1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 2165-1] ffmpeg-debian security update

    From Luciano Bello@1:229/2 to All on Wed Feb 16 15:10:02 2011
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-2165-1 [email protected] http://www.debian.org/security/ Luciano Bello February 16, 2011 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : ffmpeg-debian
    Vulnerability : buffer overflow
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2010-3429 CVE-2010-4704 CVE-2010-4705

    Several vulnerabilities have been discovered in FFmpeg coders, which are used by
    by MPlayer and other applications.


    CVE-2010-3429

    Cesar Bernardini and Felipe Andres Manzano reported an arbitrary offset
    dereference vulnerability in the libavcodec, in particular in the flic file
    format parser. A specific flic file may exploit this vulnerability and execute
    arbitrary code. Mplayer is also affected by this problem, as well as other
    software that use this library.


    CVE-2010-4704

    Greg Maxwell discovered an integer overflow the Vorbis decoder in FFmpeg. A
    specific ogg file may exploit this vulnerability and execute arbitrary code.


    CVE-2010-4705

    A potential integer overflow has been discovered in the Vorbis decoder in
    FFmpeg.


    This upload also fixes an incomplete patch from DSA-2000-1. Michael Gilbert noticed that there was remaining vulnerabilities, which may cause a denial of service and potentially execution of arbitrary code.

    For the oldstable distribution (lenny), this problem has been fixed in
    version 0.svn20080206-18+lenny3.

    We recommend that you upgrade your ffmpeg-debian packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)

    iEYEARECAAYFAk1b2bEACgkQNxpp46476apZfQCgikLMnHum8LZNNkxNTJ3V2AJ2 7ccAoJFdX+ABvUy5ghdchKoPcxNeSegO
    =t0vw
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)