Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 257217 (CVE-2009-0385) - media-video/ffmpeg < 0.4.9_p20090201: type conversion vulnerability in libavformat/4xm.c (CVE-2009-0385)
Summary: media-video/ffmpeg < 0.4.9_p20090201: type conversion vulnerability in libavf...
Status: RESOLVED FIXED
Alias: CVE-2009-0385
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.trapkit.de/advisories/TKAD...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks: 257380 257381
  Show dependency tree
 
Reported: 2009-02-01 14:30 UTC by Matti Bickel (RETIRED)
Modified: 2020-04-10 11:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matti Bickel (RETIRED) gentoo-dev 2009-02-01 14:30:42 UTC
From the advisory:
FFmpeg contains a type conversion vulnerability while parsing malformed 4X 
movie files. The vulnerability may be exploited by a (remote) attacker to 
execute arbitrary code in the context of FFmpeg or an application using 
the FFmpeg library.

Upstream has fixed this in svn r16846, i haven't found a release yet.
Comment 1 Matti Bickel (RETIRED) gentoo-dev 2009-02-01 14:33:28 UTC
media-video, do you pull updates from trunk and can provide an ebuild? Or do we wait for the ffmpeg folks for a release?
Comment 2 Alexis Ballier gentoo-dev 2009-02-01 14:55:20 UTC
(In reply to comment #1)
> media-video, do you pull updates from trunk and can provide an ebuild? Or do we
> wait for the ffmpeg folks for a release?

A release is expected around the end of february; I'll make a new snapshot
Comment 3 Alexis Ballier gentoo-dev 2009-02-01 16:23:27 UTC
rev 16916, aka 0.4.9_p20090201 is in the tree; don't forget all the packages bundling ffmpeg too
Comment 4 Matti Bickel (RETIRED) gentoo-dev 2009-02-01 16:43:21 UTC
thanks for the quick response.

target keywords for: media-video/ffmpeg-0.4.9_p20090201
alpha, amd64, arm, hppa, ia64, ppc, ppc64, sparc, x86, ~x86-fbsd

Please do, we have 10 days maximum for a glsa, so a little testing on this complex piece would not hurt.
Comment 5 Tobias Klausmann gentoo-dev 2009-02-01 17:33:19 UTC
Stable on alpha.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-02 06:04:49 UTC
# ChangeLog for media-video/ffmpeg
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
# $Header: /var/cvsroot/gentoo-x86/media-video/ffmpeg/ChangeLog,v 1.264 2009/02/01 16:23:10 aballier Exp $

*ffmpeg-0.4.9_p20090201 (01 Feb 2009)

  01 Feb 2009; Alexis Ballier <aballier@gentoo.org>
  +ffmpeg-0.4.9_p20090201.ebuild:
  new snapshot, bug #257217
Comment 7 Tobias Klausmann gentoo-dev 2009-02-02 13:37:47 UTC
Stable on alpha. Again (that's what you get for being quick).
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-02-02 15:13:25 UTC
ppc64 done
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2009-02-03 00:08:18 UTC
amd64 stable
Comment 10 Markus Meier gentoo-dev 2009-02-04 21:37:23 UTC
x86 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-05 02:34:48 UTC
Stable for HPPA.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-02-09 14:23:03 UTC
ia64/sparc stable
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2009-02-11 17:07:13 UTC
ppc stable
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-20 08:32:32 UTC
GLSA 200903-33