-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0926
                           ffmpeg security update
                             12 September 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ffmpeg
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-0723 CVE-2011-0722 CVE-2011-0480 CVE-2010-4704
                   CVE-2010-3908
Reference:         ASB-2011.0004.2
                   ESB-2011.0179

Original Bulletin:
   http://www.debian.org/security/2011/dsa-2306

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running ffmpeg check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2306-1                  security@debian.org
http://www.debian.org/security/                         Giuseppe Iuculano
September 11, 2011                     http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : ffmpeg
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2010-3908 CVE-2010-4704 CVE-2011-0480 CVE-2011-0722
                 CVE-2011-0723
Debian Bug     : 611495

Several vulnerabilities have been discovered in ffmpeg, a multimedia player,
server and encoder.
The Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2010-3908

   FFmpeg before 0.5.4 allows remote attackers to cause a denial of service
   (memory corruption and application crash) or possibly execute arbitrary
   code via a malformed WMV file.

CVE-2010-4704

   libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg allows remote
   attackers to cause a denial of service (application crash) via a crafted
   .ogg file, related to the vorbis_floor0_decode function.

CVE-2011-0480

   Multiple buffer overflows in vorbis_dec.c in the Vorbis decoder in FFmpeg
   allow remote attackers to cause a denial of service (memory corruption and
   application crash) or possibly have unspecified other impact via a crafted
   WebM file, related to buffers for the channel floor and the channel
   residue.

CVE-2011-0722

   FFmpeg allows remote attackers to cause a denial of service (heap memory
   corruption and application crash) or possibly execute arbitrary code via a
   malformed RealMedia file.

For the stable distribution (squeeze), these problems have been fixed in
version 4:0.5.4-1.

Security support for ffmpeg has been discontinued for the oldstable
distribution (lenny). The current version in oldstable is not supported by
upstream anymore and is affected by several security issues. Backporting
fixes for these and any future issues has become unfeasible and therefore
we need to drop our security support for the version in oldstable.

We recommend that you upgrade your ffmpeg packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk5s7SIACgkQNxpp46476aodAQCaAm5VWfGx6I2A9RNw8stjALGK
aO0An0Q7J1GF1ylBivmSMYIERy1DMZV1
=agGR
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTm1ma+4yVqjM2NGpAQJ7/A//YofRFuA32bX7h9/57/4dS4L9p9bJkKW3
IuWEd1VObQuYujxPeCo0NsNN0deYCLr+Hwzk6gxWEJaIe3giQnmLmyHYYrhf8gi0
Ei33s66D2XX6WfpmUNCEls+v7XRYx5+hLR+0lD1HeAsZW78tvw42wqEZSLxRYcFW
QnEIHnYoNzMU/EGSDnSgRpVfWUTNgs0SLqDQQ8XjolynMDefNgXzm5PG9uin3Ndh
9QOTo0lduR6EaaYHk6um1OAVwMDHvSG4SiFr7K6aVNtkioD7qD/vWYrUFTxob0uv
6pjZp6pLoMpbS3VGlEzmI5sdW49gVNFEne6nodYLh/D/ytAMbU4aaQZBfDlcG5GT
cttLeZcpMGopWx+iXK4SirqBGLzrFsHHk9suDZdU5a/7ibNcwjjoMIQQdLBw9+ft
R+XEy9FX+558hUyVwhLbYqARYEd63+XjMLr5JoeTm1bMaeGtADOGzX61Vt8snBcl
JzOO8Ar0Ezbkjg/5EjP3BObGNbVhCJya5ev3fIj3T+EUFjKMN7gCsqwMAYfX85K5
38g/E0gpn7nxsgdLMac8f4mAewdWSMMuD7s1nI4az7GmwYnZ8Nw6ovIv8Pvh/xoQ
XyECHAABV+KtsA/FkbJFjNGTA/zjlt/GVlPGgzwq4FZMTfjTm4agX4+ULuDv5byG
CImiZ2/wb7g=
=rUck
-----END PGP SIGNATURE-----