USN-358-1: ffmpeg, xine-lib vulnerabilities
5 October 2006
Details
XFOCUS Security Team discovered that the AVI decoder used in xine-lib did not
correctly validate certain headers. By tricking a user into playing an AVI
with malicious headers, an attacker could execute arbitrary code with the
target user's privileges. (CVE-2006-4799)
Multiple integer overflows were discovered in ffmpeg and tools that contain a
copy of ffmpeg (like xine-lib and kino), for several types of video formats.
By tricking a user into running a video player that uses ffmpeg on a stream
with malicious content, an attacker could execute arbitrary code with the
target user's privileges. (CVE-2006-4800)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 6.06
- libxine-main1 - 1.1.1+ubuntu2-7.3
- libavcodec-dev - 3:0.cvs20050918-5ubuntu1.1
Ubuntu 5.10
- libxine1c2 - 1.0.1-1ubuntu10.5
- libavcodec-dev - 3:0.cvs20050918-4ubuntu1.1
Ubuntu 5.04
- libxine1 - 1.0-1ubuntu3.9
- kino - 0.75-6ubuntu0.2
- libavcodec-dev - 3:0.cvs20050121-1ubuntu1.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
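To confirm that a host actually received the fixed packages, the following added example (not part of the original advisory) checks `dpkg-query -W` output against the version table above. The function names are hypothetical, and the comparison is a small reimplementation of Debian version ordering (epoch, upstream version, revision), not dpkg's own code.

```python
import re

FIXED = {  # fixed versions, copied from the advisory's update table
    "6.06": {"libxine-main1": "1.1.1+ubuntu2-7.3",
             "libavcodec-dev": "3:0.cvs20050918-5ubuntu1.1"},
    "5.10": {"libxine1c2": "1.0.1-1ubuntu10.5",
             "libavcodec-dev": "3:0.cvs20050918-4ubuntu1.1"},
    "5.04": {"libxine1": "1.0-1ubuntu3.9", "kino": "0.75-6ubuntu0.2",
             "libavcodec-dev": "3:0.cvs20050121-1ubuntu1.2"}}

def _order(c):
    # One non-digit character: '~' sorts before end of string, then letters, then the rest.
    if c in ("~", ""):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate between a non-digit run (character order) and a digit run (numeric).
    while a or b:
        (na, da, a), (nb, db, b) = (re.match(r"(\D*)(\d*)(.*)", s).groups() for s in (a, b))
        for i in range(max(len(na), len(nb))):
            oa, ob = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _parse(v):
    # [epoch:]upstream[-revision]; a missing epoch or revision counts as 0.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "0")
    return int(epoch), upstream, rev

def compare(a, b):
    (ea, ua, ra), (eb, ub, rb) = _parse(a), _parse(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(release, dpkg_output):
    # (package, installed, fixed) for every listed package older than its fixed version.
    installed = dict(r for r in map(str.split, dpkg_output.splitlines()) if len(r) == 2)
    return [(p, installed[p], f) for p, f in FIXED[release].items()
            if p in installed and compare(installed[p], f) < 0]

# Constructed sample of `dpkg-query -W` output from an Ubuntu 6.06 host.
SAMPLE = "libxine-main1\t1.1.1+ubuntu2-7.2\nlibavcodec-dev\t3:0.cvs20050918-5ubuntu1.1\n"
print(audit("6.06", SAMPLE))
```

An empty list means every listed package that is installed is at or above its fixed version; packages that are not installed are skipped.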