[USN-1320-1] FFmpeg vulnerabilities
Marc Deslauriers
marc.deslauriers at canonical.com
Thu Jan 5 15:23:20 UTC 2012
==========================================================================
Ubuntu Security Notice USN-1320-1
January 05, 2012
ffmpeg vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
FFmpeg could be made to crash or run programs as your login if it
opened a specially crafted file.
Software Description:
- ffmpeg: multimedia player, server and encoder
Details:
Steve Manzuik discovered that FFmpeg incorrectly handled certain malformed
Matroska files. If a user were tricked into opening a crafted Matroska
file, an attacker could cause a denial of service via application crash, or
possibly execute arbitrary code with the privileges of the user invoking
the program. (CVE-2011-3504)
Phillip Langlois discovered that FFmpeg incorrectly handled certain
malformed QDM2 streams. If a user were tricked into opening a crafted QDM2
stream file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2011-4351)
Phillip Langlois discovered that FFmpeg incorrectly handled certain
malformed VP3 streams. If a user were tricked into opening a crafted file,
an attacker could cause a denial of service via application crash, or
possibly execute arbitrary code with the privileges of the user invoking
the program. This issue only affected Ubuntu 10.10. (CVE-2011-4352)
Phillip Langlois discovered that FFmpeg incorrectly handled certain
malformed VP5 and VP6 streams. If a user were tricked into opening a
crafted file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2011-4353)
It was discovered that FFmpeg incorrectly handled certain malformed VMD
files. If a user were tricked into opening a crafted VMD file, an attacker
could cause a denial of service via application crash, or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2011-4364)
Phillip Langlois discovered that FFmpeg incorrectly handled certain
malformed SVQ1 streams. If a user were tricked into opening a crafted SVQ1
stream file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2011-4579)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.10:
libavcodec52 4:0.6-2ubuntu6.3
libavformat52 4:0.6-2ubuntu6.3
Ubuntu 10.04 LTS:
libavcodec52 4:0.5.1-1ubuntu1.3
libavformat52 4:0.5.1-1ubuntu1.3
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1320-1
CVE-2011-3504, CVE-2011-4351, CVE-2011-4352, CVE-2011-4353,
CVE-2011-4364, CVE-2011-4579
Package Information:
https://launchpad.net/ubuntu/+source/ffmpeg/4:0.6-2ubuntu6.3
https://launchpad.net/ubuntu/+source/ffmpeg/4:0.5.1-1ubuntu1.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120105/08d4e4ac/attachment.sig>
More information about the ubuntu-security-announce
mailing list