Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 257380 - media-plugins/gst-plugins-ffmpeg type conversion vulnerability in libavformat/4xm.c (CVE-2009-0385)
Summary: media-plugins/gst-plugins-ffmpeg type conversion vulnerability in libavformat...
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://www.trapkit.de/advisories/TKAD...
Whiteboard: B2 [ebuild]
Keywords:
Depends on: CVE-2009-0385
Blocks:
  Show dependency tree
 
Reported: 2009-02-02 13:01 UTC by Robert Buchholz (RETIRED)
Modified: 2009-03-17 00:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-02-02 13:01:01 UTC
+++ This bug was initially created as a clone of Bug #257217 +++

From the advisory:
FFmpeg contains a type conversion vulnerability while parsing malformed 4X 
movie files. The vulnerability may be exploited by a (remote) attacker to 
execute arbitrary code in the context of FFmpeg or an application using 
the FFmpeg library.

Upstream has fixed this in svn r16846, i haven't found a release yet.
Comment 1 Edward Hervey 2009-02-10 16:29:09 UTC
git master gst-ffmpeg is already depending on a much more recent ffmpeg revision. gst-ffmpeg-0.10.7 (which is going to be released within the next 2-3 weeks) will have the fix.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 19:20:26 UTC
Gstreamer/Gnome, we'd like a shorter timeframe for fixing this issue within the gstreamer package. Would it be possible to bump the ffmpeg branch or apply the patch onto an existing release?
Comment 3 Olivier Crete (RETIRED) gentoo-dev 2009-02-18 16:58:39 UTC
the gst-ffmpeg in the tree uses the media-libs/ffmpeg package, not the internal copy... so this bug is INVALID.