FS#54613 - [faad2] denial of service (CVE-2017-92((57..53)) CVE-2017-92((23..18)))
Attached to Project:
Arch Linux
Opened by Santiago Torres (sangy) - Tuesday, 27 June 2017, 16:52 GMT
Last edited by Jan de Groot (JGC) - Tuesday, 15 August 2017, 09:24 GMT
Details
Summary
=======
The package faad2 is vulnerable to denial of service via CVE-2017-9257, CVE-2017-9256, CVE-2017-9255, CVE-2017-9254, CVE-2017-9253, CVE-2017-9223, CVE-2017-9222, CVE-2017-9221, CVE-2017-9220, CVE-2017-9219 and CVE-2017-9218.

Guidance
========
There doesn't seem to be an upstream release underway, so we will probably have to find and backport/write our own.

References
==========
https://security.archlinux.org/AVG-328
http://seclists.org/fulldisclosure/2017/Jun/32
Closed by Jan de Groot (JGC)
Tuesday, 15 August 2017, 09:24 GMT
Reason for closing: Fixed
Additional comments about closing: This was fixed in 2.8.1-1.
In the last case, try to check if it is possible to drop faad2 without losing the option to decode faad2 archives (does another package provide the functionality?) to alleviate the accumulating issues.
Checking the Debian bug tracker page points out that none of the CVE-2017 issues are fixed yet in 2.8.1-1, so it looks like either we find an active fork like Debian's or we drop it, unless we are OK with this security hole. Oh yeah, don't forget all the CVE-2017 issues listed here are remotely exploitable.
Also, you beat me, since this bug was not showing on the Security tab on the Arch page.