
Bug 257380

Summary: media-plugins/gst-plugins-ffmpeg type conversion vulnerability in libavformat/4xm.c (CVE-2009-0385)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: gnome, gstreamer
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.trapkit.de/advisories/TKADV2009-004.txt
Whiteboard: B2 [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on: 257217    
Bug Blocks:    

Description Robert Buchholz (RETIRED) gentoo-dev 2009-02-02 13:01:01 UTC
+++ This bug was initially created as a clone of Bug #257217 +++

From the advisory:
FFmpeg contains a type conversion vulnerability while parsing malformed 4X 
movie files. The vulnerability may be exploited by a (remote) attacker to 
execute arbitrary code in the context of FFmpeg or an application using 
the FFmpeg library.

Upstream has fixed this in svn r16846, I haven't found a release yet.
Comment 1 Edward Hervey 2009-02-10 16:29:09 UTC
git master gst-ffmpeg is already depending on a much more recent ffmpeg revision. gst-ffmpeg-0.10.7 (which is going to be released within the next 2-3 weeks) will have the fix.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 19:20:26 UTC
Gstreamer/Gnome, we'd like a shorter timeframe for fixing this issue within the gstreamer package. Would it be possible to bump the ffmpeg branch or apply the patch onto an existing release?
Comment 3 Olivier Crete (RETIRED) gentoo-dev 2009-02-18 16:58:39 UTC
The gst-ffmpeg in the tree uses the media-libs/ffmpeg package, not the internal copy... so this bug is INVALID.