Home page logo
/

bugtraq logo Bugtraq mailing list archives

[ MDVSA-2011:062 ] ffmpeg
From: security () mandriva com
Date: Fri, 01 Apr 2011 23:21:00 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:062
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ffmpeg
 Date    : April 1, 2011
 Affected: 2010.1
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been identified and fixed in ffmpeg:
 
 FFmpeg 0.5 allows remote attackers to cause a denial of service (hang)
 via a crafted file that triggers an infinite loop. (CVE-2009-4636)
 
 flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlayer
 and other products, allows remote attackers to execute arbitrary code
 via a crafted flic file, related to an arbitrary offset dereference
 vulnerability. (CVE-2010-3429)
 
 libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg 0.6.1
 and earlier allows remote attackers to cause a denial of service
 (application crash) via a crafted .ogg file, related to the
 vorbis_floor0_decode function. (CVE-2010-4704)
 
 Fix heap corruption crashes (CVE-2011-0722)
 
 Fix invalid reads in VC-1 decoding (CVE-2011-0723)
 
 And several additional vulnerabilites originally discovered by Google
 Chrome developers were also fixed with this advisory.
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4636
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3429
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4704
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0722
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0723
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:
 b4db9e819fe581e61ad59225fe630a25  2010.1/i586/ffmpeg-0.6-0.22960.5.1mdv2010.2.i586.rpm
 b2ba7998b8549d1a0434d51ff76ddfed  2010.1/i586/libavformats52-0.6-0.22960.5.1mdv2010.2.i586.rpm
 ce8964529073304413e3591f8d0de20b  2010.1/i586/libavutil50-0.6-0.22960.5.1mdv2010.2.i586.rpm
 da9b5200a498933bd3a1e5e000937a90  2010.1/i586/libffmpeg52-0.6-0.22960.5.1mdv2010.2.i586.rpm
 64a5a0c59fba081b54f7538fd658f66f  2010.1/i586/libffmpeg-devel-0.6-0.22960.5.1mdv2010.2.i586.rpm
 e6fa096ebf765e1258a13bd578a8de68  2010.1/i586/libffmpeg-static-devel-0.6-0.22960.5.1mdv2010.2.i586.rpm
 4cc7830f9684161826518db3077ca207  2010.1/i586/libpostproc51-0.6-0.22960.5.1mdv2010.2.i586.rpm
 be1e63a9da0a1b48308390ce48dc30cb  2010.1/i586/libswscaler0-0.6-0.22960.5.1mdv2010.2.i586.rpm 
 87155585e9ad3413d3210489a539a62f  2010.1/SRPMS/ffmpeg-0.6-0.22960.5.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 f26e9389ab90769c9d41379063b44052  2010.1/x86_64/ffmpeg-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 c1f7175cad48f46cfdd2b0d57c5f1d82  2010.1/x86_64/lib64avformats52-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 da8802f10ae716e344a85d27061716e2  2010.1/x86_64/lib64avutil50-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 abe637a5f54bf30b8738bc77d3a505cd  2010.1/x86_64/lib64ffmpeg52-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 528f1d86498f7c6d975aaa58c30715d6  2010.1/x86_64/lib64ffmpeg-devel-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 c77efb105b06ee700d1094e0f468bc6d  2010.1/x86_64/lib64ffmpeg-static-devel-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 2b46dcebe1a563aed2e9949f5869be8b  2010.1/x86_64/lib64postproc51-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 e1f77931ce1aa23bbc8f1b8f607548ff  2010.1/x86_64/lib64swscaler0-0.6-0.22960.5.1mdv2010.2.x86_64.rpm 
 87155585e9ad3413d3210489a539a62f  2010.1/SRPMS/ffmpeg-0.6-0.22960.5.1mdv2010.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNlhb3mqjQ0CJFipgRAn9IAJ9Yxk/y7oQNkzbAf0CXuET3XPRYYwCdF7V6
mAdlwouwYl64jARlHgI/M2w=
=AyKF
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • [ MDVSA-2011:062 ] ffmpeg security (Apr 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]