oss-sec mailing list archives
Fwd: [Full-disclosure] [PLSA 2008-36] Ffmpeg: Multiple vulnerabilities
From: Vincent Danen <vdanen () linsec ca>
Date: Wed, 29 Oct 2008 09:16:59 -0600
Was looking at the latest ffmpeg issue (CVE-2008-3230) to see if there were any patches and found this in my inbox as not dealt with yet. There are no CVE identifiers for any of these issues that I can see. I'm not sure how many of these issues would be considered security sensitive/exploitable, but Pardus had issued an advisory and the references contain the patches to fix them, but even searching on MITRE's web site shows no ffmpeg CVEs that I've missed. Do these need CVE identifiers?

--
Vincent Danen @ http://linsec.ca/
--- Begin Message ---
From: Pardus Security Team <pinar () pardus org tr>
Date: Fri, 05 Sep 2008 16:49:30 +0300
------------------------------------------------------------------------
Pardus Linux Security Advisory 2008-36          security () pardus org tr
------------------------------------------------------------------------
      Date: 2008-09-05
  Severity: 2
      Type: Remote
------------------------------------------------------------------------

Summary
=======

There are multiple vulnerabilities detected in ffmpeg. Please update your packages to the latest versions.

Description
===========

* Free in avcodec_close() avctx->rc_eq. Fix a memory leak.
* Buffer overflow in /libavcodec/dca.c. (patch by Alexander E. Patrakov)
* Prevent dts generation code to be executed when delay is > MAX_REORDER_DELAY, this fixes overflow in AVStream->pts_buffer. (in libavformat/utils.c())
* Tcp/udp memory leak

Affected packages:

  Pardus 2008:
    mplayer, all before 0.0_20080825-92-11
    ffmpeg, all before 0.4.9_20080825-46-14

Resolution
==========

There are update(s) for mplayer, ffmpeg. You can update them via Package Manager or with a single command from console:

    pisi up mplayer ffmpeg

References
==========

* http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016011.html
* http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016012.html
* http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016352.html
* http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016136.html

------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--- End Message ---