← Back to team overview

desktop-packages team mailing list archive

[Bug 1432610] [NEW] Libav security fixes March 2015

 

*** This bug is a security vulnerability ***

Public security bug reported:

Libav 0.8.17, 9.18 and 11.3 are out that fix a number of security
issues.

version 0.8.17:

- utvideodec: Handle slice_height being zero (CVE-2014-9604)
- tiff: Check that there is no aliasing in pixel format selection (CVE-2014-8544)
- rmenc: limit packet size
- eamad: check for out of bounds read (CID/1257500)
- h264_cabac: Break infinite loops
- matroskadec: Fix read-after-free in matroska_read_seek() (chromium/427266)
- gifdec: refactor interleave end handling (CVE-2014-8547)
- smc: fix the bounds check (CVE-2014-8548)
- mmvideo: check frame dimensions (CVE-2014-8543)
- jvdec: check frame dimensions (CVE-2014-8542)
- mov: avoid a memleak when multiple stss boxes are present
- apetag: Fix APE tag size check
- x86: Only use optimizations with cmov if the CPU supports the instruction
- x86: Add CPU flag for the i686 cmov instruction

version 9.18:
- tiff: Check that there is no aliasing in pixel format selection (CVE-2014-8544)
- utvideodec: Handle slice_height being zero (CVE-2014-9604)
- rmenc: limit packet size
- rv10: check size of s->mb_width * s->mb_height
- eamad: check for out of bounds read (CID/1257500)
- arm: Suppress tags about used cpu arch and extensions
- img2dec: correctly use the parsed value from -start_number
- h264_cabac: Break infinite loops
- matroskadec: Fix read-after-free in matroska_read_seek() (chromium/427266)
- smc: fix the bounds check (CVE-2014-8548)
- gifdec: refactor interleave end handling (CVE-2014-8547)
- mmvideo: check frame dimensions (CVE-2014-8543)
- jvdec: check frame dimensions (CVE-2014-8542)
- mov: avoid a memleak when multiple stss boxes are present
- mp3enc: fix a triggerable assert
- apetag: Fix APE tag size check

version 11.3:

- utvideodec: Handle slice_height being zero (CVE-2014-9604)
- adxdec: set avctx->channels in adx_read_header
- rmenc: limit packet size
- webp: validate the distance prefix code
- rv10: check size of s->mb_width * s->mb_height
- eamad: check for out of bounds read (CID/1257500)
- mdec: check for out of bounds read (CID/1257501)
- configure: Properly fail when libcdio/cdparanoia is not found
- tiff: Check that there is no aliasing in pixel format selection (CVE-2014-8544)
- aic: Fix decoding files with odd dimensions
- vorbis: Check the vlc value in setup_classifs
- arm: Suppress tags about used cpu arch and extensions
- prores: Extend the padding check to 16bit
- icecast: Do not use chunked post, allows feeding to icecast properly
- img2dec: correctly use the parsed value from -start_number
- h264_cabac: Break infinite loops
- hevc_deblock: Fix compilation with nasm (libav #795)
- h264: initialize H264Context.avctx in init_thread_copy
- h264: Do not share rbsp_buffer across threads
- h264: only ref cur_pic in update_thread_context if it is initialized
- matroskadec: Fix read-after-free in matroska_read_seek() (chromium #427266)
- log: Unbreak no-tty support on 256color terminals

** Affects: libav (Ubuntu)
     Importance: Undecided
         Status: Confirmed

** Affects: libav (Ubuntu Precise)
     Importance: Undecided
     Assignee: Marc Deslauriers (mdeslaur)
         Status: Confirmed

** Affects: libav (Ubuntu Trusty)
     Importance: Undecided
     Assignee: Marc Deslauriers (mdeslaur)
         Status: Confirmed

** Affects: libav (Ubuntu Utopic)
     Importance: Undecided
         Status: Confirmed

** Affects: libav (Ubuntu Vivid)
     Importance: Undecided
         Status: Confirmed

** Also affects: libav (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: libav (Ubuntu Vivid)
   Importance: Undecided
       Status: New

** Also affects: libav (Ubuntu Utopic)
   Importance: Undecided
       Status: New

** Also affects: libav (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Changed in: libav (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: libav (Ubuntu Trusty)
       Status: New => Confirmed

** Changed in: libav (Ubuntu Utopic)
       Status: New => Confirmed

** Changed in: libav (Ubuntu Vivid)
       Status: New => Confirmed

** Changed in: libav (Ubuntu Precise)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: libav (Ubuntu Trusty)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libav in Ubuntu.
https://bugs.launchpad.net/bugs/1432610

Title:
  Libav security fixes March 2015

Status in libav package in Ubuntu:
  Confirmed
Status in libav source package in Precise:
  Confirmed
Status in libav source package in Trusty:
  Confirmed
Status in libav source package in Utopic:
  Confirmed
Status in libav source package in Vivid:
  Confirmed

Bug description:
  Libav 0.8.17, 9.18 and 11.3 are out that fix a number of security
  issues.

  version 0.8.17:

  - utvideodec: Handle slice_height being zero (CVE-2014-9604)
  - tiff: Check that there is no aliasing in pixel format selection (CVE-2014-8544)
  - rmenc: limit packet size
  - eamad: check for out of bounds read (CID/1257500)
  - h264_cabac: Break infinite loops
  - matroskadec: Fix read-after-free in matroska_read_seek() (chromium/427266)
  - gifdec: refactor interleave end handling (CVE-2014-8547)
  - smc: fix the bounds check (CVE-2014-8548)
  - mmvideo: check frame dimensions (CVE-2014-8543)
  - jvdec: check frame dimensions (CVE-2014-8542)
  - mov: avoid a memleak when multiple stss boxes are present
  - apetag: Fix APE tag size check
  - x86: Only use optimizations with cmov if the CPU supports the instruction
  - x86: Add CPU flag for the i686 cmov instruction

  version 9.18:
  - tiff: Check that there is no aliasing in pixel format selection (CVE-2014-8544)
  - utvideodec: Handle slice_height being zero (CVE-2014-9604)
  - rmenc: limit packet size
  - rv10: check size of s->mb_width * s->mb_height
  - eamad: check for out of bounds read (CID/1257500)
  - arm: Suppress tags about used cpu arch and extensions
  - img2dec: correctly use the parsed value from -start_number
  - h264_cabac: Break infinite loops
  - matroskadec: Fix read-after-free in matroska_read_seek() (chromium/427266)
  - smc: fix the bounds check (CVE-2014-8548)
  - gifdec: refactor interleave end handling (CVE-2014-8547)
  - mmvideo: check frame dimensions (CVE-2014-8543)
  - jvdec: check frame dimensions (CVE-2014-8542)
  - mov: avoid a memleak when multiple stss boxes are present
  - mp3enc: fix a triggerable assert
  - apetag: Fix APE tag size check

  version 11.3:

  - utvideodec: Handle slice_height being zero (CVE-2014-9604)
  - adxdec: set avctx->channels in adx_read_header
  - rmenc: limit packet size
  - webp: validate the distance prefix code
  - rv10: check size of s->mb_width * s->mb_height
  - eamad: check for out of bounds read (CID/1257500)
  - mdec: check for out of bounds read (CID/1257501)
  - configure: Properly fail when libcdio/cdparanoia is not found
  - tiff: Check that there is no aliasing in pixel format selection (CVE-2014-8544)
  - aic: Fix decoding files with odd dimensions
  - vorbis: Check the vlc value in setup_classifs
  - arm: Suppress tags about used cpu arch and extensions
  - prores: Extend the padding check to 16bit
  - icecast: Do not use chunked post, allows feeding to icecast properly
  - img2dec: correctly use the parsed value from -start_number
  - h264_cabac: Break infinite loops
  - hevc_deblock: Fix compilation with nasm (libav #795)
  - h264: initialize H264Context.avctx in init_thread_copy
  - h264: Do not share rbsp_buffer across threads
  - h264: only ref cur_pic in update_thread_context if it is initialized
  - matroskadec: Fix read-after-free in matroska_read_seek() (chromium #427266)
  - log: Unbreak no-tty support on 256color terminals

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libav/+bug/1432610/+subscriptions


Follow ups

References