Bug 307755 - <media-video/ffmpeg-0.7_rc1: Multiple vulnerabilities (CVE-2009-{4631,4632,4633,4634,4635,4636,4637,4638,4639,4640})
Status: RESOLVED FIXED
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: A2 [glsa]

Reported: 2010-03-04 11:44 UTC by Alex Legler (RETIRED)
Modified: 2013-10-25 19:10 UTC


Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-04 11:44:27 UTC
CVE-2009-4631 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4631):
  Off-by-one error in the VP3 decoder (vp3.c) in FFmpeg 0.5 allows
  remote attackers to cause a denial of service and possibly execute
  arbitrary code via a crafted VP3 file that triggers an out-of-bounds
  read and possibly memory corruption.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-04 11:45:09 UTC
CVE-2009-4632 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4632):
  oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain
  pointer arithmetic, which might allow remote attackers to obtain
  sensitive memory contents and cause a denial of service via a crafted
  file that triggers an out-of-bounds read.

CVE-2009-4633 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4633):
  vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a
  comparison operator was intended, which might allow remote attackers
  to cause a denial of service and possibly execute arbitrary code via
  a crafted file that modifies a loop counter and triggers a heap-based
  buffer overflow.

CVE-2009-4634 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4634):
  Multiple integer underflows in FFmpeg 0.5 allow remote attackers to
  cause a denial of service and possibly execute arbitrary code via a
  crafted file that (1) bypasses a validation check in vorbis_dec.c and
  triggers a wraparound of the stack pointer, or (2) access a pointer
  from out-of-bounds memory in mov.c, related to an elst tag that
  appears before a tag that creates a stream.

CVE-2009-4635 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4635):
  FFmpeg 0.5 allows remote attackers to cause a denial of service and
  possibly execute arbitrary code via a crafted MOV container with
  improperly ordered tags that cause (1) mov.c and (2) utils.c to use
  inconsistent codec types and identifiers, which causes the mp3
  decoder to process a pointer for a video structure, leading to a
  stack-based buffer overflow.

CVE-2009-4636 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4636):
  FFmpeg 0.5 allows remote attackers to cause a denial of service
  (hang) via a crafted file that triggers an infinite loop.

CVE-2009-4637 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4637):
  FFmpeg 0.5 allows remote attackers to cause a denial of service
  (crash) and possibly execute arbitrary code via unknown vectors that
  trigger a stack-based buffer overflow.

CVE-2009-4638 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4638):
  Integer overflow in FFmpeg 0.5 allows remote attackers to cause a
  denial of service (crash) and possibly execute arbitrary code via
  unknown vectors.

CVE-2009-4639 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4639):
  The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows
  remote attackers to cause a denial of service (crash) via a crafted
  AVI file that triggers a divide-by-zero error.

CVE-2009-4640 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4640):
  Array index error in vorbis_dec.c in FFmpeg 0.5 allows remote
  attackers to cause a denial of service and possibly execute arbitrary
  code via a crafted Vorbis file that triggers an out-of-bounds read.

Comment 2 Alexis Ballier gentoo-dev 2010-07-27 10:03:16 UTC
Apart from the fact that this CVE and bug report is, at best, crappy, all the CVEs point to a bug closed as invalid with a lot of crashing files; lots of them should already be fixed in our stable snapshot. Let's try to investigate it:

(In reply to comment #1)
> CVE-2009-4632 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4632):
>   oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain
>   pointer arithmetic, which might allow remote attackers to obtain
>   sensitive memory contents and cause a denial of service via a crafted
>   file that triggers an out-of-bounds read.

should be this:

------------------------------------------------------------------------
r20014 | reimar | 2009-09-24 18:37:09 +0300 (Thu, 24 Sep 2009) | 6 lines

Fix possible buffer over-read in vorbis_comment, fix it double to be sure.
First, make s signed, so that comparisons against end - p will not be made as
unsigned, making the check incorrectly pass if p is beyond end.
Also ensure that p will never be > end, so the code is correct also if
buf is not padded.

------------------------------------------------------------------------

already fixed in our stable snapshot (see svn rev)

> CVE-2009-4633 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4633):
>   vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a
>   comparison operator was intended, which might allow remote attackers
>   to cause a denial of service and possibly execute arbitrary code via
>   a crafted file that modifies a loop counter and triggers a heap-based
>   buffer overflow.

------------------------------------------------------------------------
r19982 | michael | 2009-09-23 13:33:49 +0300 (Wed, 23 Sep 2009) | 3 lines

= -> == typo.
27_vorbis_residue_loop_error.patch by chrome

------------------------------------------------------------------------

most likely

> 
> CVE-2009-4634 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4634):
>   Multiple integer underflows in FFmpeg 0.5 allow remote attackers to
>   cause a denial of service and possibly execute arbitrary code via a
>   crafted file that (1) bypasses a validation check in vorbis_dec.c and
>   triggers a wraparound of the stack pointer, or (2) access a pointer
>   from out-of-bounds memory in mov.c, related to an elst tag that
>   appears before a tag that creates a stream.

I don't know; there have been a lot of fixes in vorbis_dec.c from chrome at some point (svn rev < 20000).

> CVE-2009-4635 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4635):
>   FFmpeg 0.5 allows remote attackers to cause a denial of service and
>   possibly execute arbitrary code via a crafted MOV container with
>   improperly ordered tags that cause (1) mov.c and (2) utils.c to use
>   inconsistent codec types and identifiers, which causes the mp3
>   decoder to process a pointer for a video structure, leading to a
>   stack-based buffer overflow.

Can't find what the exact error and the exact fix are, but the Debian patches include mov.c patches which correspond to revs 19793, 19792, 18016, 19259.
We already have these in stable.

> 
> CVE-2009-4636 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4636):
>   FFmpeg 0.5 allows remote attackers to cause a denial of service
>   (hang) via a crafted file that triggers an infinite loop.
> 
> CVE-2009-4637 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4637):
>   FFmpeg 0.5 allows remote attackers to cause a denial of service
>   (crash) and possibly execute arbitrary code via unknown vectors that
>   trigger a stack-based buffer overflow.
> 
> CVE-2009-4638 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4638):
>   Integer overflow in FFmpeg 0.5 allows remote attackers to cause a
>   denial of service (crash) and possibly execute arbitrary code via
>   unknown vectors.

not enough information for these 3

> CVE-2009-4639 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4639):
>   The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows
>   remote attackers to cause a denial of service (crash) via a crafted
>   AVI file that triggers a divide-by-zero error.

maybe:
------------------------------------------------------------------------
r19319 | michael | 2009-07-01 21:50:31 +0300 (Wed, 01 Jul 2009) | 3 lines

Make arguments of av_set_pts_info() unsigned.
Fixes issue1240/mpeg1/smclockmpeg1.avi.3.1

------------------------------------------------------------------------

https://roundup.ffmpeg.org/issue1245

> CVE-2009-4640 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4640):
>   Array index error in vorbis_dec.c in FFmpeg 0.5 allows remote
>   attackers to cause a denial of service and possibly execute arbitrary
>   code via a crafted Vorbis file that triggers an out-of-bounds read.
> 

Again, the Debian patches are up to rev 20003 from what I see; we already have rev 20373 in stable.

(In reply to comment #0)
> CVE-2009-4631 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4631):
>   Off-by-one error in the VP3 decoder (vp3.c) in FFmpeg 0.5 allows
>   remote attackers to cause a denial of service and possibly execute
>   arbitrary code via a crafted VP3 file that triggers an out-of-bounds
>   read and possibly memory corruption.

I don't get this anymore with -9999; please check against stable version.
In the end, I don't see what's to be done from media-video@; if I don't have any update from the security team explaining all that mess, I'll remove us from CC.
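As an added illustration of the r20014 commit message quoted above (this is a constructed model, not FFmpeg's code and not part of this bug thread): a walk over a Vorbis-style comment list with the pre-fix and post-fix length checks side by side, showing why an unsigned `s` compared against `end - p` accepts an entry once the cursor has run past the end. The helper names, the padding size and the sample buffer are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define PAD 16  /* slack after the logical data, standing in for FFmpeg's input padding */

/* Read a little-endian 32-bit value and advance the cursor (constructed helper). */
static uint32_t get_le32(const uint8_t **p)
{
    const uint8_t *q = *p;
    *p += 4;
    return (uint32_t)q[0] | (uint32_t)q[1] << 8 | (uint32_t)q[2] << 16 | (uint32_t)q[3] << 24;
}

/* Walk a Vorbis-style comment list (le32 count n, then n entries of le32 length s plus
 * s bytes) and return how many entries are accepted. fixed=false models the pre-r20014
 * logic: unsigned s, loop guarded only by p < end. fixed=true models the commit: signed s,
 * and no length is read unless 4 bytes remain. The pointer difference is kept in an int,
 * as ptrdiff_t is on ILP32, so the unsigned comparison reproduces on any host. */
static int count_comments(const uint8_t *buf, int size, bool fixed)
{
    const uint8_t *p = buf, *end = buf + size;
    int accepted = 0;
    uint32_t n = get_le32(&p);
    while (n > 0) {
        if (fixed ? end - p < 4 : p >= end)
            break;
        uint32_t raw = get_le32(&p);  /* flawed path: p may now sit up to 3 bytes past end */
        int avail = (int)(end - p);
        bool ok;
        if (fixed) {
            int s = (int)raw;
            ok = !(avail < s || s < 0);  /* negative avail rejects; a huge length shows up as s < 0 */
        } else {
            unsigned s = raw;
            ok = !(avail < s);           /* avail converts to unsigned: -2 becomes 4294967294 */
        }
        if (!ok)
            break;
        p += raw;  /* in the flawed path this whole entry lies outside the buffer */
        accepted++;
        n--;
    }
    return accepted;
}

/* Constructed input: n=2, one valid 3-byte entry "a=b", then two stray trailing bytes. */
#define SAMPLE_LEN 13
static const uint8_t sample[SAMPLE_LEN + PAD] = { 2, 0, 0, 0,  3, 0, 0, 0,  'a', '=', 'b',  5, 0 };
```

With the constructed input the flawed walk accepts two entries, the second of which lies entirely past the 13 logical bytes, while the fixed walk stops after the one real entry.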
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 10:34:31 UTC
I think this is superseded by bug #339036 and bug #352481.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-07-10 23:56:56 UTC
Fixed software stabilized in bug 365273. Added to existing GLSA request.
Comment 5 Alexis Ballier gentoo-dev 2013-08-14 21:12:08 UTC
nothing left to do for media-video@
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:10:53 UTC
This issue was resolved and addressed in GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml by GLSA coordinator Sean Amoss (ackle).