
oss-sec mailing list archives
Re: new FFMpeg stuff
From: Moritz Muehlenhoff <jmm () inutil org>
Date: Tue, 9 Jul 2013 06:49:34 +0200
Kurt Seifried wrote:
> https://bugs.gentoo.org/show_bug.cgi?id=476218
>
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=38229362529ed1619d8ebcc81ecde85b23b45895
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e30b068ef79f604ff439418da07f7e2efd01d4ea
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=6765ee7b9cba46818a45b051438b2552f0a1b70a
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=b36e1893ef3430f039c1eaddeedcbb378f9c4444
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7388c0c58601477db076e2e74e8b11f8a644384a
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=95a57d26d8653d21f0dab1aff3558ee944853dbf
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=b564784a207b1395d2b5a41e580539df04651096
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=78962d3df49afe5011b572656ecfe940bd5fbf2e
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=cf04af2086be105ff86088357b83d672d38417d9
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=eae63e3c156f784ee0612422f0c95131ea913c14
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fd54dd028bc9f7bfb80ebf823a533dc84b73f936
>
> Correct me if I'm wrong but most of these seem to deserve CVEs and
> none have been assigned, correct?
>
> http://ffmpeg.org/security.html

These appear to be new, but I'm not sure how previous CVE IDs were assigned for ffmpeg/libav. E.g. CVE-2013-0878 seems to be from a Google CNA, right? (At least CVE-2013-0879 is for Chrome)

All these issues (and all the ones in previous rounds) were found through fuzzing done at Google by Mateusz "j00ru" Jurczyk and Gynvael Coldwind.

It would be very, very welcome if CVE assignments from either ffmpeg or libav for any such issues would have a reference to the filename of the fuzzed file triggering the problem. With the diverging code bases between ffmpeg and libav [1] it becomes very complicated to properly track down if one of the two is affected.

Cheers,
Moritz

[1] http://en.wikipedia.org/wiki/Libav#Fork_from_FFmpeg