Date: Mon, 05 Dec 2011 08:58:14 -0500
From: Marc Deslauriers <>
Subject: Re: CVE Request: ffmpeg

On Sun, 2011-12-04 at 11:36 -0700, Kurt Seifried wrote:
> On 12/04/2011 04:06 AM, Marc Deslauriers wrote:
> > This doesn't seem to have a CVE:
> >
> > An error within the "svq1_decode_frame()" function
> > (libavcodec/svq1dec.c) can be exploited to corrupt memory.
> >
> >;a=commit;h=4931c8f0f10bf8dedcf626104a6b85bfefadc6f2
> >
> The secunia page lists 3 CVE's and 4 issues with no mappings to CVE's to
> issues that I can see. Can you reply with the mapping information that
> you used to determine that this issue was not assigned a CVE (as opposed
> to one of the other issues)? Also can you confirm or prove that these
> 4 issues are all separate and that two of them have not been merged
> (thus obviating any need for a third CVE)? Thanks in advance. If anyone
> from Secunia is on this list I'd love to hear from you/any comments on
> this issue are more than welcome.

The 3 other issues got CVEs assigned here:

CVE-2011-4351 - An error within the QDM2 decoder (libavcodec/qdm2.c) can
be exploited to cause a buffer overflow.

Seems to be the following commits in libavcodec/qdm2.c (at least the
last one, the others seem to be a bit older):
;a=commitdiff;h=491eaf35ae1f9b619441314bec33766e31580184
;a=commitdiff;h=291d74a46d32183653db07818c7b3407fd50a288
;a=commitdiff;h=7d49f79f1cd47783a963a757a6563b9cac29db62
;a=commitdiff;h=14db3af4f26dad8e6ddf2147e96ccc710952ad4d
;a=commitdiff;h=895d258e9ba065d035dd30dbc622423031f0185c

Last commit says this fixes NGS00144

CVE-2011-4352 - An integer overflow error within the "vp3_dequant()"
function (libavcodec/vp3.c) can be exploited to cause a buffer overflow.

Seems to be the following commit in libavcodec/vp3.c:
;a=commit;h=eef5c35b4352ec49ca41f6198bee8a976b1f81e5

Commit says this fixes NGS00145

CVE-2011-4353 - Errors within the "av_image_fill_pointers()", the
"vp5_parse_coeff()", and the "vp6_parse_coeff()" functions can be
exploited to trigger out-of-bounds reads.

Seems to be the following commits in libavutil/imgutils.c,
libavcodec/vp5.c, libavcodec/vp6.c:
;a=commit;h=c693aa6f71b4f539cf9df67ba42f4b1932981687
;a=commit;h=bb4b0ad83b13c3af57675e80163f3f333adef96f
;a=commit;h=e0966eb140b3569b3d6b5b5008961944ef229c06

So, the fourth issue, which is fixed by the following commit that
matches the description doesn't seem to have a CVE number, and doesn't
seem to be related to the others:

"An error within the "svq1_decode_frame()" function
(libavcodec/svq1dec.c) can be exploited to corrupt memory."
;a=commit;h=4931c8f0f10bf8dedcf626104a6b85bfefadc6f2

Commit says it fixes NGS00148.
