CVE-2013-2276
Published: 27 February 2013
The avcodec_decode_audio4 function in utils.c in libavcodec in FFmpeg before 1.1.3 does not verify the decoding state before proceeding with certain skip operations, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted audio data.
Notes
| Author | Note |
|---|---|
| mdeslaur | ffmpeg-extra in multiverse needs to have matching version libav-extra is built with tarball produced by libav package |
| jdstrand | avcodec_decode_audio4() does not exist in ffmpeg in Ubuntu 10.04 LTS or libav in Ubuntu 11.10 avcodec_decode_audio4() exists in Ubuntu 12.04 LTS and higher, but does not support skipping samples |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
ffmpeg Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
| lucid |
Not vulnerable
(code-not-present)
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
Patches: upstream: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8a6449167a6da8cb747cfe3502ae86ffaac2ed48 |
||
|
ffmpeg-extra Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Not vulnerable
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
libav Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| oneiric |
Not vulnerable
(code-not-present)
|
|
| precise |
Not vulnerable
(code-not-present)
|
|
| quantal |
Not vulnerable
(code-not-present)
|
|
| upstream |
Needs triage
|
|
|
libav-extra Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
|
|
| quantal |
Not vulnerable
|
|
| upstream |
Needs triage
|
|