Message-ID: <48C138EA.6080708@pardus.org.tr>
Date: Fri, 05 Sep 2008 16:49:30 +0300
From: Pardus Security Team <pinar@...dus.org.tr>
To: pardus-security@...dus.org.tr
Cc: full-disclosure@...ts.grok.org.uk
Subject: [PLSA 2008-36] Ffmpeg: Multiple vulnerabilities

------------------------------------------------------------------------
Pardus Linux Security Advisory 2008-36            security@...dus.org.tr
------------------------------------------------------------------------
       Date: 2008-09-05
   Severity: 2
       Type: Remote
------------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities have been detected in ffmpeg. Please update
your packages to the latest versions.


Description
===========

* Free avctx->rc_eq in avcodec_close(). Fixes a memory leak.

* Buffer overflow in libavcodec/dca.c (patch by Alexander E. Patrakov).

* Prevent the dts generation code from being executed when delay >
MAX_REORDER_DELAY; this fixes an overflow in AVStream->pts_buffer (in
libavformat/utils.c).

* TCP/UDP memory leak.
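
The pts_buffer item above comes down to a range check before a fixed-size
reorder window is indexed. A simplified model of that guard, added here as an
illustration and not FFmpeg's or Pardus's code; struct stream, gen_dts, NOPTS
and the value 4 for MAX_REORDER_DELAY are assumptions of this sketch:

```c
#include <stdint.h>
#include <stddef.h>

#define MAX_REORDER_DELAY 4      /* constructed value for this sketch */
#define NOPTS INT64_MIN          /* "no timestamp" sentinel (assumed) */

struct stream {                  /* hypothetical stand-in for AVStream */
    int64_t pts_buffer[MAX_REORDER_DELAY + 1];
};

void stream_init(struct stream *st)
{
    for (size_t i = 0; i <= MAX_REORDER_DELAY; i++)
        st->pts_buffer[i] = NOPTS;
}

/* Derive a dts from the pts reorder window.
 * Returns 0 and stores the dts on success; returns -1 without touching
 * pts_buffer or *dts when delay is out of range or pts is missing. */
int gen_dts(struct stream *st, int delay, int64_t pts, int64_t *dts)
{
    /* The guard: the loops below index up to `delay`, so any value
     * outside 0..MAX_REORDER_DELAY would write past pts_buffer. */
    if (delay < 0 || delay > MAX_REORDER_DELAY || pts == NOPTS)
        return -1;

    st->pts_buffer[0] = pts;
    /* Fill still-empty slots with values below any real pts. */
    for (int i = 1; i <= delay && st->pts_buffer[i] == NOPTS; i++)
        st->pts_buffer[i] = (int64_t)(i - delay - 1);
    /* One insertion pass keeps the window sorted; highest index is delay. */
    for (int i = 0; i < delay && st->pts_buffer[i] > st->pts_buffer[i + 1]; i++) {
        int64_t tmp = st->pts_buffer[i];
        st->pts_buffer[i] = st->pts_buffer[i + 1];
        st->pts_buffer[i + 1] = tmp;
    }
    *dts = st->pts_buffer[0];    /* smallest pts currently in the window */
    return 0;
}
```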

Affected packages:

   Pardus 2008:
     mplayer, all before 0.0_20080825-92-11
     ffmpeg, all before 0.4.9_20080825-46-14


Resolution
==========

There are update(s) for mplayer, ffmpeg. You can update them via Package
Manager or with a single command from console:

     pisi up mplayer ffmpeg

References
==========

   * http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016011.html
   * http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016012.html
   * http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016352.html
   * http://lists.mplayerhq.hu/pipermail/ffmpeg-cvslog/2008-August/016136.html

------------------------------------------------------------------------
