- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200903-33
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: FFmpeg: Multiple vulnerabilities
      Date: March 19, 2009
      Bugs: #231831, #231834, #245313, #257217, #257381
        ID: 200903-33

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
Multiple vulnerabilities in FFmpeg may lead to the remote execution of
arbitrary code or a Denial of Service.

Background
=========
FFmpeg is a complete solution to record, convert and stream audio and
video. gst-plugins-ffmpeg is a FFmpeg based gstreamer plugin which
includes a vulnerable copy of FFmpeg code. Mplayer is a multimedia
player which also includes a vulnerable copy of the code.

Affected packages
================
    -------------------------------------------------------------------
     Package             /      Vulnerable      /           Unaffected
    -------------------------------------------------------------------
  1  ffmpeg                  < 0.4.9_p20090201      >= 0.4.9_p20090201
  2  gst-plugins-ffmpeg          < 0.10.5                    >= 0.10.5
  3  mplayer                 < 1.0_rc2_p28450        >= 1.0_rc2_p28450
    -------------------------------------------------------------------
     3 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
==========
Multiple vulnerabilities were found in FFmpeg:

* astrange reported a stack-based buffer overflow in the
  str_read_packet() in libavformat/psxstr.c when processing .str files
  (CVE-2008-3162).

* Multiple buffer overflows in libavformat/utils.c (CVE-2008-4866).

* A buffer overflow in libavcodec/dca.c (CVE-2008-4867).

* An unspecified vulnerability in the avcodec_close() function in
  libavcodec/utils.c (CVE-2008-4868).

* Unspecified memory leaks (CVE-2008-4869).

* Tobias Klein repoerted a NULL pointer dereference due to an integer
  signedness error in the fourxm_read_header() function in
  libavformat/4xm.c (CVE-2009-0385).

Impact
=====
A remote attacker could entice a user to open a specially crafted media
file, possibly leading to the execution of arbitrary code with the
privileges of the user running the application, or a Denial of Service.

Workaround
=========
There is no known workaround at this time.

Resolution
=========
All FFmpeg users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose >=media-video/ffmpeg-0.4.9_p20090201"

All gst-plugins-ffmpeg users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose
>=media-plugins/gst-plugins-ffmpeg-0.10.5"

All Mplayer users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose >=media-video/mplayer-1.0_rc2_p28450"

References
=========
  [ 1 ] CVE-2008-3162
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3162
  [ 2 ] CVE-2008-4866
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4866
  [ 3 ] CVE-2008-4867
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4867
  [ 4 ] CVE-2008-4868
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4868
  [ 5 ] CVE-2008-4869
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4869
  [ 6 ] CVE-2009-0385
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0385

Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/200903-33

Concerns?
========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org/.

License
======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5/

Gentoo: GLSA-200903-33: FFmpeg: Multiple vulnerabilities

Multiple vulnerabilities in FFmpeg may lead to the remote execution of arbitrary code or a Denial of Service.

Summary

Gentoo Linux Security Advisory GLSA 200903-33 https://security.gentoo.org/ Severity: Normal Title: FFmpeg: Multiple vulnerabilities Date: March 19, 2009 Bugs: #231831, #231834, #245313, #257217, #257381 ID: 200903-33

Synopsis ======= Multiple vulnerabilities in FFmpeg may lead to the remote execution of arbitrary code or a Denial of Service.
Background ========= FFmpeg is a complete solution to record, convert and stream audio and video. gst-plugins-ffmpeg is a FFmpeg based gstreamer plugin which includes a vulnerable copy of FFmpeg code. Mplayer is a multimedia player which also includes a vulnerable copy of the code.
Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 ffmpeg < 0.4.9_p20090201 >= 0.4.9_p20090201 2 gst-plugins-ffmpeg < 0.10.5 >= 0.10.5 3 mplayer < 1.0_rc2_p28450 >= 1.0_rc2_p28450 ------------------------------------------------------------------- 3 affected packages on all of their supported architectures. -------------------------------------------------------------------
========== Multiple vulnerabilities were found in FFmpeg:
* astrange reported a stack-based buffer overflow in the str_read_packet() in libavformat/psxstr.c when processing .str files (CVE-2008-3162).
* Multiple buffer overflows in libavformat/utils.c (CVE-2008-4866).
* A buffer overflow in libavcodec/dca.c (CVE-2008-4867).
* An unspecified vulnerability in the avcodec_close() function in libavcodec/utils.c (CVE-2008-4868).
* Unspecified memory leaks (CVE-2008-4869).
* Tobias Klein repoerted a NULL pointer dereference due to an integer signedness error in the fourxm_read_header() function in libavformat/4xm.c (CVE-2009-0385).
Impact ===== A remote attacker could entice a user to open a specially crafted media file, possibly leading to the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service.
Workaround ========= There is no known workaround at this time.
Resolution ========= All FFmpeg users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose >=media-video/ffmpeg-0.4.9_p20090201"
All gst-plugins-ffmpeg users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose >=media-plugins/gst-plugins-ffmpeg-0.10.5"
All Mplayer users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose >=media-video/mplayer-1.0_rc2_p28450"
References ========= [ 1 ] CVE-2008-3162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3162 [ 2 ] CVE-2008-4866 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4866 [ 3 ] CVE-2008-4867 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4867 [ 4 ] CVE-2008-4868 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4868 [ 5 ] CVE-2008-4869 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4869 [ 6 ] CVE-2009-0385 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0385
Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/200903-33
Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org/.
License ====== Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5/


Resolution

References

Availability

Concerns

Severity

Synopsis

Background

Affected Packages

Impact

Workaround

Related News

Fighting Back Against Hadooken Malware by Strengthening WebLogic Security
2 - 4 min read
Cybercriminals have been relentlessly attacking the digital landscape, aiming to exploit vulnerabilities in well-known systems. One such exploit is
CISA Sounds Alarm on Newly Exploited Vulnerabilities: Is Your System at Risk?
3 - 5 min read
CISA regularly publishes updates regarding vulnerabilities that present severe threats to global cybersecurity. Recently, CISA added three
Defending Against Remote Code Execution in Google Chrome: A Critical Update
2 - 3 min read
Google Chrome, a widely used web browser, serves millions of internet users by connecting them to the online world. Unfortunately, severe
Navigating the Linux Kernel
2 - 4 min read
The Linux operating system, widely acclaimed for its robustness and security , recently received widespread media attention due to a significant
Staying a Step Ahead of Adversaries: Mitigating Chromium
2 - 4 min read
Google Chrome, one of the world's most widely used web browsers, has recently been scrutinized due to the discovery of multiple Chromium
Unmasking Cicada3301: Examining the Threat of the New Rust-Based Ransomware
2 - 4 min read
Ransomware has long been a severe threat to organizations and admins alike. Recently, cybersecurity researchers discovered a new variant called
Buffer Overflow Exploits in Linux: Origins, Impact, and Countermeasures
3 - 6 min read
Buffer overflow vulnerabilities have long been one of the biggest headaches in computer security, especially on Linux operating systems that power
8 Expert-Recommended Security Practices to Fortify Your Linux Systems
4 - 8 min read
As a Linux admin or an infosec professional, you understand how the security landscape changes due to evolving threats, newly discovered

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved