User: Password:
|
|
Subscribe / Log in / New account

Mageia alert MGASA-2014-0281 (ffmpeg)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2014-0281: Updated ffmpeg packages fix security vulnerabilities
Date:  Fri, 4 Jul 2014 20:22:24 +0200
Message-ID:  <20140704182224.B25325A0B9@valstar.mageia.org>

MGASA-2014-0281 - Updated ffmpeg packages fix security vulnerabilities Publication date: 04 Jul 2014 URL: http://advisories.mageia.org/MGASA-2014-0281.html Type: security Affected Mageia releases: 3 CVE: CVE-2012-5150, CVE-2014-2097, CVE-2014-2098, CVE-2014-2099, CVE-2014-2263, CVE-2014-4610 Description: A use-after-free vulnerability in FFmpeg before 1.1.9 involving seek operations on video data could allow remote attackers to cause a denial of service (CVE-2012-5150). The tak_decode_frame function in libavcodec/takdec.c in FFmpeg before 1.1.9 does not properly validate a certain bits-per-sample value, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted TAK (aka Tom's lossless Audio Kompressor) data (CVE-2014-2097). libavcodec/wmalosslessdec.c in FFmpeg before 1.1.9 uses an incorrect data-structure size for certain coefficients, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted WMA data (CVE-2014-2098). The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before 1.1.9 does not properly calculate line sizes, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Microsoft RLE video data (CVE-2014-2099). The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB) muxer (libavformat/mpegtsenc.c) in FFmpeg before 1.1.9 allows remote attackers to have unspecified impact and vectors, which trigger an out-of-bounds write (CVE-2014-2263). An integer overflow in LZO decompression in FFmpeg before 1.1.12 allows remote attackers to have an unspecified impact by embedding compressed data in a video file (CVE-2014-4610). This updates provides ffmpeg version 1.1.12, which fixes these issues and several other bugs which were corrected upstream. References: - https://bugs.mageia.org/show_bug.cgi?id=13595 - http://git.videolan.org/?p=ffmpeg.git;a=log;h=n1.1.12 - http://ffmpeg.org/olddownload.html - http://ffmpeg.org/security.html - http://openwall.com/lists/oss-security/2014/06/26/23 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5150 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2097 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2098 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2099 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2263 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4610 SRPMS: - 3/core/ffmpeg-1.1.12-1.mga3 - 3/tainted/ffmpeg-1.1.12-1.mga3.tainted


(Log in to post comments)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds