While going on the faad2 homepage, I found this:
"2008-09-16 Security patch
Earlier today I was notified of a possible security flaw in the command line frontend for FAAD2, on a specially constructed file the frontend can cause a heap overflow when reading from a buffer returned by the decoder library. A patch can be found here. Note that this only affects the frontend, not the library. Many thanks to ICST-ERCIS (Peking University) for reporting this issue."
I don't have more info; I think I could just apply the patch in a new revision. Do you have more information about this (like the impact, a POC, etc.)?
Created attachment 166174: main_overflow.diff
Make the thing apply cleanly.
+*faad2-2.6.1-r2 (23 Sep 2008) + + 23 Sep 2008; Peter Alfredsen <loki_val@gentoo.org> + +files/faad2-2.6.1-main-overflow.patch, +faad2-2.6.1-r2.ebuild: + Security bump w/ patch from bug 238445 +
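Review bot: the ChangeLog entry describes the change only as "Security bump w/ patch from bug 238445", so someone reading the ChangeLog without the bug tracker cannot tell what the new files/faad2-2.6.1-main-overflow.patch addresses. Suggest naming the issue next to the bug number, for example that the patch fixes a heap overflow in the command line frontend.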
Arches, please test and mark stable media-libs/faad2-2.6.1-r2. Target keywords: "alpha amd64 ~arm hppa ia64 ~mips ppc ppc64 ~sh sparc x86 ~x86-fbsd"
amd64 stable
Stable for HPPA.
Sparc stable for -2.6.1-r2.
CVE-2008-4201 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4201): Heap-based buffer overflow in the decodeMP4file function (frontend/main.c) in FAAD2 before 2.6.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MPEG-4 (MP4) file.
ppc64 stable
alpha/ia64/x86 stable
ppc stable
GLSA request filed.
GLSA 200811-03, thanks everyone, sorry about the delay.