Message-ID: <52151B59.3060702@redhat.com>
Date: Wed, 21 Aug 2013 13:56:09 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Michael Niedermayer <michaelni@....at>, ffmpeg-security@...peg.org
Subject: Re: CVE Request: FFmpeg 2.0.1 multiple problems

On 08/20/2013 06:25 PM, Michael Niedermayer wrote:
> Hi
>
> I'd like to request CVE(s) for FFmpeg 2.0.1, for the changes below:
>
>
> https://github.com/FFmpeg/FFmpeg/commit/e43a0a232dbf6d3c161823c2e07c52e76227a1bc
>
> Out of array (on heap) write
> Found-by: wm4

Please use CVE-2013-4263 for this issue.

> https://github.com/FFmpeg/FFmpeg/commit/2960576378d17d71cc8dccc926352ce568b5eec1
>
> https://trac.ffmpeg.org/ticket/2842
> testcase and valgrind output on bugtracker above
> Out of array (on heap) write
> Found-by: Piotr Bandurski <ami_stuff@...pl>

Please use CVE-2013-4264 for this issue.

> https://github.com/FFmpeg/FFmpeg/commit/c94f9e854228e0ea00e1de8769d8d3f7cab84a55
>
> Found-by: Laurent Butti <laurentb@...il.com>
> Wrong return code that could lead to NULL+offset to be written to
> after memory allocation failure

Please use CVE-2013-4265 for this issue.

> Thanks
>

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993