CVE-2011-3504
Published: 28 September 2011
The Matroska format decoder in FFmpeg before 0.8.3 does not properly allocate memory, which allows remote attackers to execute arbitrary code via a crafted file.
Notes
Author | Note |
---|---|
mdeslaur | ffmpeg-extra in multiverse needs to have matching version libav-extra is built with tarball produced by libav package |
tyhicks | The Mitre description references MSVR11-011, while the upstream commit message references MSVR11-080, which does not exist. I believe there may have been a typo in the commit message. I believe the ffmpeg commit 77d2ef13 was for the 0.8.3 release and 956c901c was the backport for the 0.7.5 release. The older ffmpeg packages in lucid and maverick look to have the same vulnerable code. |
Priority
Status
Package | Release | Status |
---|---|---|
ffmpeg Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
lucid |
Released
(4:0.5.1-1ubuntu1.3)
|
|
maverick |
Released
(4:0.6-2ubuntu6.3)
|
|
natty |
Does not exist
|
|
oneiric |
Does not exist
|
|
upstream |
Needed
|
|
Patches: upstream: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec vendor: http://lists.debian.org/debian-security-announce/2011/msg00216.html |
||
ffmpeg-extra Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
lucid |
Released
(4:0.5.1-1ubuntu1.3)
|
|
maverick |
Released
(4:0.6-2ubuntu3.3)
|
|
natty |
Does not exist
|
|
oneiric |
Does not exist
|
|
upstream |
Needed
|
|
libav Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
lucid |
Does not exist
|
|
maverick |
Does not exist
|
|
natty |
Released
(4:0.6.4-0ubuntu0.11.04.1)
|
|
oneiric |
Not vulnerable
(4:0.7.2-1ubuntu1)
|
|
upstream |
Needed
|
|
Patches: upstream: http://git.libav.org/?p=libav.git;a=commit;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec |
||
libav-extra Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
lucid |
Does not exist
|
|
maverick |
Does not exist
|
|
natty |
Released
(4:0.6.4-1ubuntu1)
|
|
oneiric |
Released
(4:0.7.3ubuntu0.11.10.1)
|
|
upstream |
Needed
|