Your submission was sent successfully! Close

CVE-2011-3504

Published: 28 September 2011

The Matroska format decoder in FFmpeg before 0.8.3 does not properly allocate memory, which allows remote attackers to execute arbitrary code via a crafted file.

Notes

AuthorNote
mdeslaur
ffmpeg-extra in multiverse needs to have matching version
libav-extra is built with tarball produced by libav package
tyhicks
The Mitre description references MSVR11-011, while the upstream
commit message references MSVR11-080, which does not exist. I believe
there may have been a typo in the commit message.
I believe the ffmpeg commit 77d2ef13 was for the 0.8.3 release and
956c901c was the backport for the 0.7.5 release.
The older ffmpeg packages in lucid and maverick look to have the same
vulnerable code.
Priority

Medium

Status

Package Release Status
ffmpeg
Launchpad, Ubuntu, Debian
hardy Ignored
(reached end-of-life)
lucid
Released (4:0.5.1-1ubuntu1.3)
maverick
Released (4:0.6-2ubuntu6.3)
natty Does not exist

oneiric Does not exist

upstream Needed

Patches:
upstream: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec
vendor: http://lists.debian.org/debian-security-announce/2011/msg00216.html

ffmpeg-extra
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid
Released (4:0.5.1-1ubuntu1.3)
maverick
Released (4:0.6-2ubuntu3.3)
natty Does not exist

oneiric Does not exist

upstream Needed

libav
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Does not exist

maverick Does not exist

natty
Released (4:0.6.4-0ubuntu0.11.04.1)
oneiric Not vulnerable
(4:0.7.2-1ubuntu1)
upstream Needed

Patches:


upstream: http://git.libav.org/?p=libav.git;a=commit;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec
libav-extra
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Does not exist

maverick Does not exist

natty
Released (4:0.6.4-1ubuntu1)
oneiric
Released (4:0.7.3ubuntu0.11.10.1)
upstream Needed