lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1N96Tk-0007uJ-8y@titan.mandriva.com>
Date: Sat, 14 Nov 2009 01:27:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:297 ] ffmpeg


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:297
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ffmpeg
 Date    : November 13, 2009
 Affected: 2009.0, Corporate 3.0, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Vulnerabilities have been discovered and corrected in ffmpeg:
 
 - The ffmpeg lavf demuxer allows user-assisted attackers to cause
 a denial of service (application crash) via a crafted GIF file
 (CVE-2008-3230)
 
 - FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers
 to cause a denial of service (memory consumption) via unknown vectors,
 aka a Tcp/udp memory leak. (CVE-2008-4869)
 
 - Integer signedness error in the fourxm_read_header function in
 libavformat/4xm.c in FFmpeg before revision 16846 allows remote
 attackers to execute arbitrary code via a malformed 4X movie file with
 a large current_track value, which triggers a NULL pointer dereference
 (CVE-2009-0385)
 
 The updated packages fix this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3230
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4869
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0385
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 e0594fb5df04fa79335f16d75050cdd2  2009.0/i586/ffmpeg-0.4.9-3.pre1.14161.1.2mdv2009.0.i586.rpm
 57bbb28bfef423a5a03f191894ac047b  2009.0/i586/libavformats52-0.4.9-3.pre1.14161.1.2mdv2009.0.i586.rpm
 205e40f56832e8bc273df3fda8498721  2009.0/i586/libavutil49-0.4.9-3.pre1.14161.1.2mdv2009.0.i586.rpm
 789da278cdb4915eef10a15de83fdcca  2009.0/i586/libffmpeg51-0.4.9-3.pre1.14161.1.2mdv2009.0.i586.rpm
 b0fa1fe90d5a5dc261b8d09b91d84694  2009.0/i586/libffmpeg-devel-0.4.9-3.pre1.14161.1.2mdv2009.0.i586.rpm
 b9ae28eb8d2fb8b8f52a1d330d9d072b  2009.0/i586/libffmpeg-static-devel-0.4.9-3.pre1.14161.1.2mdv2009.0.i586.rpm
 d61b93aaddbab02603d815eecfaf5060  2009.0/i586/libswscaler0-0.4.9-3.pre1.14161.1.2mdv2009.0.i586.rpm 
 1ca41b3ff07810dd8fdc319dad0bfa38  2009.0/SRPMS/ffmpeg-0.4.9-3.pre1.14161.1.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 3bc194b9870a51d754fd4a263672a440  2009.0/x86_64/ffmpeg-0.4.9-3.pre1.14161.1.2mdv2009.0.x86_64.rpm
 220aaa86d9e11e2ef69bea8e360ebbac  2009.0/x86_64/lib64avformats52-0.4.9-3.pre1.14161.1.2mdv2009.0.x86_64.rpm
 7d3d5b429dc653e71e3ec8a4cfd17f30  2009.0/x86_64/lib64avutil49-0.4.9-3.pre1.14161.1.2mdv2009.0.x86_64.rpm
 568a8c2790c8378d555f5ff34a5360fc  2009.0/x86_64/lib64ffmpeg51-0.4.9-3.pre1.14161.1.2mdv2009.0.x86_64.rpm
 17601276b12379836321303c7f96f62f  2009.0/x86_64/lib64ffmpeg-devel-0.4.9-3.pre1.14161.1.2mdv2009.0.x86_64.rpm
 0ee4ae42aec3cc81fd2ee7ac5dc92ed7  2009.0/x86_64/lib64ffmpeg-static-devel-0.4.9-3.pre1.14161.1.2mdv2009.0.x86_64.rpm
 c54bbaeb83e81d78389cdae69fc7945e  2009.0/x86_64/lib64swscaler0-0.4.9-3.pre1.14161.1.2mdv2009.0.x86_64.rpm 
 1ca41b3ff07810dd8fdc319dad0bfa38  2009.0/SRPMS/ffmpeg-0.4.9-3.pre1.14161.1.2mdv2009.0.src.rpm

 Corporate 3.0:
 cd5e396289264ed5739fd77bc9580ce3  corporate/3.0/i586/ffmpeg-0.4.8-7.4.C30mdk.i586.rpm
 dade7b7fbf1d4bf1f74b94e17c09cc12  corporate/3.0/i586/libffmpeg0-0.4.8-7.4.C30mdk.i586.rpm
 9d0371d643c952bf302c4c79f7e8bf2f  corporate/3.0/i586/libffmpeg0-devel-0.4.8-7.4.C30mdk.i586.rpm 
 8a5fad09c722723e1a40de83a077d4eb  corporate/3.0/SRPMS/ffmpeg-0.4.8-7.4.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 614c5fd1e865146478012bd5b053e62e  corporate/3.0/x86_64/ffmpeg-0.4.8-7.4.C30mdk.x86_64.rpm
 3276671b86a7f9e4114defedb17f1770  corporate/3.0/x86_64/lib64ffmpeg0-0.4.8-7.4.C30mdk.x86_64.rpm
 9bfe44651ef6bbe526e26ca323a58817  corporate/3.0/x86_64/lib64ffmpeg0-devel-0.4.8-7.4.C30mdk.x86_64.rpm 
 8a5fad09c722723e1a40de83a077d4eb  corporate/3.0/SRPMS/ffmpeg-0.4.8-7.4.C30mdk.src.rpm

 Corporate 4.0:
 cea39827d3cd607430962785c6206bfe  corporate/4.0/i586/ffmpeg-0.4.9-0.pre1.5.4.20060mlcs4.i586.rpm
 345afe63a69e8b8c2f880a501174fa77  corporate/4.0/i586/libffmpeg0-0.4.9-0.pre1.5.4.20060mlcs4.i586.rpm
 190b7001f77184177490bff0b2176749  corporate/4.0/i586/libffmpeg0-devel-0.4.9-0.pre1.5.4.20060mlcs4.i586.rpm 
 cb4625766fd1476aa6abd49fcf249aa5  corporate/4.0/SRPMS/ffmpeg-0.4.9-0.pre1.5.4.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 aae084db08e02578728aedf396a08471  corporate/4.0/x86_64/ffmpeg-0.4.9-0.pre1.5.4.20060mlcs4.x86_64.rpm
 8e45b4810fa52179292b676b782eef10  corporate/4.0/x86_64/lib64ffmpeg0-0.4.9-0.pre1.5.4.20060mlcs4.x86_64.rpm
 6751921dec760a2742b88fd2434a6b8b  corporate/4.0/x86_64/lib64ffmpeg0-devel-0.4.9-0.pre1.5.4.20060mlcs4.x86_64.rpm 
 cb4625766fd1476aa6abd49fcf249aa5  corporate/4.0/SRPMS/ffmpeg-0.4.9-0.pre1.5.4.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 5568575b5be379d1f0d27bcde4aa38eb  mes5/i586/ffmpeg-0.4.9-3.pre1.14161.1.2mdvmes5.i586.rpm
 9d6dc2ea4e12f2c67f6519c83a571e02  mes5/i586/libavformats52-0.4.9-3.pre1.14161.1.2mdvmes5.i586.rpm
 3e56d644eb5642ebc0583f11e84f52e3  mes5/i586/libavutil49-0.4.9-3.pre1.14161.1.2mdvmes5.i586.rpm
 3eb1291249d8561b42afc0949ac75bcf  mes5/i586/libffmpeg51-0.4.9-3.pre1.14161.1.2mdvmes5.i586.rpm
 fd685cbabbd636f0cbe24f77ed2e186b  mes5/i586/libffmpeg-devel-0.4.9-3.pre1.14161.1.2mdvmes5.i586.rpm
 3f9f8eb7b6119383c3c8ca3af5c61fed  mes5/i586/libffmpeg-static-devel-0.4.9-3.pre1.14161.1.2mdvmes5.i586.rpm
 111b6bfabdf8058e3ec0826a712f1d6e  mes5/i586/libswscaler0-0.4.9-3.pre1.14161.1.2mdvmes5.i586.rpm 
 41df1f07603ebed5ceba3b21e790c9f0  mes5/SRPMS/ffmpeg-0.4.9-3.pre1.14161.1.2mdv2009.0.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 bf65d183cbc92b4b5c969dd494d1e1fa  mes5/x86_64/ffmpeg-0.4.9-3.pre1.14161.1.2mdvmes5.x86_64.rpm
 e2203a6231aaaa4c55a6dd63d74c5e7f  mes5/x86_64/lib64avformats52-0.4.9-3.pre1.14161.1.2mdvmes5.x86_64.rpm
 b824a2840bfa876467b1fb92b5cb8fe2  mes5/x86_64/lib64avutil49-0.4.9-3.pre1.14161.1.2mdvmes5.x86_64.rpm
 9c1e39e6affb3b1df529f13db5e98bea  mes5/x86_64/lib64ffmpeg51-0.4.9-3.pre1.14161.1.2mdvmes5.x86_64.rpm
 11107390354de01163b6d9815f0649c5  mes5/x86_64/lib64ffmpeg-devel-0.4.9-3.pre1.14161.1.2mdvmes5.x86_64.rpm
 220531e71a45efc06dd336b0ed8687cc  mes5/x86_64/lib64ffmpeg-static-devel-0.4.9-3.pre1.14161.1.2mdvmes5.x86_64.rpm
 53712b657a9c2e772abb3bde6f208824  mes5/x86_64/lib64swscaler0-0.4.9-3.pre1.14161.1.2mdvmes5.x86_64.rpm 
 41df1f07603ebed5ceba3b21e790c9f0  mes5/SRPMS/ffmpeg-0.4.9-3.pre1.14161.1.2mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFK/cuYmqjQ0CJFipgRAkExAKCfIlGM4OXYoHd+YsiHlSCQA4RS2ACgkUks
zU6eTQIbO65tDPa/ANHYTpo=
=q+lG
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ