Debian Bug report logs - #550442
ffmpeg: deluge of crashes due to missing input sanitization

Package: ffmpeg; Maintainer for ffmpeg is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>; Source for ffmpeg is src:ffmpeg.

Reported by: Michael S Gilbert <michael.s.gilbert@gmail.com>

Date: Sat, 10 Oct 2009 05:27:01 UTC

Severity: serious

Tags: security

Found in versions ffmpeg/0.cvs20060823-8, ffmpeg-debian/0.svn20080206-18

Fixed in versions ffmpeg/4:0.5+svn20090706-3, ffmpeg/4:0.5+svn20090706-5, ffmpeg/4:0.6.1-3

Done: Reinhard Tartler <siretart@tauware.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Sat, 10 Oct 2009 05:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 10 Oct 2009 05:27:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Michael S Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: ffmpeg: deluge of crashes due to missing input sanitization
Date: Sat, 10 Oct 2009 01:14:20 -0400
package: ffmpeg
version: 0.cvs20060823-8
severity: serious
tags: security

hi,

ffmpeg has been found to be vulnerable to many crashers [0],[1].  this
may enable remote compromise of a system.

please coordinate with upstream and the security team to push out
updates for these issues.

mike

[0] https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240
[1] https://roundup.ffmpeg.org/roundup/ffmpeg/issue1245




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Tue, 13 Oct 2009 17:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 13 Oct 2009 17:27:04 GMT) (full text, mbox, link).


Message #10 received at 550442@bugs.debian.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@tauware.de>
To: Michael S Gilbert <michael.s.gilbert@gmail.com>
Cc: 550442@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Date: Tue, 13 Oct 2009 19:23:26 +0200
Michael S Gilbert <michael.s.gilbert@gmail.com> writes:

> ffmpeg has been found to be vulnerable to many crashers [0],[1].  this
> may enable remote compromise of a system.
>
> please coordinate with upstream and the security team to push out
> updates for these issues.
>
> mike
>
> [0] https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240
> [1] https://roundup.ffmpeg.org/roundup/ffmpeg/issue1245

Issue 1240 is as such not usable, as the submitter refused to split out
his findings by single issues. Instead, he insisted on providing a huge
tarball with 73(!) test files that demonstrate crashes. Many of these
files seem to trigger very similar (if not identical) bugs. Issue 1245 is
one of the issues that has been split out. I've imported [2] that patch
already to our packaging branch, and it will be part of the next upload.

[2] http://git.debian.org/?p=pkg-multimedia/ffmpeg-debian.git;a=blob;f=debian/patches/issue1245.patch;h=23e180a0972146f650c0254d8677f8a1a4a371eb;hb=c1bc30d1370dab75f103bc6dce0bbe95f482099e

The upstream thread can be read at [3]. After reading the thread it
seems that many of these issues are not exactly security relevant but
merely crashers without potential for remote code execution. Still, the
relevant revision should probably be backported to 0.5.

[3] http://thread.gmane.org/gmane.comp.video.ffmpeg.devel/97154

Please note that there is an upstream 0.5 branch (and we are tracking
that branch), but there is not really much activity there. However
AFAIUI, security relevant patches are within submission policy of that
branch. So any security patches we can do within Debian can be proposed
for that branch.

As for this bug, I'm inclined to close this bug with the upload of
[2]. The reason is that this report is way too imprecise. This report
currently reads "the package has been found crashers that might
compromise the system". Sorry, this is just not helpful. We'd really
need at least a list of concrete issues, ideally with reference to the
relevant svn commits (so that commit messages can be reviewed) that can
be processed and backported.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Tue, 13 Oct 2009 21:36:08 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 13 Oct 2009 21:36:09 GMT) (full text, mbox, link).


Message #15 received at 550442@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 550442@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Date: Tue, 13 Oct 2009 17:10:12 -0400
On Tue, 13 Oct 2009 19:23:26 +0200, Reinhard Tartler wrote:
> As for this bug, I'm inclined to close this bug with the upload of
> [2]. The reason is that this report is way too imprecise. This report
> currently reads "the package has been found crashers that might
> compromise the system". Sorry, this is just not helpful. We'd really
> need at least a list of concrete issues, ideally with reference to the
> relevant svn commits (so that commit messages can be reviewed) that can
> be processed and backported.

in an ideal world every security issue would come with a complete
prescription and regiment to make it all better.  however, we do not
live in such a place.  the best we can do is track the issue at hand,
follow work being done elsewhere, and potentially spend our own
precious time testing and writing fixes.  obviously this is a lot of
work, but it is the price we pay since there are nefarious peoples
about.  

i would recommend working with the security team to request cve's on
oss-sec for specific issues once they are well-defined, and address each
of them in turn; while keeping this bug open to track the meta-issue
(potentially downgrading to important as to not impede transitions).

note that any of these crashers that show signs of memory corruption
are very much cause for concern (see recent pdf jbig2 decoder issues).
the others can probably be safely discarded.  by "may enable remote
compromise," i mean via user-assisted (social engineered) attack
vectors (i.e. downloading and viewing a malicious video file).  this
is a very legitimate concern since most users are very trusting of
untrustworthy data.

mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Thu, 15 Oct 2009 11:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 15 Oct 2009 11:45:03 GMT) (full text, mbox, link).


Message #20 received at 550442@bugs.debian.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@tauware.de>
To: Michael Gilbert <michael.s.gilbert@gmail.com>
Cc: 550442@bugs.debian.org, team@security.debian.org, security@ubuntu.com
Subject: Re: Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Date: Thu, 15 Oct 2009 13:03:39 +0200
Hello Security Teams,

Michael Gilbert reported in debian bug #550442 that ffmpeg in debian and
ubuntu contained "a deluge of crashes". I have backported a bunch of
fixes from ffmpeg trunk, which now need review, validation and
eventually publishing.

Affected are all distros that ship ffmpeg 0.5, this includes

 - lenny
 - squeeze
 - sid
 - jaunty
 - karmic

earlier versions of ffmpeg might be affected as well.

Michael Gilbert <michael.s.gilbert@gmail.com> writes:

> On Tue, 13 Oct 2009 19:23:26 +0200, Reinhard Tartler wrote:
>> As for this bug, I'm inclined to close this bug with the upload of
>> [2]. The reason is that this report is way too imprecise. This report
>> currently reads "the package has been found crashers that might
>> compromise the system". Sorry, this is just not helpful. We'd really
>> need at least a list of concrete issues, ideally with reference to the
>> relevant svn commits (so that commit messages can be reviewed) that can
>> be processed and backported.
>
> in an ideal world every security issue would come with a complete
> prescription and regiment to make it all better.  however, we do not
> live in such a place.  the best we can do is track the issue at hand,
> follow work being done elsewhere, and potentially spend our own
> precious time testing and writing fixes.  obviously this is a lot of
> work, but it is the price we pay since there are nefarious peoples
> about.  
>
> i would recommend working with the security team to request cve's on
> oss-sec for specific issues once they are well-defined, and address each
> of them in turn; while keeping this bug open to track the meta-issue
> (potentially downgrading to important as to not impede transitions).
>
> note that any of these crashers that show signs of memory corruption
> are very much cause for concern (see recent pdf jbig2 decoder issues).
> the others can probably be safely discarded.  by "may enable remote
> compromise," i mean via user-assisted (social engineered) attack
> vectors (i.e. downloading and viewing a malicious video file).  this
> is a very legitimate concern since most users are very trusting of
> untrustworthy data.

I've worked on the packaging branch for karmic. The relevant backports
that I produced so far can be found here:

http://git.debian.org/?p=pkg-multimedia/ffmpeg.git;a=tree;f=debian/patches/security;hb=ubuntu.karmic

Most of these patches have been proposed by the chromium developers,
that collect patches for upstream here:

http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/to_upstream/

most of the patches got further polishing by upstream before
applying. In many cases, the chromium developers did rather fix
symptoms, upstream prefers real fixes. Anyway, I went through the list
of chromium patches and managed to locate most patches in ffmpeg trunk

Patches that I couldn't find upstream include:

09_mov_stsz_int_oflow.patch
32_mov_stream_index.patch
35_mov_bad_timings.patch
40_ogg_missing_header.patch

They probably need further investigation.

Michael, could you please check if and what patches I might have missed?

I'd like to ask you (both security teams) to review my patches so far
and if and to what security queues they should be uploaded or not.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Thu, 29 Oct 2009 19:48:17 GMT) (full text, mbox, link).


Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 29 Oct 2009 19:48:17 GMT) (full text, mbox, link).


Message #25 received at 550442@bugs.debian.org (full text, mbox, reply):

From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: Reinhard Tartler <siretart@tauware.de>
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>, 550442@bugs.debian.org, team@security.debian.org, security@ubuntu.com
Subject: Re: Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Date: Thu, 29 Oct 2009 14:53:13 -0400
On Thu, 2009-10-15 at 13:03 +0200, Reinhard Tartler wrote:

<snip>

> of chromium patches and managed to locate most patches in ffmpeg trunk
> 
> Patches that I couldn't find upstream include:
> 
> 09_mov_stsz_int_oflow.patch
> 32_mov_stream_index.patch
> 35_mov_bad_timings.patch
> 40_ogg_missing_header.patch
> 
> They probably need further investigation.


09_mov_stsz_int_oflow.patch:

This looks like:
http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=59a7d76f26091bb379e41e546c561d6987b2df3b

32_mov_stream_index.patch:

http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=83b7e34ccb8f63f24d91dfc4dd89a4971f36ce12
http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=b601744633167a1b37bc171d298872d57522400e

40_ogg_missing_header.patch:

http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=7fb2fe280374bcb1c41c2a8e7aa5632d18dc4279


Marc.






Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Sat, 31 Oct 2009 08:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 31 Oct 2009 08:30:03 GMT) (full text, mbox, link).


Message #30 received at 550442@bugs.debian.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@tauware.de>
To: Marc Deslauriers <marc.deslauriers@canonical.com>
Cc: 550442@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>, team@security.debian.org, security@ubuntu.com
Subject: Re: Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Date: Sat, 31 Oct 2009 09:12:16 +0100
Marc Deslauriers <marc.deslauriers@canonical.com> writes:

> On Thu, 2009-10-15 at 13:03 +0200, Reinhard Tartler wrote:
>
> <snip>
>
>> of chromium patches and managed to locate most patches in ffmpeg trunk
>> 
>> Patches that I couldn't find upstream include:
>> 
>> 09_mov_stsz_int_oflow.patch
>> 32_mov_stream_index.patch
>> 35_mov_bad_timings.patch
>> 40_ogg_missing_header.patch
>> 
>> They probably need further investigation.
>
>
> 09_mov_stsz_int_oflow.patch:
>
> This looks like:
> http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=59a7d76f26091bb379e41e546c561d6987b2df3b
>
> 32_mov_stream_index.patch:
>
> http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=83b7e34ccb8f63f24d91dfc4dd89a4971f36ce12
> http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=b601744633167a1b37bc171d298872d57522400e
>
> 40_ogg_missing_header.patch:
>
> http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=7fb2fe280374bcb1c41c2a8e7aa5632d18dc4279

excellent catches, they all indeed look very relevant. I've added them
to the packaging branch.

One problem, it breaks build. Therefore, I had to backport svn r18016
aka 'MOV-Support-stz2-Compact-Sample-Size-Box' to fix FTBFS. without
this patch, libavformat/mov.c won't compile, as field_size is introduced
with this commit. While this patch is strictly speaking not in scope of
a security update, it is easier to stick with upstream and backport
this patch in addition.

How to proceed now? In any case, I'll prepare an upload for lucid once
it opens. Will you prepare uploads for stable ubuntu security pockets?

@debian security team: shall I prepare a stable-security upload with
this or do you want some testing in unstable first? NB: I'm blocked with
uploading to unstable by ftp-master@.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Sun, 01 Nov 2009 02:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 01 Nov 2009 02:30:04 GMT) (full text, mbox, link).


Message #35 received at 550442@bugs.debian.org (full text, mbox, reply):

From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: Reinhard Tartler <siretart@tauware.de>
Cc: 550442@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>, team@security.debian.org, security@ubuntu.com
Subject: Re: Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Date: Sat, 31 Oct 2009 22:20:34 -0400
On Sat, 2009-10-31 at 09:12 +0100, Reinhard Tartler wrote:
> One problem, it breaks build. Therefore, I had to backport svn r18016
> aka 'MOV-Support-stz2-Compact-Sample-Size-Box' to fix FTBFS. without
> this patch, libavformat/mov.c won't compile, as field_size is introduced
> with this commit. While this patch is strictly speaking not in scope of
> a security update, it is easier to stick with upstream and backport
> this patch in addition.

Agreed.

> 
> How to proceed now? In any case, I'll prepare an upload for lucid once
> it opens. Will you prepare uploads for stable ubuntu security pockets?

The next step, IMO, is to get CVE numbers assigned. Since CVE numbers
aren't usually given to client application crashes, someone needs to
analyze each issue to see if it is exploitable or not.

Marc.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Sun, 01 Nov 2009 08:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 01 Nov 2009 08:12:03 GMT) (full text, mbox, link).


Message #40 received at 550442@bugs.debian.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@tauware.de>
To: Marc Deslauriers <marc.deslauriers@canonical.com>
Cc: 550442@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>, team@security.debian.org, security@ubuntu.com
Subject: Re: Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Date: Sun, 01 Nov 2009 09:00:36 +0100
Marc Deslauriers <marc.deslauriers@canonical.com> writes:
> On Sat, 2009-10-31 at 09:12 +0100, Reinhard Tartler wrote:
>> How to proceed now? In any case, I'll prepare an upload for lucid once
>> it opens. Will you prepare uploads for stable ubuntu security pockets?
>
> The next step, IMO, is to get CVE numbers assigned. Since CVE numbers
> aren't usually given to client application crashes, someone needs to
> analyze each issue to see if it is exploitable or not.

I'm not familiar with the process to get CVE numbers assigned, but this
bug is identified by secunia:

http://secunia.com/advisories/36805/

Debian currently tracks this as:
http://security-tracker.debian.org/tracker/TEMP-0550442-000946

as for reproducibility, the chrome guys presented for each issue an
example file demonstrating the crash. I'm not aware of concrete exploits
for these crashes.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Thu, 03 Dec 2009 21:06:07 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 03 Dec 2009 21:06:07 GMT) (full text, mbox, link).


Message #45 received at 550442@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Reinhard Tartler <siretart@tauware.de>
Cc: 550442@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Date: Thu, 3 Dec 2009 22:01:54 +0100
On Sat, Oct 31, 2009 at 09:12:16AM +0100, Reinhard Tartler wrote:
> Marc Deslauriers <marc.deslauriers@canonical.com> writes:
> 
> > On Thu, 2009-10-15 at 13:03 +0200, Reinhard Tartler wrote:
> >
> > <snip>
> >
> >> of chromium patches and managed to locate most patches in ffmpeg trunk
> >> 
> >> Patches that I couldn't find upstream include:
> >> 
> >> 09_mov_stsz_int_oflow.patch
> >> 32_mov_stream_index.patch
> >> 35_mov_bad_timings.patch
> >> 40_ogg_missing_header.patch
> >> 
> >> They probably need further investigation.
> >
> >
> > 09_mov_stsz_int_oflow.patch:
> >
> > This looks like:
> > http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=59a7d76f26091bb379e41e546c561d6987b2df3b
> >
> > 32_mov_stream_index.patch:
> >
> > http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=83b7e34ccb8f63f24d91dfc4dd89a4971f36ce12
> > http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=b601744633167a1b37bc171d298872d57522400e
> >
> > 40_ogg_missing_header.patch:
> >
> > http://git.ffmpeg.org/?p=ffmpeg;a=commit;h=7fb2fe280374bcb1c41c2a8e7aa5632d18dc4279
> 
> excellent catches, they all indeed look very relevant. I've added them
> to the packaging branch.
> 
> One problem, it breaks build. Therefore, I had to backport svn r18016
> aka 'MOV-Support-stz2-Compact-Sample-Size-Box' to fix FTBFS. without
> this patch, libavformat/mov.c won't compile, as field_size is introduced
> with this commit. While this patch is strictly speaking not in scope of
> a security update, it is easier to stick with upstream and backport
> this patch in addition.
> 
> How to proceed now? In any case, I'll prepare an upload for lucid once
> it opens. Will you prepare uploads for stable ubuntu security pockets?
> 
> @debian security team: shall I prepare a stable-security upload with
> this or do you want some testing in unstable first? NB: I'm blocked with
> uploading to unstable by ftp-master@.

Sorry, this slipped through. An update for stable-security would be very
welcome.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Fri, 04 Dec 2009 23:36:10 GMT) (full text, mbox, link).


Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 04 Dec 2009 23:36:10 GMT) (full text, mbox, link).


Message #50 received at 550442@bugs.debian.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@tauware.de>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 550442@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Date: Sat, 05 Dec 2009 00:33:02 +0100
Moritz Muehlenhoff <jmm@inutil.org> writes:

> Sorry, this slipped through. An update for stable-security would be very
> welcome.

Test packages (both amd64 and i386) with build logs can be found at
http://pkg-multimedia.alioth.debian.org/ffmpeg-lenny/ for now.

Please note that because lenny does *not* ship FFmpeg 0.5 but an earlier
snapshot, not all patches did apply cleanly.  I did my best to backport
all patches, but I needed to drop three of them:

security/libavcodec/mpegaudiodec/0002-Check-data_size-in-decode_frame_mp3on4.patch
security/libavformat/mov/0003-check-stream-existence-before-assignment-fix-1222.patch
security/libavcodec/vp3/0003-Make-sure-that-all-memory-allocations-succeed.patch

The biggest problem is that I haven't tested them yet. Testers very
welcome!

If I get positive feedback, or Moritz asks me to do so, I'll of course
upload to security.debian.org immediately.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4




Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility. (Wed, 06 Jan 2010 18:51:03 GMT) (full text, mbox, link).


Notification sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Wed, 06 Jan 2010 18:51:04 GMT) (full text, mbox, link).


Message #55 received at 550442-close@bugs.debian.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@tauware.de>
To: 550442-close@bugs.debian.org
Subject: Bug#550442: fixed in ffmpeg 4:0.5+svn20090706-3
Date: Wed, 06 Jan 2010 18:49:23 +0000
Source: ffmpeg
Source-Version: 4:0.5+svn20090706-3

We believe that the bug you reported is fixed in the latest version of
ffmpeg, which is due to be installed in the Debian FTP archive:

ffmpeg-dbg_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/ffmpeg-dbg_0.5+svn20090706-3_amd64.deb
ffmpeg-dbg_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/ffmpeg-dbg_0.5+svn20090706-3_i386.deb
ffmpeg-doc_0.5+svn20090706-3_all.deb
  to main/f/ffmpeg/ffmpeg-doc_0.5+svn20090706-3_all.deb
ffmpeg_0.5+svn20090706-3.diff.gz
  to main/f/ffmpeg/ffmpeg_0.5+svn20090706-3.diff.gz
ffmpeg_0.5+svn20090706-3.dsc
  to main/f/ffmpeg/ffmpeg_0.5+svn20090706-3.dsc
ffmpeg_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/ffmpeg_0.5+svn20090706-3_amd64.deb
ffmpeg_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/ffmpeg_0.5+svn20090706-3_i386.deb
libavcodec-dev_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/libavcodec-dev_0.5+svn20090706-3_amd64.deb
libavcodec-dev_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/libavcodec-dev_0.5+svn20090706-3_i386.deb
libavcodec52_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/libavcodec52_0.5+svn20090706-3_amd64.deb
libavcodec52_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/libavcodec52_0.5+svn20090706-3_i386.deb
libavdevice-dev_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/libavdevice-dev_0.5+svn20090706-3_amd64.deb
libavdevice-dev_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/libavdevice-dev_0.5+svn20090706-3_i386.deb
libavdevice52_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/libavdevice52_0.5+svn20090706-3_amd64.deb
libavdevice52_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/libavdevice52_0.5+svn20090706-3_i386.deb
libavfilter-dev_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/libavfilter-dev_0.5+svn20090706-3_amd64.deb
libavfilter-dev_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/libavfilter-dev_0.5+svn20090706-3_i386.deb
libavfilter0_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/libavfilter0_0.5+svn20090706-3_amd64.deb
libavfilter0_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/libavfilter0_0.5+svn20090706-3_i386.deb
libavformat-dev_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/libavformat-dev_0.5+svn20090706-3_amd64.deb
libavformat-dev_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/libavformat-dev_0.5+svn20090706-3_i386.deb
libavformat52_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/libavformat52_0.5+svn20090706-3_amd64.deb
libavformat52_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/libavformat52_0.5+svn20090706-3_i386.deb
libavutil-dev_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/libavutil-dev_0.5+svn20090706-3_amd64.deb
libavutil-dev_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/libavutil-dev_0.5+svn20090706-3_i386.deb
libavutil49_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/libavutil49_0.5+svn20090706-3_amd64.deb
libavutil49_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/libavutil49_0.5+svn20090706-3_i386.deb
libpostproc-dev_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/libpostproc-dev_0.5+svn20090706-3_amd64.deb
libpostproc-dev_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/libpostproc-dev_0.5+svn20090706-3_i386.deb
libpostproc51_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/libpostproc51_0.5+svn20090706-3_amd64.deb
libpostproc51_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/libpostproc51_0.5+svn20090706-3_i386.deb
libswscale-dev_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/libswscale-dev_0.5+svn20090706-3_amd64.deb
libswscale-dev_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/libswscale-dev_0.5+svn20090706-3_i386.deb
libswscale0_0.5+svn20090706-3_amd64.deb
  to main/f/ffmpeg/libswscale0_0.5+svn20090706-3_amd64.deb
libswscale0_0.5+svn20090706-3_i386.deb
  to main/f/ffmpeg/libswscale0_0.5+svn20090706-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 550442@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated ffmpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 06 Jan 2010 16:27:40 +0100
Source: ffmpeg
Binary: ffmpeg ffmpeg-dbg ffmpeg-doc libavutil49 libavcodec52 libavdevice52 libavformat52 libavfilter0 libpostproc51 libswscale0 libavutil-dev libavcodec-dev libavdevice-dev libavformat-dev libavfilter-dev libpostproc-dev libswscale-dev
Architecture: all amd64 i386 source 
Version: 4:0.5+svn20090706-3
Distribution: experimental
Urgency: low
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 550442
Description:
 ffmpeg-dbg - Debug symbols for ffmpeg related packages
 ffmpeg-doc - documentation of the ffmpeg API
 ffmpeg     - multimedia player, server and encoder
 libavcodec52 - ffmpeg codec library
 libavcodec-dev - development files for libavcodec
 libavdevice52 - ffmpeg device handling library
 libavdevice-dev - development files for libavdevice
 libavfilter0 - ffmpeg video filtering library
 libavfilter-dev - development files for libavfilter
 libavformat52 - ffmpeg file format library
 libavformat-dev - development files for libavformat
 libavutil49 - ffmpeg utility library
 libavutil-dev - development files for libavutil
 libpostproc51 - ffmpeg video postprocessing library
 libpostproc-dev - development files for libpostproc
 libswscale0 - ffmpeg video scaling library
 libswscale-dev - development files for libswscale
Changes:
 ffmpeg (4:0.5+svn20090706-3) experimental; urgency=low
 .
   [ Loïc Minier ]
   * Disable more autodetecter ARM arch features
   * Enable neon flavour
   * Update NEON confflags to assume v7 and VFP
   * Add backported NEON patches from ffmpeg trunk
   * Pass proper --cpu and --extra-flags on armel
   * Pass -fPIC -DPIC to neon pass
 .
   [ Fabian Greffrath ]
   * Initialize the FLAVORS variable to static instead of appending to
     it. Also, we do not support the internalencoders variable anymore.
 .
   [ Andres Mejia ]
   * Remove unused patches from packaging.
   * Update Vcs-* entries to new location.
   * Bump Standards-Version to 3.8.3.
 .
   [ Reinhard Tartler ]
   * change shlibs file to make applications depend on the -extra- packages
   * loosen dependencies further, so that the -dev packages remain
     installable even if ffmpeg-extra is 'out-of-date'
   * add patch for issue1245: Make arguments of av_set_pts_info() unsigned.
   * Support constant-quant encoding for libtheora, LP: #356322
   * increase swscale compile time width (VOF/VOFW), LP: #443264
   * Backports of various security patches, Closes: #550442, including:
      - backport fixes for vorbis_dec
      - backport oggparsevorbis fix
      - backport vp3 fixes
      - backport ffv1 fix
      - libavcodec/mpegaudiodec.c backports
      - h264 security backports
      - backported libavformat/mov.c security fixes
      - backported libavformat/oggdec.c security fixes
      - backport svn r18016 aka 'MOV-Support-stz2-Compact-Sample-Size-Box'
        to fix FTBFS
   * enable symbol versioning
   * bump shlibs version
   * add README.source describing how this source package manages patches
   * make sure the ${misc:Depends} substvar is used for each binary package
Checksums-Sha1: 
Checksums-Sha256: 
Files: 






Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Wed, 13 Jan 2010 08:34:13 GMT)


Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 13 Jan 2010 08:34:13 GMT)


Message #60 received at 550442@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: 550442@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org
Subject: Re: Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Date: Wed, 13 Jan 2010 09:28:43 +0100
found 550442 0.svn20080206-18
stop

On Sa, Dez 05, 2009 at 00:33:02 (CET), Reinhard Tartler wrote:

> Moritz Muehlenhoff <jmm@inutil.org> writes:
>
>> Sorry, this slipped through. An update for stable-security would be very
>> welcome.
>
> Test packages (both amd64 and i386) with build logs can be found at
> http://pkg-multimedia.alioth.debian.org/ffmpeg-lenny/ for now.
>
> Please note that because lenny does *not* ship FFmpeg 0.5 but an earlier
> snapshot, not all patches did apply cleanly.  I did my best to backport
> all patches, but I needed to drop three of them:
>
> security/libavcodec/mpegaudiodec/0002-Check-data_size-in-decode_frame_mp3on4.patch
> security/libavformat/mov/0003-check-stream-existence-before-assignment-fix-1222.patch
> security/libavcodec/vp3/0003-Make-sure-that-all-memory-allocations-succeed.patch
>
> The biggest problem is that I haven't tested them yet. Testers very
> welcome!
>
> If I get positive feedback, or Moritz asks me to do so, I'll of course
> upload to security.debian.org immediately.

ping?
Any interest from the security team having this in lenny?

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4




Bug Marked as found in versions ffmpeg-debian/0.svn20080206-18. Request was from Reinhard Tartler <siretart@tauware.de> to control@bugs.debian.org. (Wed, 13 Jan 2010 08:34:24 GMT)


Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility. (Fri, 22 Jan 2010 17:06:09 GMT)


Notification sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Fri, 22 Jan 2010 17:06:09 GMT)


Message #67 received at 550442-close@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: 550442-close@bugs.debian.org
Subject: Bug#550442: fixed in ffmpeg 4:0.5+svn20090706-5
Date: Fri, 22 Jan 2010 16:47:45 +0000
Source: ffmpeg
Source-Version: 4:0.5+svn20090706-5

We believe that the bug you reported is fixed in the latest version of
ffmpeg, which is due to be installed in the Debian FTP archive:

ffmpeg-dbg_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/ffmpeg-dbg_0.5+svn20090706-5_amd64.deb
ffmpeg-doc_0.5+svn20090706-5_all.deb
  to main/f/ffmpeg/ffmpeg-doc_0.5+svn20090706-5_all.deb
ffmpeg_0.5+svn20090706-5.diff.gz
  to main/f/ffmpeg/ffmpeg_0.5+svn20090706-5.diff.gz
ffmpeg_0.5+svn20090706-5.dsc
  to main/f/ffmpeg/ffmpeg_0.5+svn20090706-5.dsc
ffmpeg_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/ffmpeg_0.5+svn20090706-5_amd64.deb
libavcodec-dev_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/libavcodec-dev_0.5+svn20090706-5_amd64.deb
libavcodec52_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/libavcodec52_0.5+svn20090706-5_amd64.deb
libavdevice-dev_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/libavdevice-dev_0.5+svn20090706-5_amd64.deb
libavdevice52_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/libavdevice52_0.5+svn20090706-5_amd64.deb
libavfilter-dev_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/libavfilter-dev_0.5+svn20090706-5_amd64.deb
libavfilter0_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/libavfilter0_0.5+svn20090706-5_amd64.deb
libavformat-dev_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/libavformat-dev_0.5+svn20090706-5_amd64.deb
libavformat52_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/libavformat52_0.5+svn20090706-5_amd64.deb
libavutil-dev_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/libavutil-dev_0.5+svn20090706-5_amd64.deb
libavutil49_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/libavutil49_0.5+svn20090706-5_amd64.deb
libpostproc-dev_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/libpostproc-dev_0.5+svn20090706-5_amd64.deb
libpostproc51_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/libpostproc51_0.5+svn20090706-5_amd64.deb
libswscale-dev_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/libswscale-dev_0.5+svn20090706-5_amd64.deb
libswscale0_0.5+svn20090706-5_amd64.deb
  to main/f/ffmpeg/libswscale0_0.5+svn20090706-5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 550442@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated ffmpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 22 Jan 2010 16:04:39 +0000
Source: ffmpeg
Binary: ffmpeg ffmpeg-dbg ffmpeg-doc libavutil49 libavcodec52 libavdevice52 libavformat52 libavfilter0 libpostproc51 libswscale0 libavutil-dev libavcodec-dev libavdevice-dev libavformat-dev libavfilter-dev libpostproc-dev libswscale-dev
Architecture: all amd64 source 
Version: 4:0.5+svn20090706-5
Distribution: unstable
Urgency: medium
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 550442 561956
Description:
 ffmpeg-dbg - Debug symbols for ffmpeg related packages
 ffmpeg-doc - documentation of the ffmpeg API
 ffmpeg     - multimedia player, server and encoder
 libavcodec52 - ffmpeg codec library
 libavcodec-dev - development files for libavcodec
 libavdevice52 - ffmpeg device handling library
 libavdevice-dev - development files for libavdevice
 libavfilter0 - ffmpeg video filtering library
 libavfilter-dev - development files for libavfilter
 libavformat52 - ffmpeg file format library
 libavformat-dev - development files for libavformat
 libavutil49 - ffmpeg utility library
 libavutil-dev - development files for libavutil
 libpostproc51 - ffmpeg video postprocessing library
 libpostproc-dev - development files for libpostproc
 libswscale0 - ffmpeg video scaling library
 libswscale-dev - development files for libswscale
Changes:
 ffmpeg (4:0.5+svn20090706-5) unstable; urgency=medium
 .
   * Upload to unstable
   * Urgency medium because of fixed RC bugs (security issues)
 .
 ffmpeg (4:0.5+svn20090706-4) experimental; urgency=low
 .
   [ Loïc Minier ]
   * Use default toolchain setup on ARM flavors for noopt and only add FPU
     CFLAGS in the VFP and NEON flavors; this is ok since internally, cpu will
     be set to "generic" but -march=generic or -mcpu=generic will NOT be added
     to the build flags.
   * Build all armel flavours with -marm since ffmpeg has a lot of hand crafted
     assembly which doesn't build in the new lucid default mode (Thumb 2);
     LP: #488267
   * Build all armel flavours with -fPIC -DPIC instead of just the neon flavour
     as the new flags/toolchain require this in Ubuntu lucid.
   * Build some assembly test code -- just like configure -- to decide whether
     the *default* toolchain uses vfp or neon to decide whether to build the
     vfp and neon flavors.
   * Drop --disable/--enable opt flags such as --disable-neon or
     --enable-armvfp on ARM since the upstream configure script will do the
     right thing when the proper flags are set.
 .
   [ Reinhard Tartler ]
   * build with PIC on powerpc (Closes: #561956)
 .
 ffmpeg (4:0.5+svn20090706-3) experimental; urgency=low
 .
   [ Loïc Minier ]
   * Disable more autodetected ARM arch features
   * Enable neon flavour
   * Update NEON confflags to assume v7 and VFP
   * Add backported NEON patches from ffmpeg trunk
   * Pass proper --cpu and --extra-flags on armel
   * Pass -fPIC -DPIC to neon pass
 .
   [ Fabian Greffrath ]
   * Initialize the FLAVORS variable to static instead of appending to
     it. Also, we do not support the internalencoders variable anymore.
 .
   [ Andres Mejia ]
   * Remove unused patches from packaging.
   * Update Vcs-* entries to new location.
   * Bump Standards-Version to 3.8.3.
 .
   [ Reinhard Tartler ]
   * change shlibs file to make applications depend on the -extra- packages
   * loosen dependencies further, so that the -dev packages remain
     installable even if ffmpeg-extra is 'out-of-date'
   * add patch for issue1245: Make arguments of av_set_pts_info() unsigned.
   * Support constant-quant encoding for libtheora, LP: #356322
   * increase swscale compile time width (VOF/VOFW), LP: #443264
   * Backports of various security patches, Closes: #550442, including:
      - backport fixes for vorbis_dec
      - backport oggparsevorbis fix
      - backport vp3 fixes
      - backport ffv1 fix
      - libavcodec/mpegaudiodec.c backports
      - h264 security backports
      - backported libavformat/mov.c security fixes
      - backported libavformat/oggdec.c security fixes
      - backport svn r18016 aka 'MOV-Support-stz2-Compact-Sample-Size-Box'
        to fix FTBFS
   * enable symbol versioning
   * bump shlibs version
   * add README.source describing how this source package manages patches
   * make sure the ${misc:Depends} substvar is used for each binary package
Checksums-Sha1: 
Checksums-Sha256: 
Files: 






Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Fri, 22 Jan 2010 17:15:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 22 Jan 2010 17:15:03 GMT)


Message #72 received at 550442@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Reinhard Tartler <siretart@tauware.de>
Cc: 550442@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org
Subject: Re: Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Date: Fri, 22 Jan 2010 18:10:55 +0100
On Wed, Jan 13, 2010 at 09:28:43AM +0100, Reinhard Tartler wrote:
> found 550442 0.svn20080206-18
> stop
> 
> On Sa, Dez 05, 2009 at 00:33:02 (CET), Reinhard Tartler wrote:
> 
> > Moritz Muehlenhoff <jmm@inutil.org> writes:
> >
> >> Sorry, this slipped through. An update for stable-security would be very
> >> welcome.
> >
> > Test packages (both amd64 and i386) with build logs can be found at
> > http://pkg-multimedia.alioth.debian.org/ffmpeg-lenny/ for now.
> >
> > Please note that because lenny does *not* ship FFmpeg 0.5 but an earlier
> > snapshot, not all patches did apply cleanly.  I did my best to backport
> > all patches, but I needed to drop three of them:
> >
> > security/libavcodec/mpegaudiodec/0002-Check-data_size-in-decode_frame_mp3on4.patch
> > security/libavformat/mov/0003-check-stream-existence-before-assignment-fix-1222.patch
> > security/libavcodec/vp3/0003-Make-sure-that-all-memory-allocations-succeed.patch
> >
> > The biggest problem is that I haven't tested them yet. Testers very
> > welcome!
> >
> > If I get positive feedback, or Moritz asks me to do so, I'll of course
> > upload to security.debian.org immediately.
> 
> ping?
> Any interest from the security team having this in lenny?

Sorry, I've been busy. I'll test, review and release.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Thu, 28 Jan 2010 21:30:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 28 Jan 2010 21:30:03 GMT)


Message #77 received at 550442@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Reinhard Tartler <siretart@tauware.de>
Cc: 550442@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Date: Thu, 28 Jan 2010 22:26:45 +0100
On Fri, Jan 22, 2010 at 06:10:55PM +0100, Moritz Muehlenhoff wrote:
> On Wed, Jan 13, 2010 at 09:28:43AM +0100, Reinhard Tartler wrote:
> > found 550442 0.svn20080206-18
> > stop
> > 
> > On Sa, Dez 05, 2009 at 00:33:02 (CET), Reinhard Tartler wrote:
> > 
> > > Moritz Muehlenhoff <jmm@inutil.org> writes:
> > >
> > >> Sorry, this slipped through. An update for stable-security would be very
> > >> welcome.
> > >
> > > Test packages (both amd64 and i386) with build logs can be found at
> > > http://pkg-multimedia.alioth.debian.org/ffmpeg-lenny/ for now.
> > >
> > > Please note that because lenny does *not* ship FFmpeg 0.5 but an earlier
> > > snapshot, not all patches did apply cleanly.  I did my best to backport
> > > all patches, but I needed to drop three of them:
> > >
> > > security/libavcodec/mpegaudiodec/0002-Check-data_size-in-decode_frame_mp3on4.patch
> > > security/libavformat/mov/0003-check-stream-existence-before-assignment-fix-1222.patch
> > > security/libavcodec/vp3/0003-Make-sure-that-all-memory-allocations-succeed.patch
> > >
> > > The biggest problem is that I haven't tested them yet. Testers very
> > > welcome!
> > >
> > > If I get positive feedback, or Moritz asks me to do so, I'll of course
> > > upload to security.debian.org immediately.
> > 
> > ping?
> > Any interest from the security team having this in lenny?
> 
> Sorry, I've been busy. I'll test, review and release.

Updates are tested and building, should appear soon.

Cheers,
       Moritz





Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Tue, 09 Feb 2010 08:57:03 GMT)


Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 09 Feb 2010 08:57:03 GMT)


Message #82 received at 550442@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 550442@bugs.debian.org
Subject: Re: Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Date: Tue, 09 Feb 2010 09:53:46 +0100
On Thu, Jan 28, 2010 at 22:26:45 (CET), Moritz Muehlenhoff wrote:

> On Fri, Jan 22, 2010 at 06:10:55PM +0100, Moritz Muehlenhoff wrote:
>> On Wed, Jan 13, 2010 at 09:28:43AM +0100, Reinhard Tartler wrote:
>> > found 550442 0.svn20080206-18
>> > stop
>> > 
>> > On Sat, Dec 05, 2009 at 00:33:02 (CET), Reinhard Tartler wrote:
>> > 
>> > > Moritz Muehlenhoff <jmm@inutil.org> writes:
>> > >
>> > >> Sorry, this slipped through. An update for stable-security would be very
>> > >> welcome.
>> > >
>> > > Test packages (both amd64 and i386) with build logs can be found at
>> > > http://pkg-multimedia.alioth.debian.org/ffmpeg-lenny/ for now.
>> > >
>> > > Please note that because lenny does *not* ship FFmpeg 0.5 but an earlier
>> > > snapshot, not all patches did apply cleanly.  I did my best to backport
>> > > all patches, but I needed to drop three of them:
>> > >
>> > > security/libavcodec/mpegaudiodec/0002-Check-data_size-in-decode_frame_mp3on4.patch
>> > > security/libavformat/mov/0003-check-stream-existence-before-assignment-fix-1222.patch
>> > > security/libavcodec/vp3/0003-Make-sure-that-all-memory-allocations-succeed.patch
>> > >
>> > > The biggest problem is that I haven't tested them yet. Testers very
>> > > welcome!
>> > >
>> > > If I get positive feedback, or Moritz asks me to do so, I'll of course
>> > > upload to security.debian.org immediately.
>> > 
>> > ping?
>> > Any interest from the security team having this in lenny?
>> 
>> Sorry, I've been busy. I'll test, review and release.
>
> Updates are tested and building, should appear soon.

ping? I've noticed a failed upload, but no packages in the archive nor
any announcement. Are we still on track?

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#550442; Package ffmpeg. (Tue, 09 Feb 2010 20:36:02 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 09 Feb 2010 20:36:02 GMT)


Message #87 received at 550442@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Reinhard Tartler <siretart@tauware.de>
Cc: 550442@bugs.debian.org
Subject: Re: Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization
Date: Tue, 9 Feb 2010 21:34:31 +0100
On Tue, Feb 09, 2010 at 09:53:46AM +0100, Reinhard Tartler wrote:
> On Thu, Jan 28, 2010 at 22:26:45 (CET), Moritz Muehlenhoff wrote:
> 
> > On Fri, Jan 22, 2010 at 06:10:55PM +0100, Moritz Muehlenhoff wrote:
> >> On Wed, Jan 13, 2010 at 09:28:43AM +0100, Reinhard Tartler wrote:
> >> > found 550442 0.svn20080206-18
> >> > stop
> >> > 
> >> > On Sat, Dec 05, 2009 at 00:33:02 (CET), Reinhard Tartler wrote:
> >> > 
> >> > > Moritz Muehlenhoff <jmm@inutil.org> writes:
> >> > >
> >> > >> Sorry, this slipped through. An update for stable-security would be very
> >> > >> welcome.
> >> > >
> >> > > Test packages (both amd64 and i386) with build logs can be found at
> >> > > http://pkg-multimedia.alioth.debian.org/ffmpeg-lenny/ for now.
> >> > >
> >> > > Please note that because lenny does *not* ship FFmpeg 0.5 but an earlier
> >> > > snapshot, not all patches did apply cleanly.  I did my best to backport
> >> > > all patches, but I needed to drop three of them:
> >> > >
> >> > > security/libavcodec/mpegaudiodec/0002-Check-data_size-in-decode_frame_mp3on4.patch
> >> > > security/libavformat/mov/0003-check-stream-existence-before-assignment-fix-1222.patch
> >> > > security/libavcodec/vp3/0003-Make-sure-that-all-memory-allocations-succeed.patch
> >> > >
> >> > > The biggest problem is that I haven't tested them yet. Testers very
> >> > > welcome!
> >> > >
> >> > > If I get positive feedback, or Moritz asks me to do so, I'll of course
> >> > > upload to security.debian.org immediately.
> >> > 
> >> > ping?
> >> > Any interest from the security team having this in lenny?
> >> 
> >> Sorry, I've been busy. I'll test, review and release.
> >
> > Updates are tested and building, should appear soon.
> 
> ping? I've noticed a failed upload, but no packages in the archive nor
> any announcement. Are we still on track?

Packages are built on security-master and tested. I'm waiting for CVE
assignment from either CERT or MITRE for more than a week now. If they
don't react soon, I'll just go ahead and release w/o CVE IDs.

Cheers,
        Moritz




Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility. (Sun, 06 Feb 2011 09:36:09 GMT)


Notification sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 06 Feb 2011 09:36:09 GMT)


Message #92 received at 550442-close@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: 550442-close@bugs.debian.org
Subject: Bug#550442: fixed in ffmpeg 4:0.6.1-3
Date: Sun, 06 Feb 2011 09:33:17 +0000
Source: ffmpeg
Source-Version: 4:0.6.1-3

We believe that the bug you reported is fixed in the latest version of
ffmpeg, which is due to be installed in the Debian FTP archive:

ffmpeg-dbg_0.6.1-3_i386.deb
  to main/f/ffmpeg/ffmpeg-dbg_0.6.1-3_i386.deb
ffmpeg-doc_0.6.1-3_all.deb
  to main/f/ffmpeg/ffmpeg-doc_0.6.1-3_all.deb
ffmpeg_0.6.1-3.diff.gz
  to main/f/ffmpeg/ffmpeg_0.6.1-3.diff.gz
ffmpeg_0.6.1-3.dsc
  to main/f/ffmpeg/ffmpeg_0.6.1-3.dsc
ffmpeg_0.6.1-3_i386.deb
  to main/f/ffmpeg/ffmpeg_0.6.1-3_i386.deb
libavcodec-dev_0.6.1-3_i386.deb
  to main/f/ffmpeg/libavcodec-dev_0.6.1-3_i386.deb
libavcodec52_0.6.1-3_i386.deb
  to main/f/ffmpeg/libavcodec52_0.6.1-3_i386.deb
libavdevice-dev_0.6.1-3_i386.deb
  to main/f/ffmpeg/libavdevice-dev_0.6.1-3_i386.deb
libavdevice52_0.6.1-3_i386.deb
  to main/f/ffmpeg/libavdevice52_0.6.1-3_i386.deb
libavfilter-dev_0.6.1-3_i386.deb
  to main/f/ffmpeg/libavfilter-dev_0.6.1-3_i386.deb
libavfilter1_0.6.1-3_i386.deb
  to main/f/ffmpeg/libavfilter1_0.6.1-3_i386.deb
libavformat-dev_0.6.1-3_i386.deb
  to main/f/ffmpeg/libavformat-dev_0.6.1-3_i386.deb
libavformat52_0.6.1-3_i386.deb
  to main/f/ffmpeg/libavformat52_0.6.1-3_i386.deb
libavutil-dev_0.6.1-3_i386.deb
  to main/f/ffmpeg/libavutil-dev_0.6.1-3_i386.deb
libavutil50_0.6.1-3_i386.deb
  to main/f/ffmpeg/libavutil50_0.6.1-3_i386.deb
libpostproc-dev_0.6.1-3_i386.deb
  to main/f/ffmpeg/libpostproc-dev_0.6.1-3_i386.deb
libpostproc51_0.6.1-3_i386.deb
  to main/f/ffmpeg/libpostproc51_0.6.1-3_i386.deb
libswscale-dev_0.6.1-3_i386.deb
  to main/f/ffmpeg/libswscale-dev_0.6.1-3_i386.deb
libswscale0_0.6.1-3_i386.deb
  to main/f/ffmpeg/libswscale0_0.6.1-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 550442@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated ffmpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 30 Jan 2011 09:22:11 +0100
Source: ffmpeg
Binary: ffmpeg ffmpeg-dbg ffmpeg-doc libavutil50 libavcodec52 libavdevice52 libavformat52 libavfilter1 libpostproc51 libswscale0 libavutil-dev libavcodec-dev libavdevice-dev libavformat-dev libavfilter-dev libpostproc-dev libswscale-dev
Architecture: all i386 source
Version: 4:0.6.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 294422 298095 369127 374931 420230 420231 495274 501891 522449 525385 538082 550442 559712 561553 561956 569727 582274 583728
Description: 
 ffmpeg     - Multimedia player, server, encoder and transcoder
 ffmpeg-dbg - Debug symbols for FFmpeg related packages
 ffmpeg-doc - Documentation of the FFmpeg API
 libavcodec-dev - Development files for libavcodec
 libavcodec52 - FFmpeg codec library
 libavdevice-dev - Development files for libavdevice
 libavdevice52 - FFmpeg device handling library
 libavfilter-dev - Development files for libavfilter
 libavfilter1 - FFmpeg video filtering library
 libavformat-dev - Development files for libavformat
 libavformat52 - FFmpeg file format library
 libavutil-dev - Development files for libavutil
 libavutil50 - FFmpeg utility library
 libpostproc-dev - Development files for libpostproc
 libpostproc51 - FFmpeg video postprocessing library
 libswscale-dev - Development files for libswscale
 libswscale0 - Ffmpeg video scaling library
Changes: 
 ffmpeg (4:0.6.1-3) unstable; urgency=low
 .
   * add libxfixes-dev to build depends
   * minor packaging cleanups
   * revised package description
   * detect libopenjpeg and dirac at build-time
   * remove note about packages being "Debian-specific"
   * simplify lintian-overrides
   * Sanitize LDFLAGS variable; it seems that dpkg-buildflags injects
     -Wl,-Bsymbolic-functions to LDFLAGS, which breaks the build on amd64
 .
 ffmpeg (4:0.6.1-2) experimental; urgency=low
 .
   [ Jonas Smedegaard ]
   * Relax mplayer Breaks to permit backports and other early releases.
 .
   [ Reinhard Tartler ]
   * Bump Standards-Version, no changes needed.
 .
   [ Matthias Klose ]
   * Configure with --enable-pic on powerpc. LP: #654666.
 .
 ffmpeg (4:0.6.1-1) experimental; urgency=low
 .
   * Imported Upstream version 0.6.1
   * prepare new upload
   * remove patches merged upstream
   * add gitignore file
 .
 ffmpeg (4:0.6-2) experimental; urgency=low
 .
   [ Fabian Greffrath ]
   * Enable RTMP[E] support via librtmp.
   * Disable aac encoder, see README.Debian.
   * Fix obsolete-relation-form for the internal dependencies.
   * Merge debian/README.Source into debian/README.source and add section
     headers.
   * Remove obsoleted support for the non-free libamr-nb/wb.
 .
   [ Reinhard Tartler ]
   * enable runtime-cpudetect
   * conditionally build against opencore-amr if installed in the build
     environment
   * update upstream url in debian/copyright
   * fix usage documentation in debian/get-orig-source.sh
   * update dep3 headers for debian/patches/900_doxyfile
   * add proper replaces for moving presets back to ffmpeg
   * make debian/patches gbp-pq friendly
   * Add VP80 fourcc to libavformat/riff.c
   * Backport-AAC-HE-v2
   * bump Standards-Version, no changes needed
 .
 ffmpeg (4:0.6-1) experimental; urgency=low
 .
   * new upstream release
     - adds VP8 support via libvpx, Closes: #582274
   * depend on libavfilter-extra-1 instead of -0, Closes: #583728
   * add conflicts to the ffprobe package, it has been merged upstream now
 .
 ffmpeg (4:0.6~svn20100505-1) experimental; urgency=low
 .
   * update to new upstream. Closes: #569727
     - fixes various segfaults and other minor feature improvements
       Closes: #374931, #522449, #501891, #559712, #420231, #369127, #538082,
               #298095, #294422, #561553, #525385, #495274, #420230
       LP: #305286, #457106, #529200, #301723, #305315, #336479, #420230,
           #412063, #428912, #432181, #440591, #453732, #453732, #453732,
           #514259, #515243, #521472, #530186, #530186, #197842, #483317,
           #483317, #539407, #280098, #331255, #566107, #569823, #570305,
           #573190
   * Fixup lintian overrides for new upstream snapshot
   * Bump Standards-Version to 3.8.4
   * Many upstream changes, see upstream Changelog for details
 .
 ffmpeg (4:0.5+svn20090706-5) unstable; urgency=medium
 .
   * Upload to unstable
   * Urgency medium because of fixed RC bugs (security issues)
 .
 ffmpeg (4:0.5+svn20090706-4) experimental; urgency=low
 .
   [ Loïc Minier ]
   * Use default toolchain setup on ARM flavors for noopt and only add FPU
     CFLAGS in the VFP and NEON flavors; this is ok since internally, cpu will
     be set to "generic" but -march=generic or -mcpu=generic will NOT be added
     to the build flags.
   * Build all armel flavours with -marm since ffmpeg has a lot of hand crafted
     assembly which doesn't build in the new lucid default mode (Thumb 2);
     LP: #488267
   * Build all armel flavours with -fPIC -DPIC instead of just the neon flavour
     as the new flags/toolchain require this in Ubuntu lucid.
   * Build some assembly test code -- just like configure -- to decide whether
     the *default* toolchain uses vfp or neon to decided whether to build the
     vfp and neon flavors.
   * Drop --disable/--enable opt flags such as --disable-neon or
     --enable-armvfp on ARM since the upstream configure script will do the
     right thing when the proper flags are set.
 .
   [ Reinhard Tartler ]
   * build with PIC on powerpc (Closes: #561956)
 .
 ffmpeg (4:0.5+svn20090706-3) experimental; urgency=low
 .
   [ Loïc Minier ]
   * Disable more autodetecter ARM arch features
   * Enable neon flavour
   * Update NEON confflags to assume v7 and VFP
   * Add backported NEON patches from ffmpeg trunk
   * Pass proper --cpu and --extra-flags on armel
   * Pass -fPIC -DPIC to neon pass
 .
   [ Fabian Greffrath ]
   * Initialize the FLAVORS variable to static instead of appending to
     it. Also, we do not support the internalencoders variable anymore.
 .
   [ Andres Mejia ]
   * Remove unused patches from packaging.
   * Update Vcs-* entries to new location.
   * Bump Standards-Version to 3.8.3.
 .
   [ Reinhard Tartler ]
   * change shlibs file to make applications depend on the -extra- packages
   * loosen dependencies further, so that the -dev packages remain
     installable even if ffmpeg-extra is 'out-of-date'
   * add patch for issue1245: Make arguments of av_set_pts_info() unsigned.
   * Support constant-quant encoding for libtheora, LP: #356322
   * increase swscale compile time width (VOF/VOFW), LP: #443264
   * Backports of various security patches, Closes: #550442, including:
      - backport fixes for vorbis_dec
      - backport oggparsevorbis fix
      - backport vp3 fixes
      - backport ffv1 fix
      - libavcodec/mpegaudiodec.c backports
      - h264 security backports
      - backported libavformat/mov.c security fixes
      - backported libavformat/oggdec.c security fixes
      - backport svn r18016 aka 'MOV-Support-stz2-Compact-Sample-Size-Box'
        to fix FTBFS
   * enable symbol versioning
   * bump shlibs version
   * add README.source describing how this source package manages patches
   * make sure the ${misc:Depends} substvar is used for each binary package
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Debian Powered!

-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 08:52:59 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jan 7 22:44:37 2018; Machine Name: beach
