-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2011:062 http://www.mandriva.com/security/ _______________________________________________________________________ Package : ffmpeg Date : April 1, 2011 Affected: 2010.1 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been identified and fixed in ffmpeg: FFmpeg 0.5 allows remote attackers to cause a denial of service (hang) via a crafted file that triggers an infinite loop. (CVE-2009-4636) flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlayer and other products, allows remote attackers to execute arbitrary code via a crafted flic file, related to an arbitrary offset dereference vulnerability. (CVE-2010-3429) libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg 0.6.1 and earlier allows remote attackers to cause a denial of service (application crash) via a crafted .ogg file, related to the vorbis_floor0_decode function. (CVE-2010-4704) Fix heap corruption crashes (CVE-2011-0722) Fix invalid reads in VC-1 decoding (CVE-2011-0723) And several additional vulnerabilites originally discovered by Google Chrome developers were also fixed with this advisory. The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4636 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3429 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4704 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0722 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0723 _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.1: b4db9e819fe581e61ad59225fe630a25 2010.1/i586/ffmpeg-0.6-0.22960.5.1mdv2010.2.i586.rpm b2ba7998b8549d1a0434d51ff76ddfed 2010.1/i586/libavformats52-0.6-0.22960.5.1mdv2010.2.i586.rpm ce8964529073304413e3591f8d0de20b 2010.1/i586/libavutil50-0.6-0.22960.5.1mdv2010.2.i586.rpm da9b5200a498933bd3a1e5e000937a90 2010.1/i586/libffmpeg52-0.6-0.22960.5.1mdv2010.2.i586.rpm 64a5a0c59fba081b54f7538fd658f66f 2010.1/i586/libffmpeg-devel-0.6-0.22960.5.1mdv2010.2.i586.rpm e6fa096ebf765e1258a13bd578a8de68 2010.1/i586/libffmpeg-static-devel-0.6-0.22960.5.1mdv2010.2.i586.rpm 4cc7830f9684161826518db3077ca207 2010.1/i586/libpostproc51-0.6-0.22960.5.1mdv2010.2.i586.rpm be1e63a9da0a1b48308390ce48dc30cb 2010.1/i586/libswscaler0-0.6-0.22960.5.1mdv2010.2.i586.rpm 87155585e9ad3413d3210489a539a62f 2010.1/SRPMS/ffmpeg-0.6-0.22960.5.1mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: f26e9389ab90769c9d41379063b44052 2010.1/x86_64/ffmpeg-0.6-0.22960.5.1mdv2010.2.x86_64.rpm c1f7175cad48f46cfdd2b0d57c5f1d82 2010.1/x86_64/lib64avformats52-0.6-0.22960.5.1mdv2010.2.x86_64.rpm da8802f10ae716e344a85d27061716e2 2010.1/x86_64/lib64avutil50-0.6-0.22960.5.1mdv2010.2.x86_64.rpm abe637a5f54bf30b8738bc77d3a505cd 2010.1/x86_64/lib64ffmpeg52-0.6-0.22960.5.1mdv2010.2.x86_64.rpm 528f1d86498f7c6d975aaa58c30715d6 2010.1/x86_64/lib64ffmpeg-devel-0.6-0.22960.5.1mdv2010.2.x86_64.rpm c77efb105b06ee700d1094e0f468bc6d 2010.1/x86_64/lib64ffmpeg-static-devel-0.6-0.22960.5.1mdv2010.2.x86_64.rpm 2b46dcebe1a563aed2e9949f5869be8b 2010.1/x86_64/lib64postproc51-0.6-0.22960.5.1mdv2010.2.x86_64.rpm e1f77931ce1aa23bbc8f1b8f607548ff 2010.1/x86_64/lib64swscaler0-0.6-0.22960.5.1mdv2010.2.x86_64.rpm 87155585e9ad3413d3210489a539a62f 2010.1/SRPMS/ffmpeg-0.6-0.22960.5.1mdv2010.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFNlhb3mqjQ0CJFipgRAn9IAJ9Yxk/y7oQNkzbAf0CXuET3XPRYYwCdF7V6 mAdlwouwYl64jARlHgI/M2w= =AyKF -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/