Bug 352481 (CVE-2010-4704) - <media-video/ffmpeg-0.7_rc1: multiple vulnerabilities in Vorbis decoder (CVE-2010-{4704,4705})
Status: RESOLVED FIXED
Alias: CVE-2010-4704
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2011-01-23 09:24 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2013-10-25 19:11 UTC
See Also:
Package list:
Runtime testing required: ---
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-23 09:24:15 UTC
libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg 0.6.1 and earlier allows remote attackers to cause a denial of service (application crash) via a crafted .ogg file, related to the vorbis_floor0_decode function. NOTE: this might overlap CVE-2011-0480.

Integer overflow in the vorbis_residue_decode_internal function in libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg, possibly 0.6, has unspecified impact and remote attack vectors, related to the sizes of certain integer data types. NOTE: this might overlap CVE-2011-0480.

There are some upstream patches and bug reports:

https://roundup.ffmpeg.org/issue2322
http://git.ffmpeg.org/?p=ffmpeg.git;a=commit;h=3dde66752d59dfdd0f3727efd66e7202b3c75078
http://git.ffmpeg.org/?p=ffmpeg.git;a=commit;h=366d919016a679d3955f6fe5278fa7ce4f47b81e
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-07-10 23:57:51 UTC
Fixed software stabilized in bug 365273. Added to existing GLSA request.
Comment 2 Alexis Ballier gentoo-dev 2013-08-14 21:13:08 UTC
nothing left to do for media-video@
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:11:07 UTC
This issue was resolved and addressed in GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml by GLSA coordinator Sean Amoss (ackle).