[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20061004171824.GI4948@piware.de>
Date: Wed, 4 Oct 2006 19:18:25 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-358-1] ffmpeg, xine-lib vulnerabilities
===========================================================
Ubuntu Security Notice USN-358-1 October 04, 2006
ffmpeg, xine-lib vulnerabilities
CVE-2006-4799, CVE-2006-4800
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 5.04:
libavcodec-dev 3:0.cvs20050121-1ubuntu1.2
libxine1 1.0-1ubuntu3.9
kino 0.75-6ubuntu0.2
Ubuntu 5.10:
libavcodec-dev 3:0.cvs20050918-4ubuntu1.1
libxine1c2 1.0.1-1ubuntu10.5
Ubuntu 6.06 LTS:
libavcodec-dev 3:0.cvs20050918-5ubuntu1.1
libxine-main1 1.1.1+ubuntu2-7.3
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
XFOCUS Security Team discovered that the AVI decoder used in xine-lib did not
correctly validate certain headers. By tricking a user into playing an AVI
with malicious headers, an attacker could execute arbitrary code with the
target user's privileges. (CVE-2006-4799)
Multiple integer overflows were discovered in ffmpeg and tools that contain a
copy of ffmpeg (like xine-lib and kino), for several types of video formats.
By tricking a user into running a video player that uses ffmpeg on a stream
with malicious content, an attacker could execute arbitrary code with the
target user's privileges. (CVE-2006-4800)
Updated packages for Ubuntu 5.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/ffmpeg_0.cvs20050121-1ubuntu1.2.diff.gz
Size/MD5: 10238 f95a3b049976e6810b767accc23657fe
http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/ffmpeg_0.cvs20050121-1ubuntu1.2.dsc
Size/MD5: 805 12789d26ff5c943c58fe8aa71a1fbcdb
http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/ffmpeg_0.cvs20050121.orig.tar.gz
Size/MD5: 1781944 20b305e0943289b6e361bc15f664ff40
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0-1ubuntu3.9.diff.gz
Size/MD5: 6512 5c48feea8227f4960bee0b6c06db49d9
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0-1ubuntu3.9.dsc
Size/MD5: 1098 4415a20161d1f4556cf8ee85f0a3da58
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.orig.tar.gz
Size/MD5: 7384258 96e5195c366064e7778af44c3e71f43a
http://security.ubuntu.com/ubuntu/pool/main/k/kino/kino_0.75-6ubuntu0.2.diff.gz
Size/MD5: 26292 2a8a102104106661a5c08b8a8a53584b
http://security.ubuntu.com/ubuntu/pool/main/k/kino/kino_0.75-6ubuntu0.2.dsc
Size/MD5: 891 5dd7fc5093d6bd334409cc5cb4521847
http://security.ubuntu.com/ubuntu/pool/main/k/kino/kino_0.75.orig.tar.gz
Size/MD5: 1227042 592f90be63feb7e63940cedd68edcf79
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050121-1ubuntu1.2_amd64.deb
Size/MD5: 3897444 a331c7b4d7f3cdd9a234503e12c06f21
http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavcodec-dev_0.cvs20050121-1ubuntu1.2_amd64.deb
Size/MD5: 2284982 a9cbde7f83a7a87b245e2d3d832b7ec3
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavformat-dev_0.cvs20050121-1ubuntu1.2_amd64.deb
Size/MD5: 526308 344c6f14ef61283b8f4332869d390201
http://security.ubuntu.com/ubuntu/pool/multiverse/f/ffmpeg/libpostproc-dev_0.cvs20050121-1ubuntu1.2_amd64.deb
Size/MD5: 35990 0d8967185c517189fd45aa59955d2298
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0-1ubuntu3.9_amd64.deb
Size/MD5: 107106 7b164130de6563e3f706f5cce02ec23d
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.0-1ubuntu3.9_amd64.deb
Size/MD5: 3567868 c64fd2ac69e3c549d2e222243d8b704e
http://security.ubuntu.com/ubuntu/pool/main/k/kino/kino_0.75-6ubuntu0.2_amd64.deb
Size/MD5: 1365756 5b230b3deb8eefa51b96a2ebc52201c0
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050121-1ubuntu1.2_i386.deb
Size/MD5: 3721536 74ab13aceb62b7497032e4bd8060c62a
http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavcodec-dev_0.cvs20050121-1ubuntu1.2_i386.deb
Size/MD5: 2176110 2683978a935432d0ee871e2130fecc46
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavformat-dev_0.cvs20050121-1ubuntu1.2_i386.deb
Size/MD5: 510696 c933a6bf5763e5ab0b14e1eb731ce194
http://security.ubuntu.com/ubuntu/pool/multiverse/f/ffmpeg/libpostproc-dev_0.cvs20050121-1ubuntu1.2_i386.deb
Size/MD5: 39786 ca65d0f45198b839fe98ae9647edfc4b
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0-1ubuntu3.9_i386.deb
Size/MD5: 107094 619a73b7c3fdde643dfc3da8c8b877dc
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.0-1ubuntu3.9_i386.deb
Size/MD5: 3750788 7f26cc9b900e4fbb909ca0e10c637137
http://security.ubuntu.com/ubuntu/pool/main/k/kino/kino_0.75-6ubuntu0.2_i386.deb
Size/MD5: 1308716 57d8815a53e5eda1da911a93288f4a44
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050121-1ubuntu1.2_powerpc.deb
Size/MD5: 4435382 68e36e0eb9e1f1c021211d777eedcd6e
http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavcodec-dev_0.cvs20050121-1ubuntu1.2_powerpc.deb
Size/MD5: 2581972 f19925136fe56c1113e5980f6bc82512
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavformat-dev_0.cvs20050121-1ubuntu1.2_powerpc.deb
Size/MD5: 593320 99e3a9e8f937b4f809182b608623e50a
http://security.ubuntu.com/ubuntu/pool/multiverse/f/ffmpeg/libpostproc-dev_0.cvs20050121-1ubuntu1.2_powerpc.deb
Size/MD5: 64508 7905f228797ad344d1b6d69326143214
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0-1ubuntu3.9_powerpc.deb
Size/MD5: 107104 2ce65033d4fa5e21ca8373e5595ad33c
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.0-1ubuntu3.9_powerpc.deb
Size/MD5: 3925918 5f0a59c59a45dc79ce6003a0b34c575b
http://security.ubuntu.com/ubuntu/pool/main/k/kino/kino_0.75-6ubuntu0.2_powerpc.deb
Size/MD5: 1489212 f67c84ccff08669e15671580e419f956
Updated packages for Ubuntu 5.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050918-4ubuntu1.1.diff.gz
Size/MD5: 14644 5ab588391b9366951d79341c180d289b
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050918-4ubuntu1.1.dsc
Size/MD5: 897 d1ecda21e8571cdd206754ba0f19a34d
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050918.orig.tar.gz
Size/MD5: 1998449 dfd64c96545b8757f97c86e21aa1bc50
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1-1ubuntu10.5.diff.gz
Size/MD5: 11285 72b006b3db077d05c99a54e5ca942199
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1-1ubuntu10.5.dsc
Size/MD5: 1215 44402eee3519daf6d65898caf8beadc8
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1.orig.tar.gz
Size/MD5: 7774954 9be804b337c6c3a2e202c5a7237cb0f8
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050918-4ubuntu1.1_amd64.deb
Size/MD5: 4021266 b330d9df69e1d723e57bd745c2dd8168
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavcodec-dev_0.cvs20050918-4ubuntu1.1_amd64.deb
Size/MD5: 2397454 f5fe0b34d20286e41558c445484ea6de
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavformat-dev_0.cvs20050918-4ubuntu1.1_amd64.deb
Size/MD5: 540382 90fcaeabef43142942242c72f750f845
http://security.ubuntu.com/ubuntu/pool/multiverse/f/ffmpeg/libpostproc-dev_0.cvs20050918-4ubuntu1.1_amd64.deb
Size/MD5: 47034 092518659e4138cc89a2f3aa175c901a
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.5_amd64.deb
Size/MD5: 109106 ab7f37596f5ce06071ce6f0363ef1926
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.5_amd64.deb
Size/MD5: 3611650 bb49168c2f960d9e3105273949757d7c
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050918-4ubuntu1.1_i386.deb
Size/MD5: 3975334 d49be38418e2224c87ad14dcc627c05a
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavcodec-dev_0.cvs20050918-4ubuntu1.1_i386.deb
Size/MD5: 2421468 18a4404dd92816e4e618c01a1bf77a32
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavformat-dev_0.cvs20050918-4ubuntu1.1_i386.deb
Size/MD5: 517734 787d2af7cdb3c55ad165c6d47c600976
http://security.ubuntu.com/ubuntu/pool/multiverse/f/ffmpeg/libpostproc-dev_0.cvs20050918-4ubuntu1.1_i386.deb
Size/MD5: 45126 99de040df27e13fc9b06c813ece3c5d7
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.5_i386.deb
Size/MD5: 109118 f777e340488d5c825ac2a5729325c18b
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.5_i386.deb
Size/MD5: 4004780 490b87b7ed83e16d75d14668b3e748fa
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050918-4ubuntu1.1_powerpc.deb
Size/MD5: 3936540 d66cbc6c33a0bba46b1bbc677b19106f
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavcodec-dev_0.cvs20050918-4ubuntu1.1_powerpc.deb
Size/MD5: 2296452 763bf34b596f7135b96f49797a06082a
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavformat-dev_0.cvs20050918-4ubuntu1.1_powerpc.deb
Size/MD5: 566146 d8a1ef4c54ccb9e2e9c7b5cfb15f7c40
http://security.ubuntu.com/ubuntu/pool/multiverse/f/ffmpeg/libpostproc-dev_0.cvs20050918-4ubuntu1.1_powerpc.deb
Size/MD5: 61042 1ba669a9323d336ecae8b86b91e5ed42
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.5_powerpc.deb
Size/MD5: 109108 09d9e12faad921b6f7bf95e98441cfb6
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.5_powerpc.deb
Size/MD5: 3850120 0040292c8c92f611530a24e21c762f18
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050918-4ubuntu1.1_sparc.deb
Size/MD5: 3982268 128ca063c8391d7104cd5638f6cca89d
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavcodec-dev_0.cvs20050918-4ubuntu1.1_sparc.deb
Size/MD5: 2378950 3f79e4bea5c640bf982e41a1d7c789f5
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavformat-dev_0.cvs20050918-4ubuntu1.1_sparc.deb
Size/MD5: 538648 a28a4c20f849cf19035666d620166b6a
http://security.ubuntu.com/ubuntu/pool/multiverse/f/ffmpeg/libpostproc-dev_0.cvs20050918-4ubuntu1.1_sparc.deb
Size/MD5: 36582 fa5237aa1ceb35ea5f6dd1ab8cf2ceb5
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.5_sparc.deb
Size/MD5: 109124 1d026b570ef7945e3bf6f970ffb84fd3
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.5_sparc.deb
Size/MD5: 3695610 d660e38065ed28f50c0d61b5504b8a06
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050918-5ubuntu1.1.diff.gz
Size/MD5: 14929 a23e5b9e8e90543baeed121df5c32594
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050918-5ubuntu1.1.dsc
Size/MD5: 897 a4488074e90c9bed0de2c2d217f40778
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050918.orig.tar.gz
Size/MD5: 1998449 dfd64c96545b8757f97c86e21aa1bc50
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2-7.3.diff.gz
Size/MD5: 19017 5e5ed3a92e58367c258b16ca608b128c
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2-7.3.dsc
Size/MD5: 1141 f5aa37ad4527ca805ccc3226a4dd678b
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2.orig.tar.gz
Size/MD5: 6099365 5d0f3988e4d95f6af6f3caf2130ee992
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050918-5ubuntu1.1_amd64.deb
Size/MD5: 4019254 a3f2d447f449696117806a711d6d4942
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavcodec-dev_0.cvs20050918-5ubuntu1.1_amd64.deb
Size/MD5: 2445492 ba8b6300b74cced27c45422c13eb799a
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavformat-dev_0.cvs20050918-5ubuntu1.1_amd64.deb
Size/MD5: 540970 bd4c6f019fc7cec825dea64ab3368c39
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libpostproc-dev_0.cvs20050918-5ubuntu1.1_amd64.deb
Size/MD5: 96580 c5c9c42c1dd9f27e197190f7cc93515a
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.3_amd64.deb
Size/MD5: 115640 d08d611a1e0a12f8d9e4bcdbf88548b4
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.3_amd64.deb
Size/MD5: 2615036 d5d2f9ad1e652becb798bee1c06d5594
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050918-5ubuntu1.1_i386.deb
Size/MD5: 3927618 a091600f33b4407d3dbc462e100fec17
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavcodec-dev_0.cvs20050918-5ubuntu1.1_i386.deb
Size/MD5: 2441082 b5395fcbe7efc0e9a56f2d37af286030
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavformat-dev_0.cvs20050918-5ubuntu1.1_i386.deb
Size/MD5: 508484 58fe4431a9b7151100e883e0be452000
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libpostproc-dev_0.cvs20050918-5ubuntu1.1_i386.deb
Size/MD5: 99022 70dbbed56f773e22a601a47791de887b
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.3_i386.deb
Size/MD5: 115636 3a6044610769d746f1e0de936825802b
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.3_i386.deb
Size/MD5: 2934142 c7a4e53666bdf2a4b3b1ce8bd00c5b75
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050918-5ubuntu1.1_powerpc.deb
Size/MD5: 3925328 3c9d8705d15bea0159072201c4c68a11
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavcodec-dev_0.cvs20050918-5ubuntu1.1_powerpc.deb
Size/MD5: 2310264 9b06e144d062657b5e76951feac37c8d
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavformat-dev_0.cvs20050918-5ubuntu1.1_powerpc.deb
Size/MD5: 566128 e37ff68b001c9671d222ba0b67870d06
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libpostproc-dev_0.cvs20050918-5ubuntu1.1_powerpc.deb
Size/MD5: 77330 8bdf89bda030279393c60cdd6c27cd15
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.3_powerpc.deb
Size/MD5: 115644 88d3978e6f946575932b4b8f224028da
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.3_powerpc.deb
Size/MD5: 2724744 703b583809de3db53f131cb85d4c527d
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050918-5ubuntu1.1_sparc.deb
Size/MD5: 3859108 2c5038c12dc3d7601c14c3f62f8f2be6
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavcodec-dev_0.cvs20050918-5ubuntu1.1_sparc.deb
Size/MD5: 2302992 3b62a6751fb38b77f8ece1da50553d10
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavformat-dev_0.cvs20050918-5ubuntu1.1_sparc.deb
Size/MD5: 529472 073f5053de4cbc8418a2f3d5488fbf12
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libpostproc-dev_0.cvs20050918-5ubuntu1.1_sparc.deb
Size/MD5: 36208 a84032c989357f21fd724fdbb4b9fe2f
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.3_sparc.deb
Size/MD5: 115652 157726793623cb32e95ace007ec4c05b
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.3_sparc.deb
Size/MD5: 2591542 269caaefe0f88c1c1b8eb424a370cec0
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists