===========================================================
Ubuntu Security Notice USN-358-1           October 04, 2006
ffmpeg, xine-lib vulnerabilities
CVE-2006-4799, CVE-2006-4800
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  libavcodec-dev    3:0.cvs20050121-1ubuntu1.2
  libxine1          1.0-1ubuntu3.9
  kino              0.75-6ubuntu0.2

Ubuntu 5.10:
  libavcodec-dev    3:0.cvs20050918-4ubuntu1.1
  libxine1c2        1.0.1-1ubuntu10.5

Ubuntu 6.06 LTS:
  libavcodec-dev    3:0.cvs20050918-5ubuntu1.1
  libxine-main1     1.1.1+ubuntu2-7.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

XFOCUS Security Team discovered that the AVI decoder used in xine-lib
did not correctly validate certain headers. By tricking a user into
playing an AVI with malicious headers, an attacker could execute
arbitrary code with the target user's privileges. (CVE-2006-4799)

Multiple integer overflows were discovered in ffmpeg and tools that
contain a copy of ffmpeg (like xine-lib and kino), for several types
of video formats. By tricking a user into running a video player that
uses ffmpeg on a stream with malicious content, an attacker could
execute arbitrary code with the target user's privileges.
(CVE-2006-4800)

Updated packages for Ubuntu 5.04, Ubuntu 5.10 and Ubuntu 6.06 LTS are
available from http://security.ubuntu.com/ubuntu/pool/.