Debian Security Advisory

DSA-2165-1 ffmpeg-debian -- buffer overflow

Date Reported:
16 Feb 2011
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2010-3429, CVE-2010-4704, CVE-2010-4705.
More information:

Several vulnerabilities have been discovered in FFmpeg coders, which are used by MPlayer and other applications.

  • CVE-2010-3429

    Cesar Bernardini and Felipe Andres Manzano reported an arbitrary offset dereference vulnerability in the libavcodec, in particular in the FLIC file format parser. A specific FLIC file may exploit this vulnerability and execute arbitrary code. Mplayer is also affected by this problem, as well as other software that use this library.

  • CVE-2010-4704

    Greg Maxwell discovered an integer overflow the Vorbis decoder in FFmpeg. A specific Ogg file may exploit this vulnerability and execute arbitrary code.

  • CVE-2010-4705

    A potential integer overflow has been discovered in the Vorbis decoder in FFmpeg.

This upload also fixes an incomplete patch from DSA-2000-1. Michael Gilbert noticed that there was remaining vulnerabilities, which may cause a denial of service and potentially execution of arbitrary code.

For the oldstable distribution (lenny), this problem has been fixed in version 0.svn20080206-18+lenny3.

We recommend that you upgrade your ffmpeg-debian packages.