Debian Security Advisory

DLA-1611-2 libav -- LTS security update

Date Reported:
21 Dec 2018
Affected Packages:
libav
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2015-6822, CVE-2015-6823, CVE-2015-6824.
More information:

Two more security issues have been corrected in the libav multimedia library. This is a follow-up announcement for DLA-1611-1.

  • CVE-2015-6823

    The allocate_buffers function in libavcodec/alac.c did not initialize certain context data, which allowed remote attackers to cause a denial of service (segmentation violation) or possibly have unspecified other impact via crafted Apple Lossless Audio Codec (ALAC) data. This issue has now been addressed by clearing pointers in avcodec/alac.c's allocate_buffers().

    Contrary to what the debian/changelog of upload 6:11.12-1~deb8u2 states, this issue was only fixed with upload 6:11.12-1~deb8u3.

  • CVE-2015-6824

    The sws_init_context function in libswscale/utils.c did not initialize certain pixbuf data structures, which allowed remote attackers to cause a denial of service (segmentation violation) or possibly have unspecified other impact via crafted video data. These pixbuf structures in swscale/utils.c are now cleared, which fixes the use of uninitialized memory.

    Contrary to what the debian/changelog of upload 6:11.12-1~deb8u2 states, this issue was only fixed with upload 6:11.12-1~deb8u3.
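Both fixes follow the same pattern: pointer fields in a context structure are left unset, and a later step (typically the cleanup path after a partial failure) reads them as if they were valid. The following is an added illustration of that bug class and its fix, not libav's code; the context layout, the names (toy_ctx, allocate_buffers, run_scenario, tracked_alloc) and the failure injection are all hypothetical. A small tracked allocator stands in for malloc/free so that the program can report how many never-allocated pointers the cleanup path would have released, where real code would segfault or corrupt the heap.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoder context (not libav's): each channel owns three
 * sample buffers that are allocated together and released together. */
#define CHANNELS 2
typedef struct {
    int *predict_error[CHANNELS];
    int *output_samples[CHANNELS];
    int *extra_bits[CHANNELS];
} toy_ctx;

/* Tracked allocator: remembers live allocations so the cleanup path can
 * tell a real buffer from a stale value without dereferencing or freeing it. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int fail_after;   /* >= 0: make the (fail_after+1)-th allocation fail */
static int allocs_done;
static int bogus_frees;  /* releases of pointers that were never allocated */

static void *tracked_alloc(size_t n)
{
    if (fail_after >= 0 && allocs_done >= fail_after)
        return NULL;                       /* injected allocation failure */
    void *p = calloc(1, n);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; break; }
    allocs_done++;
    return p;
}

static void tracked_release(int **slot)
{
    int *p = *slot;
    *slot = NULL;
    if (!p)
        return;                            /* NULL is always safe to release */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    bogus_frees++;                         /* a real free() here would crash or corrupt */
}

static void free_buffers(toy_ctx *ctx)
{
    for (int ch = 0; ch < CHANNELS; ch++) {
        tracked_release(&ctx->predict_error[ch]);
        tracked_release(&ctx->output_samples[ch]);
        tracked_release(&ctx->extra_bits[ch]);
    }
}

/* clear_first = 0 reproduces the unfixed behaviour; clear_first = 1 applies
 * the fix described in the advisory: zero every pointer before the first
 * allocation so that the error path never sees stale values. */
static int allocate_buffers(toy_ctx *ctx, size_t samples, int clear_first)
{
    if (clear_first)
        memset(ctx, 0, sizeof(*ctx));
    for (int ch = 0; ch < CHANNELS; ch++) {
        if (!(ctx->predict_error[ch]  = tracked_alloc(samples * sizeof(int)))) goto fail;
        if (!(ctx->output_samples[ch] = tracked_alloc(samples * sizeof(int)))) goto fail;
        if (!(ctx->extra_bits[ch]     = tracked_alloc(samples * sizeof(int)))) goto fail;
    }
    return 0;
fail:
    free_buffers(ctx);                     /* touches every field, set or not */
    return -1;
}

/* Run one scenario on a context whose memory was never initialised (filled
 * with 0xAB as a stand-in for leftover stack contents).  fail_at < 0 means
 * no injected failure.  Returns the number of stale pointers the cleanup
 * path tried to release; the allocate_buffers result goes to *rc_out. */
int run_scenario(int fail_at, int clear_first, int *rc_out)
{
    toy_ctx ctx;
    memset(&ctx, 0xAB, sizeof ctx);
    memset(live, 0, sizeof live);
    allocs_done = 0; bogus_frees = 0; fail_after = fail_at;
    int rc = allocate_buffers(&ctx, 64, clear_first);
    if (rc == 0)
        free_buffers(&ctx);                /* success path: release normally */
    if (rc_out)
        *rc_out = rc;
    return bogus_frees;
}

int main(void)
{
    int rc;
    printf("unfixed, 2nd alloc fails: %d stale releases\n", run_scenario(1, 0, &rc));
    printf("fixed,   2nd alloc fails: %d stale releases\n", run_scenario(1, 1, &rc));
    printf("unfixed, no failure:      %d stale releases\n", run_scenario(-1, 0, &rc));
    return 0;
}
```

The unfixed variant behaves correctly as long as every allocation succeeds, which is why the defect survives ordinary testing: it only surfaces when crafted input drives the routine down the error path with part of the context still unset. Zeroing the structure before the first allocation (or allocating the context with a zeroing allocator) makes the cleanup safe to run at any point, which is the essence of the changes described above.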

For Debian 8 Jessie, these problems have been fixed in version 6:11.12-1~deb8u3.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS