Security: Libavcodec in FFmpeg before 0.11 allows remote attackers to execute arbitrary code
Reported by
nathanb@lenovo-chrome.com,
Feb 21 2018
Issue description
CVE-2012-5359 and CVE-2012-5360

These CVE reports describe vulnerabilities in libavcodec allowing remote attackers to execute arbitrary code via crafted ASF and QT files, respectively. I note that the version of ffmpeg included in Chrome OS is 0.10.3, and (unless I overlooked something) I don't see any patches for this particular issue.
Feb 23 2018
Note that the copy in the Chrome OS tree is only used for testing purposes and is not shipped in the production image. Chrome does contain a copy of ffmpeg, but that is a recent version: https://cs.chromium.org/chromium/src/third_party/ffmpeg/RELEASE Thus, Chrome OS is not vulnerable to this.
Feb 23 2018
Hung-Te, the dependency graph suggests we carry the ffmpeg ebuild for factory. Any chance we can uprev to a more modern version?
Feb 23 2018
+stimim I think we have no concern upgrading ffmpeg.
Feb 23 2018
Temporarily assign to chenghan@. Cheng-han, can you try upgrading the package?
Feb 25 2018
Converting to regular bug - no security impact per comment #2.
Sep 28
Triage nag: This Chrome OS bug has an owner but no component. Please add a component so that this can be tracked by the relevant team.
Nov 8
<UI triage> Bug owners, please add the appropriate component to your bug. Thanks!
Nov 9
Jan 11
Setting defect without priority to Pri-2.
Jan 11
Setting defect without priority to Pri-2.
Comment 1 by elawrence@chromium.org, Feb 21 2018
Labels: OS-Chrome