Security Information / 2011 / Security Information -- DSA-2165-1 ffmpeg-debian

Debian Security Advisory

DSA-2165-1 ffmpeg-debian -- buffer overflow

Date Reported:

16 Feb 2011

Affected Packages:

ffmpeg-debian

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2010-3429, CVE-2010-4704, CVE-2010-4705.

More information:

Several vulnerabilities have been discovered in FFmpeg coders, which are used by MPlayer and other applications.

• CVE-2010-3429

  Cesar Bernardini and Felipe Andres Manzano reported an arbitrary offset dereference vulnerability in the libavcodec, in particular in the FLIC file format parser. A specific FLIC file may exploit this vulnerability and execute arbitrary code. Mplayer is also affected by this problem, as well as other software that use this library.

• CVE-2010-4704

  Greg Maxwell discovered an integer overflow the Vorbis decoder in FFmpeg. A specific Ogg file may exploit this vulnerability and execute arbitrary code.

• CVE-2010-4705

  A potential integer overflow has been discovered in the Vorbis decoder in FFmpeg.

This upload also fixes an incomplete patch from DSA-2000-1. Michael Gilbert noticed that there was remaining vulnerabilities, which may cause a denial of service and potentially execution of arbitrary code.

For the oldstable distribution (lenny), this problem has been fixed in version 0.svn20080206-18+lenny3.

We recommend that you upgrade your ffmpeg-debian packages.