From: Raspbian forward pporter Date: Mon, 24 Dec 2018 17:36:50 +0000 (+0000) Subject: Merge version 6:11.12-1~deb8u1+rpi1 and 6:11.12-1~deb8u3 to produce 6:11.12-1~deb8u3... X-Git-Tag: archive/raspbian/6%11.12-1_deb8u3+rpi1 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=2a1083870a8ec763e0fddbee13570a5651028777;p=libav.git Merge version 6:11.12-1~deb8u1+rpi1 and 6:11.12-1~deb8u3 to produce 6:11.12-1~deb8u3+rpi1 --- 43e63aa2f2fc82ec6d5811db60b0332b5c020a95 diff --cc debian/changelog index f1141b0,3d84e79..5dbb87f --- a/debian/changelog +++ b/debian/changelog @@@ -1,19 -1,54 +1,71 @@@ - libav (6:11.12-1~deb8u1+rpi1) jessie-staging; urgency=medium ++libav (6:11.12-1~deb8u3+rpi1) jessie-staging; urgency=medium + + [changes brought forward from 6:11.3-1+rpi1 by Peter Michael Green at Sun, 29 Mar 2015 02:07:33 +0000] + * Add special case handling for Raspbian (and any derivatives thereof) (Closes: 738760) + + Disable armv6t2 + - note: the thumb2 variant of arv6 seems to be very rare, the Pi certainly + doesn't have it. + + Disable neon in the main build. + + Don't build a seperate neon flavour either. + + [changes brought forward from 6:11.4-1~deb8u1+rpi2 by Peter Michael Green at Thu, 11 Feb 2016 15:58:25 +0000] + * Re-enable specific neon build. + * Move armv6t2 and neon disabling from overall configure flags to static + and shared configure flags so they don't impact the neon-specific build. + - -- Raspbian forward porter Wed, 21 Feb 2018 03:02:59 +0000 ++ -- Raspbian forward porter Mon, 24 Dec 2018 17:36:49 +0000 ++ + libav (6:11.12-1~deb8u3) jessie-security; urgency=medium + + * Non-maintainer upload by the Debian LTS Team. + * debian/patches: + + Rename CVE-2015-6822+6823+6824.patch to CVE-2015-6822.patch.. + * CVE-2015-6823: avcodec/alac: Clear pointers in allocate_buffers(). + * CVE-2015-6824: swscale/utils: Clear pix buffers. Fixes use of + uninitialized memory. 
+ + -- Mike Gabriel Thu, 20 Dec 2018 22:56:40 +0100 + + libav (6:11.12-1~deb8u2) jessie-security; urgency=medium + + * Non-maintainer upload by the Debian LTS Team. + * CVE-2014-9317: avcodec/pngdec: Check IHDR/IDAT order. Prevent remote + attackers from causing a denial of service (out-of-bounds heap access) + and possibly have other unspecified impact via an IDAT before an IHDR + in a PNG file. + * CVE-2015-6761: avcodec/vp8: Do not use num_coeff_partitions in + thread/buffer setup. The variable is not a constant and can lead to + race conditions. + * CVE-2015-6818: avcodec/pngdec: Only allow one IHDR chunk. Multiple IHDR + chunks are forbidden in PNG. Fixes inconsistency and out of array accesses. + * CVE-2015-6820: avcodec/aacsbr: check that the element type matches before + applying SBR. Fixes out of array access. + * CVE-2015-6821: avcodec/mpegvideo: Clear pointers in ff_mpv_common_init(). + This ensures that no stale pointers leak through on any path. + * CVE-2015-6822, CVE-2015-6823, CVE-2015-6824: avcodec/sanm: Reset sizes in + destroy_buffers(). + * CVE-2015-6825: avcodec/pthread_frame: clear priv_data, avoid stale pointer + in error case. + * CVE-2015-6826: avcodec/rv34: Clear pointers in + ff_rv34_decode_init_thread_copy(). Avoids leaving stale pointers. + * CVE-2015-8216: avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() + before using it. Fixes out of array access. + * CVE-2015-8217: avcodec/hevc_ps: Check chroma_format_idc. Fixes out of + array access. + * CVE-2015-8363: avcodec/jpeg2000dec: Check for duplicate SIZ marker. + * CVE-2015-8364: avcodec/ivi: Check image dimensions. Fixes integer overflow. + * CVE-2015-8661: avcodec/h264_slice: Limit max_contexts when + slice_context_count is initialized. Fixes out of array access. + * CVE-2015-8662: avcodec/jpeg2000dwt: Check ndeclevels before calling + dwt_decode*(). Fixes out of array access. + * CVE-2015-8663: avcodec/utils: Clear dimensions in ff_get_buffer() on + failure. 
Fixes out of array access. + * CVE-2016-10190: http: make length/offset-related variables unsigned. + Required cherry-picking 3668701f and 362c17e6 from ffmpeg.git. + * CVE-2016-10191: avformat/rtmppkt: Check for packet size mismatches. + Fixes out of array access. + + -- Mike Gabriel Wed, 19 Dec 2018 14:31:49 +0100 libav (6:11.12-1~deb8u1) jessie-security; urgency=medium
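Review bot: In the 6:11.12-1~deb8u3 entry, the rename of CVE-2015-6822+6823+6824.patch to CVE-2015-6822.patch does not say what it means for the 6:11.12-1~deb8u2 entry below it. That entry still credits the single avcodec/sanm change ("Reset sizes in destroy_buffers()") with CVE-2015-6822, CVE-2015-6823 and CVE-2015-6824. Since deb8u3 now lists separate fixes for CVE-2015-6823 (avcodec/alac) and CVE-2015-6824 (swscale/utils), anyone auditing by changelog could conclude that deb8u2 already covers all three. Consider adding a line to the deb8u3 entry stating that the deb8u2 attribution for 6823 and 6824 was incorrect and that those two are first addressed in deb8u3. Smaller points: the rename line ends in a doubled period ("CVE-2015-6822.patch.."), and the carried-forward Raspbian block has "arv6" for armv6 and "seperate" for separate. If those are being kept verbatim from the earlier +rpi entries that is fine, but it is worth confirming that is deliberate.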