- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201310-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: FFmpeg: Multiple vulnerabilities
      Date: October 25, 2013
      Bugs: #285719, #307755, #339036, #352481, #365273, #378801,
            #382301, #384095, #385511, #389807, #391421, #397893,
            #401069, #411369, #420305, #433772, #439054, #454420,
            #465496, #473302, #473790, #476218, #482136
        ID: 201310-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in FFmpeg, the worst of which might
enable remote attackers to cause user-assisted execution of arbitrary
code.

Background
==========

FFmpeg is a complete solution to record, convert and stream audio and
video.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-video/ffmpeg            < 1.0.7                   >= 1.0.7

Description
===========

Multiple vulnerabilities have been discovered in FFmpeg. Please review
the CVE identifiers and FFmpeg changelogs referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted media
file, possibly leading to the execution of arbitrary code with the
privileges of the user running the application or a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All FFmpeg users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-1.0.7"

References
==========

  [ 1 ] CVE-2009-4631
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4631
  [ 2 ] CVE-2009-4632
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4632
  [ 3 ] CVE-2009-4633
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4633
  [ 4 ] CVE-2009-4634
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4634
  [ 5 ] CVE-2009-4635
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4635
  [ 6 ] CVE-2009-4636
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4636
  [ 7 ] CVE-2009-4637
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4637
  [ 8 ] CVE-2009-4638
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4638
  [ 9 ] CVE-2009-4639
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4639
  [ 10 ] CVE-2009-4640
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4640
  [ 11 ] CVE-2010-3429
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3429
  [ 12 ] CVE-2010-3908
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3908
  [ 13 ] CVE-2010-4704
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4704
  [ 14 ] CVE-2010-4704
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4704
  [ 15 ] CVE-2010-4705
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4705
  [ 16 ] CVE-2011-1931
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1931
  [ 17 ] CVE-2011-3362
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3362
  [ 18 ] CVE-2011-3893
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3893
  [ 19 ] CVE-2011-3895
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3895
  [ 20 ] CVE-2011-3929
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3929
  [ 21 ] CVE-2011-3934
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3934
  [ 22 ] CVE-2011-3935
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3935
  [ 23 ] CVE-2011-3936
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3936
  [ 24 ] CVE-2011-3937
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3937
  [ 25 ] CVE-2011-3940
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3940
  [ 26 ] CVE-2011-3941
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3941
  [ 27 ] CVE-2011-3944
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3944
  [ 28 ] CVE-2011-3945
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3945
  [ 29 ] CVE-2011-3946
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3946
  [ 30 ] CVE-2011-3947
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3947
  [ 31 ] CVE-2011-3949
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3949
  [ 32 ] CVE-2011-3950
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3950
  [ 33 ] CVE-2011-3951
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3951
  [ 34 ] CVE-2011-3952
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3952
  [ 35 ] CVE-2011-3973
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3973
  [ 36 ] CVE-2011-3974
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3974
  [ 37 ] CVE-2011-4351
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4351
  [ 38 ] CVE-2011-4352
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4352
  [ 39 ] CVE-2011-4353
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4353
  [ 40 ] CVE-2011-4364
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4364
  [ 41 ] CVE-2012-0947
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0947
  [ 42 ] CVE-2012-2771
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2771
  [ 43 ] CVE-2012-2772
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2772
  [ 44 ] CVE-2012-2773
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2773
  [ 45 ] CVE-2012-2774
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2774
  [ 46 ] CVE-2012-2775
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2775
  [ 47 ] CVE-2012-2776
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2776
  [ 48 ] CVE-2012-2777
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2777
  [ 49 ] CVE-2012-2778
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2778
  [ 50 ] CVE-2012-2779
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2779
  [ 51 ] CVE-2012-2780
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2780
  [ 52 ] CVE-2012-2781
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2781
  [ 53 ] CVE-2012-2782
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2782
  [ 54 ] CVE-2012-2783
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2783
  [ 55 ] CVE-2012-2784
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2784
  [ 56 ] CVE-2012-2785
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2785
  [ 57 ] CVE-2012-2786
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2786
  [ 58 ] CVE-2012-2787
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2787
  [ 59 ] CVE-2012-2788
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2788
  [ 60 ] CVE-2012-2789
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2789
  [ 61 ] CVE-2012-2790
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2790
  [ 62 ] CVE-2012-2791
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2791
  [ 63 ] CVE-2012-2792
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2792
  [ 64 ] CVE-2012-2793
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2793
  [ 65 ] CVE-2012-2794
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2794
  [ 66 ] CVE-2012-2795
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2795
  [ 67 ] CVE-2012-2796
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2796
  [ 68 ] CVE-2012-2797
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2797
  [ 69 ] CVE-2012-2798
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2798
  [ 70 ] CVE-2012-2799
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2799
  [ 71 ] CVE-2012-2800
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2800
  [ 72 ] CVE-2012-2801
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2801
  [ 73 ] CVE-2012-2802
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2802
  [ 74 ] CVE-2012-2803
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2803
  [ 75 ] CVE-2012-2804
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2804
  [ 76 ] CVE-2012-2805
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2805
  [ 77 ] CVE-2013-3670
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3670
  [ 78 ] CVE-2013-3671
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3671
  [ 79 ] CVE-2013-3672
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3672
  [ 80 ] CVE-2013-3673
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3673
  [ 81 ] CVE-2013-3674
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3674
  [ 82 ] CVE-2013-3675
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3675
  [ 83 ] FFmpeg 0.10.x Changelog
         http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=refs/heads/release/0.10
  [ 84 ] FFmpeg 1.0.x Changelog
         http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=refs/heads/release/1.0
  [ 85 ] NGS Secure Research NGS00068
         http://archives.neohapsis.com/archives/bugtraq/2011-04/0258.html
  [ 86 ] Secunia Advisory SA36760
         http://secunia.com/advisories/36760/
  [ 87 ] Secunia Advisory SA46134
         https://secunia.com/advisories/46134/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201310-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
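The advisory's Affected packages table and Resolution section give the check an administrator actually needs: is the installed media-video/ffmpeg older than 1.0.7? The script below is an added example, not part of GLSA 201310-12 or of Gentoo's tooling. It assumes version strings in the dotted numeric form the table uses, optionally with Gentoo's "-rN" ebuild revision suffix; any other suffix (such as "_p1" or "_rc1") is reported as unrecognised rather than guessed at, so an odd version on a host is flagged for manual review instead of being silently classed as safe.

```shell
#!/bin/sh
# Added example, not part of GLSA 201310-12: classify a media-video/ffmpeg
# version string against the advisory's Affected packages table
# (< 1.0.7 vulnerable, >= 1.0.7 unaffected).

FIXED_VERSION="1.0.7"   # the advisory's Unaffected boundary

# Print the version as four numeric fields "MAJOR MINOR PATCH REVISION".
# Missing fields count as 0. Returns 1 for any form this script does not handle
# (non-numeric suffixes such as _p1 or _rc1, empty strings, leading dots).
version_fields() {
    v="$1"
    rev=0
    case "$v" in
        *-r*) rev="${v##*-r}"; v="${v%-r*}" ;;   # split off Gentoo "-rN" revision
    esac
    case "$v" in
        ''|.*|*[!0-9.]*) return 1 ;;             # only digits and dots allowed
    esac
    case "$rev" in
        ''|*[!0-9]*) return 1 ;;                 # revision must be purely numeric
    esac
    set -- $(printf '%s' "$v" | tr '.' ' ')
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$rev"
}

# Print -1, 0 or 1 depending on whether $1 is older than, equal to, or newer
# than $2 (field-by-field numeric comparison). Returns 2 if either is unparseable.
version_cmp() {
    a=$(version_fields "$1") || return 2
    b=$(version_fields "$2") || return 2
    set -- $a
    a1=$1; a2=$2; a3=$3; a4=$4
    set -- $b
    for pair in "$a1:$1" "$a2:$2" "$a3:$3" "$a4:$4"; do
        x=${pair%%:*}; y=${pair#*:}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Exit 0 if the given ffmpeg version is in the vulnerable range (< 1.0.7),
# 1 if it is unaffected, 2 if the version string could not be parsed.
ffmpeg_affected() {
    r=$(version_cmp "$1" "$FIXED_VERSION") || return 2
    [ "$r" -lt 0 ]
}

# Usage: sh check_glsa_201310_12.sh 1.0.6 1.0.7-r1 1.2.1
# (on a Gentoo host the installed version is the directory name under
# /var/db/pkg/media-video/ with the "ffmpeg-" prefix removed)
for ver in "$@"; do
    if ffmpeg_affected "$ver"; then
        echo "$ver: vulnerable (< $FIXED_VERSION), apply GLSA 201310-12"
    elif [ $? -eq 2 ]; then
        echo "$ver: unrecognised version format, check manually"
    else
        echo "$ver: unaffected"
    fi
done
```

The comparison is deliberately simple: the advisory names a single cut-off, so a four-field numeric compare with the ebuild revision as the last field is enough, and everything it cannot classify is surfaced rather than assumed safe.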