openSUSE-SU-2015:2120-1: moderate: Security update for ffmpeg
openSUSE Security Update: Security update for ffmpeg
______________________________________________________________________________

Announcement ID: openSUSE-SU-2015:2120-1
Rating: moderate
References: #955346 #955347 #955348 #955350
Cross-References: CVE-2015-8216 CVE-2015-8217 CVE-2015-8218 CVE-2015-8219
Affected Products: openSUSE Leap 42.1
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

The ffmpeg package was updated to version 2.8.2 to fix the following
security and non-security issues:

- CVE-2015-8216: Fixed the ljpeg_decode_yuv_scan function in
  libavcodec/mjpegdec.c which could cause a denial of service
  (out-of-bounds array access) (bnc#955346).
- CVE-2015-8217: Fixed the ff_hevc_parse_sps function in
  libavcodec/hevc_ps.c which could cause a denial of service
  (out-of-bounds array access) (bnc#955347).
- CVE-2015-8218: Fixed the decode_uncompressed function in
  libavcodec/faxcompr.c which could cause a denial of service
  (out-of-bounds array access) (bnc#955348).
- CVE-2015-8219: Fixed the init_tile function in libavcodec/jpeg2000dec.c
  which could cause a denial of service (out-of-bounds array access)
  (bnc#955350).

- Update to new upstream release 2.8.2
  * various fixes in the aac_fixed decoder
  * various fixes in softfloat
  * swresample/resample: increase precision for compensation
  * lavf/mov: add support for sidx fragment indexes
  * avformat/mxfenc: Only store user comment related tags when needed
  * ffmpeg: Don't try and write sdp info if none of the outputs had an rtp
    format.
  * apng: use correct size for output buffer
  * jvdec: avoid unsigned overflow in comparison
  * avcodec/jpeg2000dec: Clip all tile coordinates
  * avcodec/microdvddec: Check for string end in 'P' case
  * avcodec/dirac_parser: Fix undefined memcpy() use
  * avformat/xmv: Discard remainder of packet on error
  * avformat/xmv: factor return check out of if/else
  * avcodec/mpeg12dec: Do not call show_bits() with invalid bits
  * avcodec/faxcompr: Add missing runs check in decode_uncompressed()
  * libavutil/channel_layout: Check strtol*() for failure
  * avformat/mpegts: Only start probing data streams within probe_packets
  * avcodec/hevc_ps: Check chroma_format_idc
  * avcodec/ffv1dec: Check for 0 quant tables
  * avcodec/mjpegdec: Reinitialize IDCT on BPP changes
  * avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using
    it
  * avcodec/h264_slice: Disable slice threads if there are multiple access
    units in a packet
  * avformat/hls: update cookies on setcookie response
  * opusdec: Don't run vector_fmul_scalar on zero length arrays
  * avcodec/opusdec: Fix extra samples read index
  * avcodec/ffv1: Initialize vlc_state on allocation
  * avcodec/ffv1dec: update progress in case of broken pointer chains
  * avcodec/ffv1dec: Clear slice coordinates if they are invalid or slice
    header decoding fails for other reasons
  * rtsp: Allow $ as interleaved packet indicator before a complete
    response header
  * videodsp: don't overread edges in vfix3 emu_edge.
  * avformat/mp3dec: improve junk skipping heuristic
  * concatdec: fix file_start_time calculation regression
  * avcodec: loongson optimize h264dsp idct and loop filter with mmi
  * avcodec/jpeg2000dec: Clear properties in jpeg2000_dec_cleanup() too
  * avformat/hls: add support for EXT-X-MAP
  * avformat/hls: fix segment selection regression on track changes of
    live streams
  * configure: Require libkvazaar < 0.7.
  * avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup
- Drop ffmpeg-mov-sidx-fragment.patch, fixed upstream.

- Update to new upstream release 2.8.1
  * Minor bugfix release
  * Includes all changes from Ffmpeg-mt, libav master of 2015-08-28,
    libav 11 as of 2015-08-28
- Add ffmpeg-mov-sidx-fragment.patch to add sidx fragment indexes. Needed
  for new mpv release.


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.1:

zypper in -t patch openSUSE-2015-821=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE Leap 42.1 (i586 x86_64):

ffmpeg-2.8.2-3.1
ffmpeg-debuginfo-2.8.2-3.1
ffmpeg-debugsource-2.8.2-3.1
ffmpeg-devel-2.8.2-3.1
libavcodec-devel-2.8.2-3.1
libavcodec56-2.8.2-3.1
libavcodec56-debuginfo-2.8.2-3.1
libavdevice-devel-2.8.2-3.1
libavdevice56-2.8.2-3.1
libavdevice56-debuginfo-2.8.2-3.1
libavfilter-devel-2.8.2-3.1
libavfilter5-2.8.2-3.1
libavfilter5-debuginfo-2.8.2-3.1
libavformat-devel-2.8.2-3.1
libavformat56-2.8.2-3.1
libavformat56-debuginfo-2.8.2-3.1
libavresample-devel-2.8.2-3.1
libavresample2-2.8.2-3.1
libavresample2-debuginfo-2.8.2-3.1
libavutil-devel-2.8.2-3.1
libavutil54-2.8.2-3.1
libavutil54-debuginfo-2.8.2-3.1
libpostproc-devel-2.8.2-3.1
libpostproc53-2.8.2-3.1
libpostproc53-debuginfo-2.8.2-3.1
libswresample-devel-2.8.2-3.1
libswresample1-2.8.2-3.1
libswresample1-debuginfo-2.8.2-3.1
libswscale-devel-2.8.2-3.1
libswscale3-2.8.2-3.1
libswscale3-debuginfo-2.8.2-3.1

- openSUSE Leap 42.1 (x86_64):

libavcodec56-32bit-2.8.2-3.1
libavcodec56-debuginfo-32bit-2.8.2-3.1
libavdevice56-32bit-2.8.2-3.1
libavdevice56-debuginfo-32bit-2.8.2-3.1
libavfilter5-32bit-2.8.2-3.1
libavfilter5-debuginfo-32bit-2.8.2-3.1
libavformat56-32bit-2.8.2-3.1
libavformat56-debuginfo-32bit-2.8.2-3.1
libavresample2-32bit-2.8.2-3.1
libavresample2-debuginfo-32bit-2.8.2-3.1
libavutil54-32bit-2.8.2-3.1
libavutil54-debuginfo-32bit-2.8.2-3.1
libpostproc53-32bit-2.8.2-3.1
libpostproc53-debuginfo-32bit-2.8.2-3.1
libswresample1-32bit-2.8.2-3.1
libswresample1-debuginfo-32bit-2.8.2-3.1
libswscale3-32bit-2.8.2-3.1
libswscale3-debuginfo-32bit-2.8.2-3.1
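
A check for hosts that still carry pre-update builds, given as an added example that is not part of the advisory or of any openSUSE tooling: it reads "name version-release" lines and flags the packages listed above when they are older than 2.8.2-3.1. The function name audit_ffmpeg, the sample input and the simplified numeric version comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag installed ffmpeg packages older than the fixed build.
FIXED="2.8.2-3.1"   # version-release from the advisory's package list

# Reads "name version-release" lines on stdin, prints the outdated ones,
# and returns 1 if any were found. Numeric field comparison only; this is a
# simplification of RPM's version ordering, sufficient for these versions.
audit_ffmpeg() {
    awk -v fixed="$FIXED" '
    function cmp(a, b,    x, y, na, nb, n, i) {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) return -1
            if (x[i] + 0 > y[i] + 0) return 1
        }
        return 0
    }
    function older(evr, ref,    p, q, c) {
        split(evr, p, "-"); split(ref, q, "-")
        c = cmp(p[1], q[1])               # upstream version first
        if (c == 0) c = cmp(p[2], q[2])   # then the package release
        return c < 0
    }
    # Package names taken from the advisory, with optional soname digits
    # and -devel/-debuginfo/-debugsource/-32bit suffixes.
    $1 ~ /^(ffmpeg|lib(avcodec|avdevice|avfilter|avformat|avresample|avutil|postproc|swresample|swscale)[0-9]*)(-(devel|debuginfo|debugsource|32bit))*$/ {
        if (older($2, fixed)) { print "OUTDATED", $1, $2; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Constructed sample input (not taken from a real system).
SAMPLE='ffmpeg 2.8.2-3.1
libavcodec56 2.8.1-1.2
libavutil54-32bit 2.8-2.1
libavformat56 2.8.10-1.1
ffmpegthumbs 2.7-1.1
zlib 1.2.8-5.1'

printf '%s\n' "$SAMPLE" | audit_ffmpeg || true
# On a real host:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit_ffmpeg
```

Names outside the advisory's package list are ignored, so an unrelated package whose name merely begins with "ffmpeg" is not reported.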


References:

https://www.suse.com/security/cve/CVE-2015-8216.html
https://www.suse.com/security/cve/CVE-2015-8217.html
https://www.suse.com/security/cve/CVE-2015-8218.html
https://www.suse.com/security/cve/CVE-2015-8219.html
https://bugzilla.suse.com/955346
https://bugzilla.suse.com/955347
https://bugzilla.suse.com/955348
https://bugzilla.suse.com/955350

