Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 492742

Summary: <media-video/ffmpeg-2.2.12: Multiple vulnerabilities (CVE-2013-{0860,0861,0862,0863,0864,0865,0866,0867,0868,0872,0873,0874,0875,0876,0877,0878,4263,4264,4265})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: media-video
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 22:21:41 UTC 
CVE-2013-4265 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4265):
  The av_reallocp_array function in libavutil/mem.c in FFmpeg before 2.0.1 has
  an unspecified impact and remote vectors related to a "wrong return code"
  and a resultant NULL pointer dereference.

CVE-2013-4264 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4264):
  The kempf_decode_tile function in libavcodec/g2meet.c in FFmpeg before 2.0.1
  allows remote attackers to cause a denial of service (out-of-bounds heap
  write) via a G2M4 encoded file.

CVE-2013-4263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4263):
  libavfilter in FFmpeg before 2.0.1 allows has unspecified impact and remote
  vectors related to a crafted "plane," which triggers an out-of-bounds heap
  write.

CVE-2013-0878 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0878):
  The advance_line function in libavcodec/targa.c in FFmpeg before 1.1.3
  allows remote attackers to have an unspecified impact via crafted Targa
  image data, related to an out-of-bounds array access.

CVE-2013-0877 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0877):
  The old_codec37 function in libavcodec/sanm.c in FFmpeg before 1.1.3 allows
  remote attackers to have an unspecified impact via crafted LucasArts Smush
  data that has a large size when decoded, related to an out-of-bounds array
  access.

CVE-2013-0876 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0876):
  Multiple integer overflows in the (1) old_codec37 and (2) old_codec47
  functions in libavcodec/sanm.c in FFmpeg before 1.1.3 allow remote attackers
  to have an unspecified impact via crafted LucasArts Smush data, which
  triggers an out-of-bounds array access.

CVE-2013-0875 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0875):
  The ff_add_png_paeth_prediction function in libavcodec/pngdec.c in FFmpeg
  before 1.1.3 allows remote attackers to have an unspecified impact via a
  crafted PNG image, related to an out-of-bounds array access.

CVE-2013-0874 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0874):
  The (1) doubles2str and (2) shorts2str functions in libavcodec/tiff.c in
  FFmpeg before 1.1.3 allow remote attackers to have an unspecified impact via
  a crafted TIFF image, related to an out-of-bounds array access.

CVE-2013-0873 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0873):
  The read_header function in libavcodec/shorten.c in FFmpeg before 1.1.3
  allows remote attackers to have an unspecified impact via an invalid channel
  count, related to "freeing invalid addresses."

CVE-2013-0872 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0872):
  The swr_init function in libswresample/swresample.c in FFmpeg before 1.1.3
  allows remote attackers to have an unspecified impact via an invalid or
  unsupported (1) input or (2) output channel layout, related to an
  out-of-bounds array access.

CVE-2013-0868 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0868):
  libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers to
  have an unspecified impact via crafted Huffyuv data, related to an
  out-of-bounds write and (1) unchecked return codes from the init_vlc
  function and (2) "len==0 cases."

CVE-2013-0867 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0867):
  The decode_slice_header function in libavcodec/h264.c in FFmpeg before 1.1.2
  does not properly check when the pixel format changes, which allows remote
  attackers to have unspecified impact via crafted H.264 video data, related
  to an out-of-bounds array access.

CVE-2013-0866 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0866):
  The aac_decode_init function in libavcodec/aacdec.c in FFmpeg before 1.0.4
  and 1.1.x before 1.1.2 allows remote attackers to have an unspecified impact
  via a large number of channels in an AAC file, which triggers an
  out-of-bounds array access.

CVE-2013-0865 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0865):
  The vqa_decode_chunk function in libavcodec/vqavideo.c in FFmpeg before
  1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an unspecified
  impact via a large (1) cbp0 or (2) cbpz chunk in Westwood Studios VQA Video
  file, which triggers an out-of-bounds write.

CVE-2013-0864 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0864):
  The gif_copy_img_rect function in libavcodec/gifdec.c in FFmpeg before 1.1.2
  performs an incorrect calculation for an "end pointer," which allows remote
  attackers to have an unspecified impact via crafted GIF data that triggers
  an out-of-bounds array access.

CVE-2013-0863 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0863):
  Buffer overflow in the rle_decode function in libavcodec/sanm.c in FFmpeg
  before 1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an
  unspecified impact via crafted LucasArts Smush video data.

CVE-2013-0862 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0862):
  Multiple integer overflows in the process_frame_obj function in
  libavcodec/sanm.c in FFmpeg before 1.1.2 allow remote attackers to have an
  unspecified impact via crafted image dimensions in LucasArts Smush video
  data, which triggers an out-of-bounds array access.

CVE-2013-0861 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0861):
  The avcodec_decode_audio4 function in libavcodec/utils.c in FFmpeg before
  1.0.4 and 1.1.x before 1.1.1 allows remote attackers to trigger memory
  corruption via vectors related to the channel layout.

CVE-2013-0860 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0860):
  The ff_er_frame_end function in libavcodec/error_resilience.c in FFmpeg
  before 1.0.4 and 1.1.x before 1.1.1 does not properly verify that a frame is
  fully initialized, which allows remote attackers to trigger a NULL pointer
  dereference via crafted picture data.


Filing a lump bug because there is no obvious correlation between these and the existing "fixed in Git" bugs. Looks like DoS/user-assisted AcE, A2.
Comment 1 Alexis Ballier gentoo-dev 2015-02-15 10:35:25 UTC 
not sure if it's fixed in current stable, but 2.2.12+ is certainly enough
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-07-01 13:17:18 UTC 
Since 1.1.X and 1.2.X is no longer maintained and 
2.2.14 is being stabilized, but higher version without bugs is 2.2.15. Once stabilized we can clean up 1.1.x and 1.2.x

Setting dependency on: 548006
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 11:20:48 UTC 
This issue was resolved and addressed in
 GLSA 201603-06 at https://security.gentoo.org/glsa/201603-06
by GLSA coordinator Kristian Fiskerstrand (K_F).