CVE-2008-4866

Priority
Low
Description
Multiple buffer overflows in libavformat/utils.c in FFmpeg 0.4.9 before
r14715, as used by MPlayer, allow context-dependent attackers to have an
unknown impact via vectors related to execution of DTS generation code with
a delay greater than MAX_REORDER_DELAY.
References
Bugs
Notes
mdeslaur> vulnerable code doesn't seem to exist in gutsy and hardy
mdeslaur> debian says: [etch] - ffmpeg <not-affected> (Vulnerable code not present)
mdeslaur> kino is built with --disable-local-ffmpeg, so it's not vulnerable
sbeattie> as of lucid, mplayer uses system ffmpeg rather than embedded
sbeattie> version
Assigned-to
mdeslaur
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):DNE
Ubuntu 10.04 LTS (Lucid Lynx):DNE
Ubuntu 11.04 (Natty Narwhal):DNE
Ubuntu 11.10 (Oneiric Ocelot):DNE
Ubuntu 12.04 LTS (Precise Pangolin):DNE
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):not-affected (code not present)
Ubuntu 10.04 LTS (Lucid Lynx):not-affected (3:0.svn20090303-1ubuntu1+unstripped1)
Ubuntu 11.04 (Natty Narwhal):DNE
Ubuntu 11.10 (Oneiric Ocelot):DNE
Ubuntu 12.04 LTS (Precise Pangolin):DNE
Patches:
Upstream:http://svn.ffmpeg.org/ffmpeg/trunk/libavformat/utils.c?r1=14677&r2=14714
Upstream:http://git.ffmpeg.org/?p=ffmpeg;a=commitdiff;h=9ea55926ccc0496af15a927d15da7a579ea4c4de
Upstream:http://svn.ffmpeg.org/ffmpeg/trunk/libavformat/avformat.h?r1=14667&r2=14715
Upstream:http://git.ffmpeg.org/?p=ffmpeg;a=commitdiff;h=6d72f36df6550aaefa047ad466fca9979b770ab2
Vendor:http://patch-tracking.debian.net/patch/series/view/ffmpeg-debian/0.svn20080206-17/050_CVE-2008-4866.patch
Vendor:http://patch-tracking.debian.net/patch/series/view/ffmpeg-debian/0.svn20080206-17/050_CVE-2008-4866-2.patch
Package
Source: kino (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):not-affected (uses system ffmpeg)
Ubuntu 10.04 LTS (Lucid Lynx):not-affected (uses system ffmpeg)
Ubuntu 11.04 (Natty Narwhal):not-affected (uses system ffmpeg)
Ubuntu 11.10 (Oneiric Ocelot):not-affected (uses system ffmpeg)
Ubuntu 12.04 LTS (Precise Pangolin):not-affected (uses system ffmpeg)
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):DNE
Ubuntu 10.04 LTS (Lucid Lynx):DNE
Ubuntu 11.04 (Natty Narwhal):DNE
Ubuntu 11.10 (Oneiric Ocelot):DNE
Ubuntu 12.04 LTS (Precise Pangolin):DNE
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):ignored (reached end-of-life)
Ubuntu 10.04 LTS (Lucid Lynx):not-affected (uses system ffmpeg)
Ubuntu 11.04 (Natty Narwhal):not-affected (uses system ffmpeg)
Ubuntu 11.10 (Oneiric Ocelot):not-affected (uses system ffmpeg)
Ubuntu 12.04 LTS (Precise Pangolin):not-affected (uses system ffmpeg)
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):not-affected (code not present)
Ubuntu 10.04 LTS (Lucid Lynx):not-affected (code not present)
Ubuntu 11.04 (Natty Narwhal):not-affected (code not present)
Ubuntu 11.10 (Oneiric Ocelot):not-affected (code not present)
Ubuntu 12.04 LTS (Precise Pangolin):not-affected (code not present)
More Information

Valid XHTML 1.0 Strict

Updated: 2012-06-01 15:19:12 UTC (commit 5347)