[Secure-testing-team] Bug#504977: ffmpeg-debian: Several security issues

Steffen Joeris steffen.joeris at skolelinux.de
Sat Nov 8 08:50:20 UTC 2008


Package: ffmpeg-debian
Version: 0.svn20080206-14
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for ffmpeg.

CVE-2008-4869[0]:
| FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers
| to cause a denial of service (memory consumption) via unknown vectors,
| aka a "Tcp/udp memory leak."

CVE-2008-4868[1]:
| Unspecified vulnerability in the avcodec_close function in
| libavcodec/utils.c in FFmpeg 0.4.9 before r14787, as used by MPlayer,
| has unknown impact and attack vectors, related to a free "on random
| pointers."

CVE-2008-4867[2]:
| Buffer overflow in libavcodec/dca.c in FFmpeg 0.4.9 before r14917, as
| used by MPlayer, allows context-dependent attackers to have an unknown
| impact via vectors related to an incorrect DCA_MAX_FRAME_SIZE value.

CVE-2008-4866[3]:
| Multiple buffer overflows in libavformat/utils.c in FFmpeg 0.4.9
| before r14715, as used by MPlayer, allow context-dependent attackers
| to have an unknown impact via vectors related to execution of DTS
| generation code with a delay greater than MAX_REORDER_DELAY.

The last three issues are fixed in experimental. I lack information about
the first one, so I am not sure. Do you have any further information? 
Also etch shouldn't be affected by the last three issues. We should 
address them in lenny though. The upstream patches are here[4][5][6][7].
It would be great if you could upload to unstable with high urgency
and ask the release team for an unblock.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4869
    http://security-tracker.debian.net/tracker/CVE-2008-4869
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4868
    http://security-tracker.debian.net/tracker/CVE-2008-4868
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4867
    http://security-tracker.debian.net/tracker/CVE-2008-4867
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4866
    http://security-tracker.debian.net/tracker/CVE-2008-4866
[4] http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016011.html
[5] http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016012.html
[6] http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016352.html
[7] http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016136.html




