Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 411369 - <media-video/ffmpeg-0.10.2 : Multiple vulnerabilities
Summary: <media-video/ffmpeg-0.10.2 : Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/48770/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks: CVE-2011-3929
  Show dependency tree
 
Reported: 2012-04-09 18:06 UTC by Agostino Sarubbo
Modified: 2013-10-25 19:11 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-04-09 18:06:15 UTC
From secunia advisory at $URL:

Description
Multiple vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to compromise an application using the library.

1) A format string error exists within the "srt_to_ass()" function (libavcodec/srtdec.c) when parsing certain parameters.

2) An integer overflow error exists within the "dirac_unpack_block_motion_data()" function (libavcodec/diracdec.c) when handling certain motion data.

3) An integer overflow error exists within the "sws_init_context()" function (libswscale/utils.c) when decoding certain scale data.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are reported in versions prior to 0.10.1.


Solution
Update to version 0.10.1 or later.
Comment 1 Agostino Sarubbo gentoo-dev 2012-04-09 18:06:57 UTC
@aballier, is 0.10.2 ready to go to stable?
Comment 2 Alexis Ballier gentoo-dev 2012-04-09 18:31:48 UTC
(In reply to comment #1)
> @aballier, is 0.10.2 ready to go to stable?

i'd say yes, the api/abi should be similar, however, to be on the safe side, a tinderbox run would be better

you can revert http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/media-video/ffmpeg/ffmpeg-0.10.2.ebuild?r1=1.2&r2=1.3 if you wish, but then people may hit bug #405083
Comment 3 Agostino Sarubbo gentoo-dev 2012-04-09 19:32:18 UTC
Arches, please test and mark stable:                                                                                                                                                
=media-video/ffmpeg-0.10.2                                                                                                                                                          
Target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2012-04-10 08:14:19 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-04-10 14:12:04 UTC
(In reply to comment #3)
> Arches, please test and mark stable:                                        
> 
> =media-video/ffmpeg-0.10.2                                                  

How about virtual/ffmpeg-0.10.2?
Comment 6 Alexis Ballier gentoo-dev 2012-04-10 14:16:39 UTC
(In reply to comment #5)
> (In reply to comment #3)
> > Arches, please test and mark stable:                                        
> > 
> > =media-video/ffmpeg-0.10.2                                                  
> 
> How about virtual/ffmpeg-0.10.2?

only when it'll be needed, otherwise updating world will force libav users to go back to ffmpeg.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2012-04-11 14:21:45 UTC
(In reply to comment #6)
> > How about virtual/ffmpeg-0.10.2?
> 
> only when it'll be needed, otherwise updating world will force libav users
> to go back to ffmpeg.

OK, removing amd64 again.

Stable for HPPA.
Comment 8 Andreas Schürch gentoo-dev 2012-04-12 12:23:12 UTC
Finally, x86 stable! Thanks all!!
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2012-04-15 18:18:38 UTC
alpha/arm/ia64/sparc stable
Comment 10 Mark Loeser (RETIRED) gentoo-dev 2012-05-13 19:21:51 UTC
ppc/ppc64 done
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2012-05-13 23:07:37 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 12 Alexis Ballier gentoo-dev 2013-08-14 21:16:20 UTC
nothing left to do for media-video@
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:11:48 UTC
This issue was resolved and addressed in
 GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml
by GLSA coordinator Sean Amoss (ackle).