[SECURITY] [DSA 2306-1] ffmpeg security update

    From Giuseppe Iuculano@1:229/2 to All on Sun Sep 11 19:40:02 2011
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-2306-1                    [email protected]
    http://www.debian.org/security/                        Giuseppe Iuculano
    September 11, 2011                      http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : ffmpeg
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2010-3908 CVE-2010-4704 CVE-2011-0480 CVE-2011-0722
    CVE-2011-0723
    Debian Bug : 611495


    Several vulnerabilities have been discovered in ffmpeg, a multimedia player, server and encoder.
    The Common Vulnerabilities and Exposures project identifies the following problems:


    CVE-2010-3908

    FFmpeg before 0.5.4 allows remote attackers to cause a denial of service
    (memory corruption and application crash) or possibly execute arbitrary code
    via a malformed WMV file.


    CVE-2010-4704

    libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg allows remote
    attackers to cause a denial of service (application crash) via a crafted
    .ogg file, related to the vorbis_floor0_decode function.


    CVE-2011-0480

    Multiple buffer overflows in vorbis_dec.c in the Vorbis decoder in FFmpeg
    allow remote attackers to cause a denial of service (memory corruption and
    application crash) or possibly have unspecified other impact via a crafted
    WebM file, related to buffers for the channel floor and the channel residue.


    CVE-2011-0722

    FFmpeg allows remote attackers to cause a denial of service (heap memory
    corruption and application crash) or possibly execute arbitrary code via a
    malformed RealMedia file.


    For the stable distribution (squeeze), these problems have been fixed in
    version 4:0.5.4-1.

    Security support for ffmpeg has been discontinued for the oldstable distribution (lenny).
    The current version in oldstable is not supported by upstream anymore
    and is affected by several security issues. Backporting fixes for these
    and any future issues has become unfeasible and therefore we need to
    drop our security support for the version in oldstable.


    We recommend that you upgrade your ffmpeg packages.
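    As an added example (not part of the Debian advisory or of the ffmpeg
    project), the following Python script checks whether an installed ffmpeg
    version already contains the squeeze fix named above, 4:0.5.4-1. It
    re-implements the Debian version ordering (epoch:upstream-revision, with
    "~" sorting before anything else) so that it runs on a machine without
    dpkg, for instance over an inventory export. On a Debian host itself the
    same check is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' ffmpeg)" ge 4:0.5.4-1`.
    The host inventory in the script is constructed sample data.

```python
"""Check installed ffmpeg versions against the DSA-2306-1 fix version.

Added example, not code from the Debian advisory. The version ordering below
follows Debian policy (dpkg --compare-versions): epoch compared numerically,
then upstream and revision compared as alternating non-digit / digit runs,
with '~' sorting before everything, including the end of the string.
"""
import re

FIXED_VERSION = "4:0.5.4-1"  # squeeze fix version stated in the advisory

_TOKEN = re.compile(r"(\D*)(\d*)")


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)  # last '-' starts the revision
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order(ch):
    """Sort weight of one character inside a non-digit run:
    '~' < end-of-string (weight 0) < letters < other characters."""
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_nondigit(a, b):
    """Compare two non-digit runs; the empty run is allowed on either side."""
    for i in range(max(len(a), len(b))):
        oa = _order(a[i]) if i < len(a) else 0
        ob = _order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _tokens(s):
    """Break a version component into (non-digit run, digit run) pairs."""
    return [(m.group(1), m.group(2)) for m in _TOKEN.finditer(s) if m.group(0)]


def _cmp_part(a, b):
    """Compare an upstream or revision string the way dpkg does."""
    ta, tb = _tokens(a), _tokens(b)
    for i in range(max(len(ta), len(tb))):
        xa, da = ta[i] if i < len(ta) else ("", "")
        xb, db = tb[i] if i < len(tb) else ("", "")
        c = _cmp_nondigit(xa, xb)
        if c:
            return c
        na, nb = int(da) if da else 0, int(db) if db else 0
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 according to Debian version ordering of a vs b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_part(ua, ub)
    return c if c else _cmp_part(ra, rb)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def check_hosts(inventory, fixed=FIXED_VERSION):
    """Map host name -> (installed version, fixed?) for an inventory dict."""
    return {host: (ver, is_fixed(ver, fixed)) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = {
    "web-01": "4:0.5.2-6",      # older squeeze build: not fixed
    "web-02": "4:0.5.4-1",      # exactly the advisory's fix version
    "web-03": "0.5.4-1",        # missing epoch: epoch 0 < 4, so NOT fixed
    "media-04": "4:0.5.4-1~rc1",  # '~' sorts below the plain revision
    "media-05": "4:0.6-1",      # newer upstream: fixed
}

if __name__ == "__main__":
    for host, (ver, ok) in check_hosts(SAMPLE_INVENTORY).items():
        print(f"{host:10} {ver:18} {'fixed' if ok else 'UPGRADE NEEDED'}")
```

    Note the epoch case (web-03): a version string copied without its "4:"
    epoch compares as older than every epoch-4 version, which is exactly
    why dpkg prints the epoch and why a check must not strip it. Hosts still
    on oldstable (lenny) never reach a fixed version, since the advisory
    states that security support for ffmpeg there has been dropped.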

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.11 (GNU/Linux)

    iEYEARECAAYFAk5s7SIACgkQNxpp46476aodAQCaAm5VWfGx6I2A9RNw8stjALGK
    aO0An0Q7J1GF1ylBivmSMYIERy1DMZV1
    =agGR
    -----END PGP SIGNATURE-----

