Mandriva Linux Security Advisory 2011-060 - oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain pointer arithmetic, which might allow remote attackers to obtain sensitive memory contents and cause a denial of service via a crafted file that triggers an out-of-bounds read. vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a comparison operator was intended, which might allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted file that modifies a loop counter and triggers a heap-based buffer overflow. Multiple integer underflows in FFmpeg 0.5 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted file that bypasses a validation check in vorbis_dec.c and triggers a wraparound of the stack pointer, or access a pointer from out-of-bounds memory in mov.c, related to an elst tag that appears before a tag that creates a stream. FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted MOV container with improperly ordered tags that cause utils.c to use inconsistent codec types and identifiers, which causes the mp3 decoder to process a pointer for a video structure, leading to a stack-based buffer overflow. The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows remote attackers to cause a denial of service via a crafted AVI file that triggers a divide-by-zero error. Array index error in vorbis_dec.c in FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Vorbis file that triggers an out-of-bounds read. flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlayer and other products, allows remote attackers to execute arbitrary code via a crafted flic file, related to an arbitrary offset dereference vulnerability. libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg 0.6.1 and earlier allows remote attackers to cause a denial of service via a crafted.ogg file, related to the vorbis_floor0_decode function. And several additional vulnerabilities originally discovered by Google Chrome developers were also fixed with this advisory.
72bda34e1a85cce233e9d75d74936eddfb6b008e8d850ac1e6308d2a939ee87b
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:060
http://www.mandriva.com/security/
_______________________________________________________________________
Package : ffmpeg
Date : April 1, 2011
Affected: 2009.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been identified and fixed in ffmpeg:
oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain
pointer arithmetic, which might allow remote attackers to obtain
sensitive memory contents and cause a denial of service via a crafted
file that triggers an out-of-bounds read. (CVE-2009-4632)
vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a
comparison operator was intended, which might allow remote attackers
to cause a denial of service and possibly execute arbitrary code via
a crafted file that modifies a loop counter and triggers a heap-based
buffer overflow. (CVE-2009-4633)
Multiple integer underflows in FFmpeg 0.5 allow remote attackers to
cause a denial of service and possibly execute arbitrary code via a
crafted file that (1) bypasses a validation check in vorbis_dec.c
and triggers a wraparound of the stack pointer, or (2) access a
pointer from out-of-bounds memory in mov.c, related to an elst tag
that appears before a tag that creates a stream. (CVE-2009-4634)
FFmpeg 0.5 allows remote attackers to cause a denial of service and
possibly execute arbitrary code via a crafted MOV container with
improperly ordered tags that cause (1) mov.c and (2) utils.c to use
inconsistent codec types and identifiers, which causes the mp3 decoder
to process a pointer for a video structure, leading to a stack-based
buffer overflow. (CVE-2009-4635)
The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows
remote attackers to cause a denial of service (crash) via a crafted
AVI file that triggers a divide-by-zero error. (CVE-2009-4639)
Array index error in vorbis_dec.c in FFmpeg 0.5 allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a crafted Vorbis file that triggers an out-of-bounds
read. (CVE-2009-4640)
flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlayer
and other products, allows remote attackers to execute arbitrary code
via a crafted flic file, related to an arbitrary offset dereference
vulnerability. (CVE-2010-3429)
libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg 0.6.1
and earlier allows remote attackers to cause a denial of service
(application crash) via a crafted .ogg file, related to the
vorbis_floor0_decode function. (CVE-2010-4704)
And several additional vulnerabilites originally discovered by Google
Chrome developers were also fixed with this advisory.
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4632
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4633
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4635
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4639
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4640
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4704
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
35b8598a8ba305854c81884350072070 2009.0/i586/ffmpeg-0.4.9-3.pre1.14161.1.4mdv2009.0.i586.rpm
537c6ed300c14bd4c6dac8b9ea98349a 2009.0/i586/libavformats52-0.4.9-3.pre1.14161.1.4mdv2009.0.i586.rpm
847b11c0bb86959f9712cb2beced7648 2009.0/i586/libavutil49-0.4.9-3.pre1.14161.1.4mdv2009.0.i586.rpm
6bad47923019bdd3e17209956955919e 2009.0/i586/libffmpeg51-0.4.9-3.pre1.14161.1.4mdv2009.0.i586.rpm
c49eeeda4be62fdcc57b0b42eff2005b 2009.0/i586/libffmpeg-devel-0.4.9-3.pre1.14161.1.4mdv2009.0.i586.rpm
c06661882ab8613b23712898751856af 2009.0/i586/libffmpeg-static-devel-0.4.9-3.pre1.14161.1.4mdv2009.0.i586.rpm
a9ef39faaa7a3054c846471ed95510a1 2009.0/i586/libswscaler0-0.4.9-3.pre1.14161.1.4mdv2009.0.i586.rpm
c8cf3cef711e1a6d51bcb666030e1f42 2009.0/SRPMS/ffmpeg-0.4.9-3.pre1.14161.1.4mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
03d2549605505e1c22ebb95d83b2657b 2009.0/x86_64/ffmpeg-0.4.9-3.pre1.14161.1.4mdv2009.0.x86_64.rpm
b4e51f531b91947b68224adb0b7da78b 2009.0/x86_64/lib64avformats52-0.4.9-3.pre1.14161.1.4mdv2009.0.x86_64.rpm
304a2ba3024d20e6c61d499d9d77daa0 2009.0/x86_64/lib64avutil49-0.4.9-3.pre1.14161.1.4mdv2009.0.x86_64.rpm
f772b82b558dc0cb8ce7f643c23b1214 2009.0/x86_64/lib64ffmpeg51-0.4.9-3.pre1.14161.1.4mdv2009.0.x86_64.rpm
d60e53babfdfced4c42e15e881c1de11 2009.0/x86_64/lib64ffmpeg-devel-0.4.9-3.pre1.14161.1.4mdv2009.0.x86_64.rpm
e7b0f5257f4859d35c33d7d9cfaf601c 2009.0/x86_64/lib64ffmpeg-static-devel-0.4.9-3.pre1.14161.1.4mdv2009.0.x86_64.rpm
a585acd8d62940593fca0aafc9b1dc96 2009.0/x86_64/lib64swscaler0-0.4.9-3.pre1.14161.1.4mdv2009.0.x86_64.rpm
c8cf3cef711e1a6d51bcb666030e1f42 2009.0/SRPMS/ffmpeg-0.4.9-3.pre1.14161.1.4mdv2009.0.src.rpm
Mandriva Enterprise Server 5:
3a36c497bde8a3e9fd34f0cd029d0392 mes5/i586/ffmpeg-0.4.9-3.pre1.14161.1.4mdvmes5.2.i586.rpm
3f06c90d4ec2332f295a6b947dd57ab5 mes5/i586/libavformats52-0.4.9-3.pre1.14161.1.4mdvmes5.2.i586.rpm
d9aab1dbf20a5e14c824ee003941763b mes5/i586/libavutil49-0.4.9-3.pre1.14161.1.4mdvmes5.2.i586.rpm
5917203833e406e431fcf3cfba2fe7de mes5/i586/libffmpeg51-0.4.9-3.pre1.14161.1.4mdvmes5.2.i586.rpm
d3ac8c102cf086501d4fd256155941ac mes5/i586/libffmpeg-devel-0.4.9-3.pre1.14161.1.4mdvmes5.2.i586.rpm
b42248fb015e570a89923d1a60728ead mes5/i586/libffmpeg-static-devel-0.4.9-3.pre1.14161.1.4mdvmes5.2.i586.rpm
48ce261f950e4730ac76bebf65c4acc7 mes5/i586/libswscaler0-0.4.9-3.pre1.14161.1.4mdvmes5.2.i586.rpm
b332f476834cc59ea192f36bf9f1521c mes5/SRPMS/ffmpeg-0.4.9-3.pre1.14161.1.4mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
897a2646af3535baeb15ec92bd912443 mes5/x86_64/ffmpeg-0.4.9-3.pre1.14161.1.4mdvmes5.2.x86_64.rpm
c270cb8f505340f3b23c6e862b6a61ae mes5/x86_64/lib64avformats52-0.4.9-3.pre1.14161.1.4mdvmes5.2.x86_64.rpm
3bcc81db2dce4cfe4e62f8828d710ef2 mes5/x86_64/lib64avutil49-0.4.9-3.pre1.14161.1.4mdvmes5.2.x86_64.rpm
556dccfb35d1b7ae34e3a98ff50392f9 mes5/x86_64/lib64ffmpeg51-0.4.9-3.pre1.14161.1.4mdvmes5.2.x86_64.rpm
ca12abb36b5abd916f3e94c19b02d10c mes5/x86_64/lib64ffmpeg-devel-0.4.9-3.pre1.14161.1.4mdvmes5.2.x86_64.rpm
63ea4c46741919fe690beb94e85cfd92 mes5/x86_64/lib64ffmpeg-static-devel-0.4.9-3.pre1.14161.1.4mdvmes5.2.x86_64.rpm
d87ceee8d1befd22d04e3f4f78e5e52b mes5/x86_64/lib64swscaler0-0.4.9-3.pre1.14161.1.4mdvmes5.2.x86_64.rpm
b332f476834cc59ea192f36bf9f1521c mes5/SRPMS/ffmpeg-0.4.9-3.pre1.14161.1.4mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFNlgUCmqjQ0CJFipgRAuihAKDPoHXVNvZg3AdcWlp42IFPTQ1sPwCg2Ig1
aC78goX8Av/Q7yOT6VWTDyo=
=0hmU
-----END PGP SIGNATURE-----