Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 231834 - <media-plugins/gst-plugins-ffmpeg-0.10.5 FFmpeg psxstr.c Buffer overflow (CVE-2008-3162)
Summary: <media-plugins/gst-plugins-ffmpeg-0.10.5 FFmpeg psxstr.c Buffer overflow (CVE...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on: CVE-2008-3162 245291
Blocks:
  Show dependency tree
 
Reported: 2008-07-15 03:21 UTC by Robert Buchholz (RETIRED)
Modified: 2009-03-20 08:31 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
gst-plugins-ffmpeg-0.10.1-r1-CVE-2008-3162.patch (gst-plugins-ffmpeg-0.10.1-r1-CVE-2008-3162.patch,2.95 KB, patch)
2008-07-15 03:22 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-07-15 03:21:11 UTC
media-plugins/gst-plugins-ffmpeg ships a copy of ffmpeg, and builds that statically. Is it generally possible to have it link to a system-provided version?


+++ This bug was initially created as a clone of Bug #231831 +++

CVE-2008-3162 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3162):
  Stack-based buffer overflow in the str_read_packet function in
  libavformat/psxstr.c in FFmpeg before r13993 allows remote attackers to cause
  a denial of service (application crash) or execute arbitrary code via a
  crafted STR file that interleaves audio and video sectors.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-15 03:22:03 UTC
Created attachment 160413 [details, diff]
gst-plugins-ffmpeg-0.10.1-r1-CVE-2008-3162.patch
Comment 2 Mart Raudsepp gentoo-dev 2008-07-19 20:07:31 UTC
(In reply to comment #0)
> media-plugins/gst-plugins-ffmpeg ships a copy of ffmpeg, and builds that
> statically. Is it generally possible to have it link to a system-provided
> version?

That is not supported by upstream.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 18:43:32 UTC
(In reply to comment #2)
> (In reply to comment #0)
> > media-plugins/gst-plugins-ffmpeg ships a copy of ffmpeg, and builds that
> > statically. Is it generally possible to have it link to a system-provided
> > version?
> 
> That is not supported by upstream.

In this case we need to rebase their ffmpeg or patch this issue (you can find a patch in comment 1).
Comment 4 Edward Hervey 2008-12-09 13:40:16 UTC
Why not just use a more recent version of gst-ffmpeg ?

0.10.6 ships with r15750
0.10.5 ships with r15004

Any version above (and including) 0.10.5 has this issue fixed.
Comment 5 Samuli Suominen gentoo-dev 2008-12-20 12:04:30 UTC
Please CC archteams and fix status whiteboard as needed.. not sure if I got it right. Archteams don't seem to realize they are not handling several bugs..
Comment 6 nixnut (RETIRED) gentoo-dev 2008-12-21 14:37:24 UTC
ppc stable
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2008-12-21 16:14:40 UTC
Sparc stable --- forgot to note it on the bug.
Comment 8 Samuli Suominen gentoo-dev 2008-12-22 14:34:02 UTC
Security: All archteams are done, and old versions have been removed from tree.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-20 08:31:22 UTC
GLSA 200903-33