Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 553734 - <media-video/ffmpeg-2.5.2: Unspecified vulnerability (CVE-2014-{9602,9603,9604})
Summary: <media-video/ffmpeg-2.5.2: Unspecified vulnerability (CVE-2014-{9602,9603,9604})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-01 15:03 UTC by GLSAMaker/CVETool Bot
Modified: 2016-03-12 11:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2015-07-01 15:03:04 UTC
CVE-2014-9604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9604):
  libavcodec/utvideodec.c in FFmpeg before 2.5.2 does not check for a zero
  value of a slice height, which allows remote attackers to cause a denial of
  service (out-of-bounds array access) or possibly have unspecified other
  impact via crafted Ut Video data, related to the (1) restore_median and (2)
  restore_median_il functions.

CVE-2014-9603 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9603):
  The vmd_decode function in libavcodec/vmdvideo.c in FFmpeg before 2.5.2 does
  not validate the relationship between a certain length value and the frame
  width, which allows remote attackers to cause a denial of service
  (out-of-bounds array access) or possibly have unspecified other impact via
  crafted Sierra VMD video data.

CVE-2014-9602 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9602):
  libavcodec/xface.h in FFmpeg before 2.5.2 establishes certain digits and
  words array dimensions that do not satisfy a required mathematical
  relationship, which allows remote attackers to cause a denial of service
  (out-of-bounds array access) or possibly have unspecified other impact via
  crafted X-Face image data.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2015-07-01 15:05:07 UTC
Fixed in: 2.0.7, 2.1.7, 2.2.12, 2.3.6, 2.4.5, 2.5.2

Depends: Bug 548006
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 11:21:56 UTC
This issue was resolved and addressed in
 GLSA 201603-06 at https://security.gentoo.org/glsa/201603-06
by GLSA coordinator Kristian Fiskerstrand (K_F).