Bug#504977: ffmpeg-debian: Several security issues
steffen.joeris at skolelinux.de
Sat Nov 8 08:50:20 UTC 2008
Tags: security, patch
Justification: user security hole
The following CVE (Common Vulnerabilities & Exposures) ids were
published for ffmpeg.
| FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers
| to cause a denial of service (memory consumption) via unknown vectors,
| aka a "Tcp/udp memory leak."

| Unspecified vulnerability in the avcodec_close function in
| libavcodec/utils.c in FFmpeg 0.4.9 before r14787, as used by MPlayer,
| has unknown impact and attack vectors, related to a free "on random

| Buffer overflow in libavcodec/dca.c in FFmpeg 0.4.9 before r14917, as
| used by MPlayer, allows context-dependent attackers to have an unknown
| impact via vectors related to an incorrect DCA_MAX_FRAME_SIZE value.

| Multiple buffer overflows in libavformat/utils.c in FFmpeg 0.4.9
| before r14715, as used by MPlayer, allow context-dependent attackers
| to have an unknown impact via vectors related to execution of DTS
| generation code with a delay greater than MAX_REORDER_DELAY.
The last three issues are fixed in experimental. I lack information about
the first one, so I am not sure. Do you have any further information?
Also, etch shouldn't be affected by the last three issues. We should
address them in lenny though. The upstream patches are here.
It would be great if you could upload to unstable with high urgency
and ask the release team for an unblock.
If you fix the vulnerabilities, please also make sure to include the
CVE ids in your changelog entry.
For further information see: