lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Aug 2011 15:19:39 +0200 From: Daniele Bianco <danbia@...rt.org> To: oss-security@...ts.openwall.com, ocert-announce@...ts.ocert.org, bugtraq@...urityfocus.com Subject: [oCERT-2011-002] libavcodec insufficient boundary check #2011-002 libavcodec insufficient boundary check Description: The libavcodec library, an open source video encoding/decoding library part of the FFmpeg and Libav projects, performs insufficient boundary check against a buffer index. The missing check can result in arbitrary read/write of data outside a destination buffer boundaries. The vulnerability affects the Chinese AVS video (CAVS) file format decoder, specially crafted CAVS files may lead to arbitrary code execution during decoding. Affected version: FFmpeg <= 0.7.2, <= 0.8.1 Libav <= 0.7.1 The following packages were identified as affected as they statically include libavcodec in their own packages. MPlayer <= 1.0_rc4 Fixed version: FFmpeg >= 0.7.3, >= 0.8.2 Libav, N/A MPlayer, N/A Credit: vulnerability report received from Emmanouel Kellinis. CVE: N/A Timeline: 2011-07-14: vulnerability report received 2011-07-15: contacted ffmpeg maintainers 2011-07-15: ffmpeg maintainer confirms the issue, preliminary patch is provided 2011-07-21: patch approved by reporter 2011-07-23: contacted affected vendors 2011-08-10: advisory release Permalink: http://www.ocert.org/advisories/ocert-2011-002.html -- Daniele Bianco Open Source Computer Security Incident Response Team <danbia@...rt.org> http://www.ocert.org GPG Key 0x9544A497 GPG Key fingerprint = 88A7 43F4 F28F 1B9D 6F2D 4AC5 AE75 822E 9544 A497
Powered by blists - more mailing lists