Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 385511 (CVE-2011-4364) - <media-video/ffmpeg-0.7.6 Multiple Vulnerabilities (CVE-2011-4364)
Summary: <media-video/ffmpeg-0.7.6 Multiple Vulnerabilities (CVE-2011-4364)
Status: RESOLVED FIXED
Alias: CVE-2011-4364
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/46245/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-03 14:19 UTC by Agostino Sarubbo
Modified: 2013-10-25 19:11 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-10-03 14:19:01 UTC
Description:
The vulnerabilities are caused due to various errors within the 4xm, ADPCM IMA Electronic Arts EACS, ANM, Delphine Software International CIN, Electronic Arts CMV, PTX, QDM2, QuickDraw, TIFF, Tiertex Limited SEQ, aac, bink, flic, h264, indeo2, jpeg 2000, mpc v8, rasterfile, shorten, sun raster, vmd audio, vmd video, wmapro, wmavoice, and xan decoders, the 4X Technologies, Deluxe Paint Animation, avi, and avs demuxers, the libx264 interface to the x264 encoder, the unsharp filter, and the mov muxer, which can be exploited to e.g. cause NULL pointer dereferences, out-of-bounds reads and writes, double-frees, and buffer overflows via e.g. specially crafted media content.

The vulnerabilities are reported in versions prior to 0.7.6 and 0.8.5.

Solution:
Update to version 0.7.6
Comment 1 Agostino Sarubbo gentoo-dev 2011-10-03 14:20:15 UTC
(In reply to comment #0)
> Description:
> The vulnerabilities are caused due to various errors within the 4xm, ADPCM IMA
> Electronic Arts EACS, ANM, Delphine Software International CIN, Electronic Arts
> CMV, PTX, QDM2, QuickDraw, TIFF, Tiertex Limited SEQ, aac, bink, flic, h264,
> indeo2, jpeg 2000, mpc v8, rasterfile, shorten, sun raster, vmd audio, vmd
> video, wmapro, wmavoice, and xan decoders, the 4X Technologies, Deluxe Paint
> Animation, avi, and avs demuxers, the libx264 interface to the x264 encoder,
> the unsharp filter, and the mov muxer, which can be exploited to e.g. cause
> NULL pointer dereferences, out-of-bounds reads and writes, double-frees, and
> buffer overflows via e.g. specially crafted media content.
> 
> The vulnerabilities are reported in versions prior to 0.7.6 and 0.8.5.
> 
> Solution:
> Update to version 0.7.6

This is from secunia security advisory at $URL
Comment 3 Alexis Ballier gentoo-dev 2011-10-05 14:07:05 UTC
added 0.7.6 and 0.8.5

(In reply to comment #2)
> It is also worth noting that version 0.8.5 has gained new target with HE-AAC v2
> encoding support

added this in 0.8.5 only since 0.7.6 is the stable candidate
Comment 4 Agostino Sarubbo gentoo-dev 2011-10-05 15:50:24 UTC
Thanks Alexis.


Arches please test and mark stable:

=media-video/ffmpeg-0.7.6

Target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2011-10-05 18:52:06 UTC
amd64 ok
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2011-10-06 17:27:18 UTC
amd64:

emerges ok, has a test failure, Bug 385881.  otherwise
Comment 7 Steve Dibb (RETIRED) gentoo-dev 2011-10-06 19:40:07 UTC
(In reply to comment #6)
> amd64:
> 
> emerges ok, has a test failure, Bug 385881.  otherwise

Hmm, no test failures for me.

+  06 Oct 2011; Steve Dibb <beandog@gentoo.org> ffmpeg-0.7.6.ebuild:
+  amd64 stable, bug 385511
Comment 8 Agostino Sarubbo gentoo-dev 2011-10-06 19:43:45 UTC
In any cases, test failures does not block security bugs
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-07 06:04:39 UTC
Stable for HPPA.
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-08 19:03:26 UTC
x86 stable
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-09 18:16:39 UTC
ppc/ppc64 stable
Comment 12 Markus Meier gentoo-dev 2011-10-10 21:24:14 UTC
arm stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2011-10-12 15:12:37 UTC
alpha/ia64/sparc stable
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-10-12 15:16:18 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-08-24 22:02:15 UTC
CVE-2011-4364 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4364):
  Buffer overflow in the Sierra VMD decoder in libavcodec in FFmpeg 0.5.x
  before 0.5.7, 0.6.x before 0.6.4, 0.7.x before 0.7.9 and 0.8.x before 0.8.8;
  and in Libav 0.5.x before 0.5.6, 0.6.x before 0.6.4, and 0.7.x before 0.7.3
  allows remote attackers to cause a denial of service (crash) and possibly
  execute arbitrary code via a crafted VMD file, related to corrupted streams.
Comment 16 Alexis Ballier gentoo-dev 2013-08-14 21:14:26 UTC
nothing left to do for media-video@
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:11:24 UTC
This issue was resolved and addressed in
 GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml
by GLSA coordinator Sean Amoss (ackle).