Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 488052 - <media-video/ffmpeg1.2.6: Multiple vulnerabilities
Summary: <media-video/ffmpeg1.2.6: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/55288/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-14 18:58 UTC by Agostino Sarubbo
Modified: 2016-03-12 11:20 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-10-14 18:58:19 UTC
From ${URL} :

Description

Some vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to 
cause a DoS (Denial of Service) and potentially compromise an application using the library.

1) Some errors within libavcodec/vmnc.c can be exploited to cause out of bounds read memory 
accesses.

2) Some integer overflow errors within the "decode_frame()" function (libavcodec/vmnc.c) can be 
exploited to cause heap-based buffer overflows.

Successful exploitation of vulnerability #2 may allow execution of arbitrary code.


Solution:
Fixed in the git repository.

Provided and/or discovered by:
The vendor credits Mateusz "j00ru" Jurczyk and Gynvael Coldwind.

Original Advisory:
http://git.libav.org/?p=libav.git;a=commit;h=61cd19b8bc32185c8caf64d89d1b0909877a0707
http://git.libav.org/?p=libav.git;a=commit;h=5e992a4682d2c09eed3839c6cacf70db3b65c2f4




@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Alexis Ballier gentoo-dev 2015-02-15 10:42:27 UTC
sounds like libav stuff, secunia link is about graphicsmagick, ffmpeg 1.2.6 seems to have the fixes; cc us back when you'll have figured what's wrong and what needs to be done
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2015-07-01 13:21:12 UTC
At this was fixed in 1.2.6, but will require a GLSA. Setting this to 548006, which when fixed will be one MONSTER GLSA.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 11:20:40 UTC
This issue was resolved and addressed in
 GLSA 201603-06 at https://security.gentoo.org/glsa/201603-06
by GLSA coordinator Kristian Fiskerstrand (K_F).