Debian Security Advisory
DSA-2165-1 ffmpeg-debian -- buffer overflow
- Date Reported:
- 16 Feb 2011
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2010-3429, CVE-2010-4704, CVE-2010-4705.
- More information:
Several vulnerabilities have been discovered in FFmpeg coders, which are used by MPlayer and other applications.
Cesar Bernardini and Felipe Andres Manzano reported an arbitrary offset dereference vulnerability in the libavcodec, in particular in the FLIC file format parser. A specific FLIC file may exploit this vulnerability and execute arbitrary code. Mplayer is also affected by this problem, as well as other software that use this library.
Greg Maxwell discovered an integer overflow the Vorbis decoder in FFmpeg. A specific Ogg file may exploit this vulnerability and execute arbitrary code.
A potential integer overflow has been discovered in the Vorbis decoder in FFmpeg.
This upload also fixes an incomplete patch from DSA-2000-1. Michael Gilbert noticed that there was remaining vulnerabilities, which may cause a denial of service and potentially execution of arbitrary code.
For the oldstable distribution (lenny), this problem has been fixed in version 0.svn20080206-18+lenny3.
We recommend that you upgrade your ffmpeg-debian packages.