| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Aug 2011 15:19:39 +0200
From: Daniele Bianco <danbia@...rt.org>
To: oss-security@...ts.openwall.com, ocert-announce@...ts.ocert.org,
bugtraq@...urityfocus.com
Subject: [oCERT-2011-002] libavcodec insufficient boundary check
#2011-002 libavcodec insufficient boundary check
Description:
The libavcodec library, an open source video encoding/decoding library part
of the FFmpeg and Libav projects, performs insufficient boundary check
against a buffer index. The missing check can result in arbitrary read/write
of data outside a destination buffer boundaries.
The vulnerability affects the Chinese AVS video (CAVS) file format decoder,
specially crafted CAVS files may lead to arbitrary code execution during
decoding.
Affected version:
FFmpeg <= 0.7.2, <= 0.8.1
Libav <= 0.7.1
The following packages were identified as affected as they statically
include libavcodec in their own packages.
MPlayer <= 1.0_rc4
Fixed version:
FFmpeg >= 0.7.3, >= 0.8.2
Libav, N/A
MPlayer, N/A
Credit: vulnerability report received from Emmanouel Kellinis.
CVE: N/A
Timeline:
2011-07-14: vulnerability report received
2011-07-15: contacted ffmpeg maintainers
2011-07-15: ffmpeg maintainer confirms the issue, preliminary patch is
provided
2011-07-21: patch approved by reporter
2011-07-23: contacted affected vendors
2011-08-10: advisory release
Permalink:
http://www.ocert.org/advisories/ocert-2011-002.html
--
Daniele Bianco Open Source Computer Security Incident Response Team
<danbia@...rt.org> http://www.ocert.org
GPG Key 0x9544A497
GPG Key fingerprint = 88A7 43F4 F28F 1B9D 6F2D 4AC5 AE75 822E 9544 A497
Powered by blists - more mailing lists