[go: up one dir, main page]

Debian Bug report logs - #498766
ffmpeg-debian: vulnerable to denial-of-service attack (CVE-2008-3230)

version graph

Package: ffmpeg; Maintainer for ffmpeg is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>; Source for ffmpeg is src:ffmpeg (PTS, buildd, popcon).

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Sat, 13 Sep 2008 03:24:01 UTC

Severity: important

Tags: security

Found in version ffmpeg/0.cvs20060823-8

Done: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#498764; Package ffmpeg-debian. (full text, mbox, link).

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ffmpeg-debian: vulnerable to denial-of-service attack (CVE-2008-3230)
Date: Fri, 12 Sep 2008 22:59:31 -0400
Package: ffmpeg-debian
Version: 0.svn20080206-12
Severity: grave
Tags: security
Justification: user security hole

according to the debian security tracker [1], ffmpeg is known to be
vulnerable to a denial-of-service attack [2].  the description of the
CVE is

  The ffmpeg lavf demuxer allows user-assisted attackers to cause a denial 
  of service (application crash) via a crafted GIF file, possibly related 
  to gstreamer, as demonstrated by lol-giftopnm.gif.

i'm reporting this here to make you aware of the issue, and so the issue
can be tracked as release-critical for etch.  this affects stable, testing, 
and unstable.

thanks for the hard work.

[1] http://security-tracker.debian.net/tracker/CVE-2008-3230
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3230

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-etchnhalf.1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Bug 498764 cloned as bug 498766. Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sat, 13 Sep 2008 04:12:04 GMT) (full text, mbox, link).

Bug reassigned from package `ffmpeg-debian' to `ffmpeg'. Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sat, 13 Sep 2008 04:12:06 GMT) (full text, mbox, link).

Bug marked as found in version 0.cvs20060823-8. Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sat, 13 Sep 2008 04:12:07 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#498766; Package ffmpeg. (full text, mbox, link).

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (full text, mbox, link).

Message #16 received at 498766@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 498766@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>, control@bugs.debian.org
Subject: client dos not grave
Date: Sat, 13 Sep 2008 14:30:29 +0200
[Message part 1 (text/plain, inline)]
severity 498766 important
thanks

Hi,

> The ffmpeg lavf demuxer allows user-assisted attackers to cause a denial 
> of service (application crash)

while inconvenient such crashes are not grave bugs (compare to a browser 
crashing on some specific web page).


Thijs

[Message part 2 (application/pgp-signature, inline)]

Severity set to `important' from `grave' Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Sat, 13 Sep 2008 14:48:12 GMT) (full text, mbox, link).

Reply sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
You have taken responsibility. (Wed, 08 Apr 2009 15:42:09 GMT) (full text, mbox, link).

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Wed, 08 Apr 2009 15:42:13 GMT) (full text, mbox, link).

Message #23 received at 498766-close@bugs.debian.org (full text, mbox, reply):

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: 498766-close@bugs.debian.org
Subject: closing
Date: Wed, 8 Apr 2009 11:39:53 -0400
the ffmpeg source package has been remove from the archive, and these
issues are currently fixed in ffmpeg-debian, so there is no reason to
continue to track this issue (see http://bugs.debian.org/498764).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 May 2009 07:31:51 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 15 07:14:32 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.