Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 454420 - <media-video/ffmpeg-1.0.2: multiple vulnerabilities (CVE-2012-{6615,6616,6617,6618})
Summary: <media-video/ffmpeg-1.0.2: multiple vulnerabilities (CVE-2012-{6615,6616,6617...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/51964/
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-28 12:27 UTC by Agostino Sarubbo
Modified: 2014-01-05 02:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-01-28 12:27:17 UTC
From $URL :

Description
Multiple vulnerabilities with unknown impacts have been reported in FFmpeg.

The vulnerabilities are caused due to unspecified errors. No further information is currently 
available.

The vulnerabilities are reported in versions prior to 1.0.2.


Solution
Update to version 1.0.2.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
http://freecode.com/projects/ffmpeg/releases/351527
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-08 22:36:35 UTC
Nothing in the 1.0 branch <1.0.2 is in tree.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:11:59 UTC
This issue was resolved and addressed in
 GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-01-05 02:47:14 UTC
CVE-2012-6618 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6618):
  The av_probe_input_buffer function in libavformat/utils.c in FFmpeg before
  1.0.2, when running with certain -probesize values, allows remote attackers
  to cause a denial of service (crash) via a crafted MP3 file, possibly
  related to frame size or lack of sufficient "frames to estimate rate."

CVE-2012-6617 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6617):
  The prepare_sdp_description function in ffserver.c in FFmpeg before 1.0.2
  allows remote attackers to cause a denial of service (crash) via vectors
  related to the rtp format.

CVE-2012-6616 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6616):
  The mov_text_decode_frame function in libavcodec/movtextdec.c in FFmpeg
  before 1.0.2 allows remote attackers to cause a denial of service
  (out-of-bounds read and crash) via crafted 3GPP TS 26.245 data.

CVE-2012-6615 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6615):
  The ff_ass_split_override_codes function in libavcodec/ass_split.c in FFmpeg
  before 1.0.2 allows remote attackers to cause a denial of service (NULL
  pointer dereference and crash) via a subtitle dialog without text.