Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request: ffmpeg
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 06 Dec 2011 17:31:44 -0700



Sure!

The 3 other issues got CVEs assigned here:

http://marc.info/?l=oss-security&m=132205107221272&w=2

CVE-2011-4351 - An error within the QDM2 decoder (libavcodec/qdm2.c) can
be exploited to cause a buffer overflow.

Seems to be the following commits in libavcodec/qdm2.c (at least the
last one, the others seem to be a bit older):
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=491eaf35ae1f9b619441314bec33766e31580184
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=291d74a46d32183653db07818c7b3407fd50a288
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=7d49f79f1cd47783a963a757a6563b9cac29db62
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=14db3af4f26dad8e6ddf2147e96ccc710952ad4d
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=895d258e9ba065d035dd30dbc622423031f0185c

Last commit says this fixes NGS00144

CVE-2011-4352 - An integer overflow error within the "vp3_dequant()"
function (libavcodec/vp3.c) can be exploited to cause a buffer overflow.

Seems to be the following commit in libavcodec/vp3.c:
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=eef5c35b4352ec49ca41f6198bee8a976b1f81e5

Commit says this fixes NGS00145

CVE-2011-4353 - Errors within the "av_image_fill_pointers()", the
"vp5_parse_coeff()", and the "vp6_parse_coeff()" functions can be
exploited to trigger out-of-bounds reads.

Seems to be the following commits in libavutil/imgutils.c,
libavcodec/vp5.c, libavcodec/vp6.c:
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c693aa6f71b4f539cf9df67ba42f4b1932981687
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=bb4b0ad83b13c3af57675e80163f3f333adef96f
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e0966eb140b3569b3d6b5b5008961944ef229c06


So, the fourth issue, which is fixed by the following commit that
matches the description doesn't seem to have a CVE number, and doesn't
seem to be related to the others:

"An error within the "svq1_decode_frame()" function
(libavcodec/svq1dec.c) can be exploited to corrupt memory."

http://git.videolan.org/?p=ffmpeg.git;a=commit;h=4931c8f0f10bf8dedcf626104a6b85bfefadc6f2

Commit says it fixes NGS00148.

Marc.

Thanks, context is king =). Please use CVE-2011-4579 for this new issue
( svq1_decode_frame() )

-- 

-Kurt Seifried / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault