Potential bugs in gstreamer0.10-ffmpeg

Jiyong Jang jiyongj at cmu.edu
Wed Nov 9 22:04:32 UTC 2011

We are involved in a software security research project called ReDebug
out of Carnegie Mellon University. We believe we have found vulnerable
code in a project you maintain related to CVE-2008-3230, CVE-2008-4610, CVE-2008-4866.  
This email and the attachment describes the vulnerability.   We apologize for the
form-letterness of this email; we found over 11,000 such
vulnerabilities in our research project, and are trying to get the
word out to all developers.   What we hope to get from you is a
confirmation whether the identified problem is real for a paper we are

The goal of ReDebug is to find unpatched code clones at OS
distribution-sized code bases.  An unpatched code clone occurs when
code is copied from a project, but later patches to that project are
not propagated to the copies.  As part of this research, we downloaded
over 1.7 billion lines of code, including all source code from Debian,
Ubuntu, and all C code from SourceForge.  ReDebug identified 11,287
unpatched code clones for patches associated with Debian security
advisories in about 6 hours on a MacBook Pro Laptop.

Our attached file is a snapshot from our database that first shows the
patch to the original package, and then shows unpatched code clones in
the package we think you may maintain. The unpatched code has been
patched in other packages per a Debian security advisory.

The attached web page shows:
- A patch, with the appropriate CVE number or other identifier as
part of the file name. You can google the CVE to find more
information, or consult the Debian security archive for the patch.
- A list of code snippets showing the identified unpatched code.

We understand you are very busy, but it would very much help our
research if you could reply with confirmation on whether  the
identified problem(s) are really bugs.

Take care,
- Jiyong Jang, Abeer Agrawal, and David Brumley

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-gstreamer-maintainers/attachments/20111109/790b9381/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gstreamer0.10-ffmpeg.zip
Type: application/zip
Size: 5681 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gstreamer-maintainers/attachments/20111109/790b9381/attachment.zip>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-gstreamer-maintainers/attachments/20111109/790b9381/attachment-0001.html>

More information about the pkg-gstreamer-maintainers mailing list