Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 06 Dec 2011 17:31:44 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marc Deslauriers <marc.deslauriers@...onical.com>
Subject: Re: CVE Request: ffmpeg



> Sure!
>
> The 3 other issues got CVEs assigned here:
>
> http://marc.info/?l=oss-security&m=132205107221272&w=2
>
> CVE-2011-4351 - An error within the QDM2 decoder (libavcodec/qdm2.c) can
> be exploited to cause a buffer overflow.
>
> Seems to be the following commits in libavcodec/qdm2.c (at least the
> last one, the others seem to be a bit older):
> http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=491eaf35ae1f9b619441314bec33766e31580184
> http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=291d74a46d32183653db07818c7b3407fd50a288
> http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=7d49f79f1cd47783a963a757a6563b9cac29db62
> http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=14db3af4f26dad8e6ddf2147e96ccc710952ad4d
> http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=895d258e9ba065d035dd30dbc622423031f0185c
>
> Last commit says this fixes NGS00144
>
> CVE-2011-4352 - An integer overflow error within the "vp3_dequant()"
> function (libavcodec/vp3.c) can be exploited to cause a buffer overflow.
>
> Seems to be the following commit in libavcodec/vp3.c:
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=eef5c35b4352ec49ca41f6198bee8a976b1f81e5
>
> Commit says this fixes NGS00145
>
> CVE-2011-4353 - Errors within the "av_image_fill_pointers()", the
> "vp5_parse_coeff()", and the "vp6_parse_coeff()" functions can be
> exploited to trigger out-of-bounds reads.
>
> Seems to be the following commits in libavutil/imgutils.c,
> libavcodec/vp5.c, libavcodec/vp6.c:
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c693aa6f71b4f539cf9df67ba42f4b1932981687
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=bb4b0ad83b13c3af57675e80163f3f333adef96f
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e0966eb140b3569b3d6b5b5008961944ef229c06
>
>
> So, the fourth issue, which is fixed by the following commit that
> matches the description doesn't seem to have a CVE number, and doesn't
> seem to be related to the others:
>
> "An error within the "svq1_decode_frame()" function
> (libavcodec/svq1dec.c) can be exploited to corrupt memory."
>
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=4931c8f0f10bf8dedcf626104a6b85bfefadc6f2
>
> Commit says it fixes NGS00148.
>
> Marc.
>
Thanks, context is king =). Please use CVE-2011-4579 for this new issue
( svq1_decode_frame() )

-- 

-Kurt Seifried / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.