freebsd.org/changeset/ports/404693
Log:
Document recent ffmpeg vulnerabilities
Modified:
head/security/vuxml/vuln.xml (contents, props changed)
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Mon Dec 28 18:20:40 2015 (r404692)
+++ head/security/vuxml/vuln.xml Mon Dec 28 18:21:17 2015 (r404693)
@@ -58,6 +58,120 @@ Notes:
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="4bae544d-06a3-4352-938c-b3bcbca89298">
+ <topic>ffmpeg -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>libav</name>
+ <!-- no known fixed version -->
+ <range><ge>0</ge></range>
+ </package>
+ <package>
+ <name>gstreamer-ffmpeg</name>
+ <!-- gst-ffmpeg-0.10.13 has libav-0.7.2 (0.7.7 in freebsd port) -->
+ <!-- no known fixed version -->
+ <range><ge>0</ge></range>
+ </package>
+ <package>
+ <name>handbrake</name>
+ <!-- handbrake-0.10.2 has libav-10.1 -->
+ <!-- no known fixed version -->
+ <range><ge>0</ge></range>
+ </package>
+ <package>
+ <name>ffmpeg</name>
+ <range><ge>2.8,1</ge><lt>2.8.4,1</lt></range>
+ <range><lt>2.7.4,1</lt></range>
+ </package>
+ <package>
+ <name>ffmpeg26</name>
+ <range><lt>2.6.6</lt></range>
+ </package>
+ <package>
+ <name>ffmpeg25</name>
+ <range><lt>2.5.9</lt></range>
+ </package>
+ <package>
+ <name>ffmpeg24</name>
+ <range><lt>2.4.12</lt></range>
+ </package>
+ <package>
+ <name>ffmpeg-devel</name>
+ <name>ffmpeg23</name>
+ <name>ffmpeg2</name>
+ <name>ffmpeg1</name>
+ <name>ffmpeg-011</name>
+ <name>ffmpeg0</name>
+ <!-- no known fixed version -->
+ <range><ge>0</ge></range>
+ </package>
+ <package>
+ <name>avidemux</name>
+ <name>avidemux2</name>
+ <name>avidemux26</name>
+ <!-- avidemux-2.6.10 has ffmpeg-2.6.1 -->
+ <!-- no known fixed version -->
+ <range><ge>0</ge></range>
+ </package>
+ <package>
+ <name>kodi</name>
+ <!-- kodi-15.2 has ffmpeg-2.6.4 -->
+ <range><lt>16.0</lt></range>
+ </package>
+ <package>
+ <name>mplayer</name>
+ <name>mencoder</name>
+ <!-- mplayer-1.2.r20151219 has ffmpeg-2.8.3 -->
+ <range><lt>1.2.r20151219_1</lt></range>
+ </package>
+ <package>
+ <name>mythtv</name>
+ <name>mythtv-frontend</name>
+ <!-- mythtv-0.27.0.20140121 has ffmpeg-1.2.2+ (snapshot, f9c8726) -->
+ <!-- no known fixed version -->
+ <range><ge>0</ge></range>
+ </package>
+ <package>
+ <name>plexhometheater</name>
+ <!-- plexhometheater-1.4.1 has ffmpeg-0.10.2 fork -->
+ <!-- no known fixed version -->
+ <range><ge>0</ge></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>NVD reports:</p>
+ <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8662">
+ <p>The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in
+ FFmpeg before 2.8.4 does not validate the number of
+ decomposition levels before proceeding with Discrete Wavelet
+ Transform decoding, which allows remote attackers to cause a
+ denial of service (out-of-bounds array access) or possibly
+ have unspecified other impact via crafted JPEG 2000
+ data.</p>
+ </blockquote>
+ <blockquote cite="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8663">
+ <p>The ff_get_buffer function in libavcodec/utils.c in
+ FFmpeg before 2.8.4 preserves width and height values after
+ a failure, which allows remote attackers to cause a denial
+ of service (out-of-bounds array access) or possibly have
+ unspecified other impact via a crafted .mov file.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2015-8662</cvename>
+ <cvename>CVE-2015-8663</cvename>
+ <url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=75422280fbcdfbe9dc56bde5525b4d8b280f1bc5</url>
+ <url>https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=abee0a1c60612e8638640a8a3738fffb65e16dbf</url>
+ <url>https://ffmpeg.org/security.html</url>
+ </references>
+ <dates>
+ <discovery>2015-12-20</discovery>
+ <entry>2015-12-28</entry>
+ </dates>
+ </vuln>
+
<vuln vid="10f7bc76-0335-4a88-b391-0b05b3a8ce1c">
<topic>NSS -- MD5 downgrade in TLS 1.2 signatures</topic>
<affects>
@@ -1796,16 +1910,23 @@ Notes:
</package>
<package>
<name>ffmpeg</name>
- <range><lt>2.8.3,1</lt></range>
+ <range><ge>2.8,1</ge><lt>2.8.3,1</lt></range>
+ <range><lt>2.7.3,1</lt></range>
</package>
<package>
<name>ffmpeg26</name>
<range><lt>2.6.5</lt></range>
</package>
<package>
- <name>ffmpeg-devel</name>
<name>ffmpeg25</name>
+ <range><lt>2.5.9</lt></range>
+ </package>
+ <package>
<name>ffmpeg24</name>
+ <range><lt>2.4.12</lt></range>
+ </package>
+ <package>
+ <name>ffmpeg-devel</name>
<name>ffmpeg23</name>
<name>ffmpeg2</name>
<name>ffmpeg1</name>
@@ -1941,6 +2062,7 @@ Notes:
<dates>
<discovery>2015-11-27</discovery>
<entry>2015-12-02</entry>
+ <modified>2015-12-28</modified>
</dates>
</vuln>
More information about the svn-ports-all
mailing list