Your submission was sent successfully! Close

USN-358-1: ffmpeg, xine-lib vulnerabilities

5 October 2006

ffmpeg, xine-lib vulnerabilities

Releases

Details

XFOCUS Security Team discovered that the AVI decoder used in xine-lib did not
correctly validate certain headers. By tricking a user into playing an AVI
with malicious headers, an attacker could execute arbitrary code with the
target user's privileges. (CVE-2006-4799)

Multiple integer overflows were discovered in ffmpeg and tools that contain a
copy of ffmpeg (like xine-lib and kino), for several types of video formats.
By tricking a user into running a video player that uses ffmpeg on a stream
with malicious content, an attacker could execute arbitrary code with the
target user's privileges. (CVE-2006-4800)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 6.06
  • libxine-main1 - 1.1.1+ubuntu2-7.3
  • libavcodec-dev - 3:0.cvs20050918-5ubuntu1.1
Ubuntu 5.10
  • libxine1c2 - 1.0.1-1ubuntu10.5
  • libavcodec-dev - 3:0.cvs20050918-4ubuntu1.1
Ubuntu 5.04
  • libxine1 - 1.0-1ubuntu3.9
  • kino - 0.75-6ubuntu0.2
  • libavcodec-dev - 3:0.cvs20050121-1ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.