Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 439054 (CVE-2012-5359)

Summary: <media-video/ffmpeg-1.0.7: multiple vulnerabilities (CVE-2012-{5359,5360,5361})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: media-video
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/50963/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-10-20 10:25:39 UTC 
1) Some errors within the libavcodec library when parsing ASF, QT, and WMV files can be exploited to corrupt memory.

2) An error within the "ff_compute_band_indexes()" function (libavcodec/mpegaudiodec.c) can be exploited to corrupt memory. 

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

Solution
Upgrade to version 1.0.
Comment 1 Alexis Ballier gentoo-dev 2012-10-20 21:11:15 UTC 
0.10.5 should have all the sec fixes from 1.0; did you check? 1.0 is certainly not ready to go stable.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-23 23:44:54 UTC 
(In reply to comment #1)
> 0.10.5 should have all the sec fixes from 1.0; did you check? 1.0 is
> certainly not ready to go stable.

At least #2 in c0 is not fixed in 0.10.5. Upstream commit:
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=94041febc53a6da10e34c2bfff9ff1d580fdce60
Comment 3 Alexis Ballier gentoo-dev 2012-10-24 19:10:47 UTC 
(In reply to comment #2)
> (In reply to comment #1)
> > 0.10.5 should have all the sec fixes from 1.0; did you check? 1.0 is
> > certainly not ready to go stable.
> 
> At least #2 in c0 is not fixed in 0.10.5. Upstream commit:
> http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;
> h=94041febc53a6da10e34c2bfff9ff1d580fdce60

well, this commit mentions the problem was introduced by:
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=b37d945dd4213cb8e92146571b0374cd45d52286

which neither is in 0.10.5
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:11:57 UTC 
This issue was resolved and addressed in
 GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml
by GLSA coordinator Sean Amoss (ackle).