USN-1320-1: FFmpeg vulnerabilities

05 January 2012

FFmpeg could be made to crash or run programs as your login if it opened a specially crafted file.

Releases

Packages

  • ffmpeg - multimedia player, server and encoder

Details

Steve Manzuik discovered that FFmpeg incorrectly handled certain malformed
Matroska files. If a user were tricked into opening a crafted Matroska
file, an attacker could cause a denial of service via application crash, or
possibly execute arbitrary code with the privileges of the user invoking
the program. (CVE-2011-3504)

Phillip Langlois discovered that FFmpeg incorrectly handled certain
malformed QDM2 streams. If a user were tricked into opening a crafted QDM2
stream file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2011-4351)

Phillip Langlois discovered that FFmpeg incorrectly handled certain
malformed VP3 streams. If a user were tricked into opening a crafted file,
an attacker could cause a denial of service via application crash, or
possibly execute arbitrary code with the privileges of the user invoking
the program. This issue only affected Ubuntu 10.10. (CVE-2011-4352)

Phillip Langlois discovered that FFmpeg incorrectly handled certain
malformed VP5 and VP6 streams. If a user were tricked into opening a
crafted file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2011-4353)

It was discovered that FFmpeg incorrectly handled certain malformed VMD
files. If a user were tricked into opening a crafted VMD file, an attacker
could cause a denial of service via application crash, or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2011-4364)

Phillip Langlois discovered that FFmpeg incorrectly handled certain
malformed SVQ1 streams. If a user were tricked into opening a crafted SVQ1
stream file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2011-4579)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 10.10
Ubuntu 10.04

In general, a standard system update will make all the necessary changes.

Related notices

  • USN-1333-1: libav, libavformat53, libavcodec52, libavcodec53, libavformat52