Steffen Joeris
2011-May-29 03:23 UTC
[Secure-testing-team] Bug#628448: several vulnerabilities: CVE-2011-2162 CVE-2011-2161 CVE-2011-2160
Package: libav
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for libav.

CVE-2011-2162[0]:
| Multiple unspecified vulnerabilities in FFmpeg 0.4.x through 0.6.x, as
| used in MPlayer 1.0 and other products, in Mandriva Linux 2009.0,
| 2010.0, and 2010.1; Corporate Server 4.0 (aka CS4.0); and Mandriva
| Enterprise Server 5 (aka MES5) have unknown impact and attack vectors,
| related to issues "originally discovered by Google Chrome developers."

CVE-2011-2161[1]:
| The ape_read_header function in ape.c in libavformat in FFmpeg before
| 0.5.4, as used in MPlayer, VideoLAN VLC media player, and other
| products, allows remote attackers to cause a denial of service
| (application crash) via an APE (aka Monkey's Audio) file that contains
| a header but no frames.

CVE-2011-2160[2]:
| The VC-1 decoding functionality in FFmpeg before 0.5.4, as used in
| MPlayer and other products, does not properly restrict read
| operations, which allows remote attackers to have an unspecified
| impact via a crafted VC-1 file, a related issue to CVE-2011-0723.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

Cheers,
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2162
    http://security-tracker.debian.org/tracker/CVE-2011-2162
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2161
    http://security-tracker.debian.org/tracker/CVE-2011-2161
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2160
    http://security-tracker.debian.org/tracker/CVE-2011-2160

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk3hvCAACgkQ62zWxYk/rQd1aACfZBs5SZcStYwaRi/5LB5zttpL
VPEAn2gZK2qTTba9yMf2XwQKsBrqKGMr
=2kvn
-----END PGP SIGNATURE-----