Executive Summary
Summary | |
---|---|
Title | ffmpeg security update |
Informations | |||
---|---|---|---|
Name | DSA-2336 | First vendor Publication | 2011-11-07 |
Vendor | Debian | Last vendor Modification | 2011-11-07 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Multiple vulnerabilities were found in the ffmpeg, a multimedia player, server and encoder: CVE-2011-3362 An integer signedness error in decode_residual_block function of the Chinese AVS video (CAVS) decoder in libavcodec can lead to denial of service (memory corruption and application crash) or possible code execution via a crafted CAVS file. CVE-2011-3973/CVE-2011-3974 Multiple errors in the Chinese AVS video (CAVS) decoder can lead to denial of service (memory corruption and application crash) via an invalid bitstream. CVE-2011-3504 A memory allocation problem in the Matroska format decoder can lead to code execution via a crafted file. For the stable distribution (squeeze), this problem has been fixed in version 4:0.5.5-1. For the unstable distribution (sid), this problem has been fixed in version 4:0.7.2-1 of the libav source package. Security support for ffmpeg has been discontinued for the oldstable distribution (lenny) before in DSA 2306. The current version in oldstable is not supported by upstream anymore and is affected by several security issues. Backporting fixes for these and any future issues has become unfeasible and therefore we needed to drop our security support for the version in oldstable. We recommend that you upgrade your ffmpeg packages. |
Original Source
Url : http://www.debian.org/security/2011/dsa-2336 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
25 % | CWE-399 | Resource Management Errors |
25 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:14770 | |||
Oval ID: | oval:org.mitre.oval:def:14770 | ||
Title: | DSA-2336-1 ffmpeg -- several | ||
Description: | Multiple vulnerabilities were found in the ffmpeg, a multimedia player, server and encoder: CVE-2011-3362 An integer signedness error in decode_residual_block function of the Chinese AVS video decoder in libavcodec can lead to denial of service or possible code execution via a crafted CAVS file. CVE-2011-3973/CVE-2011-3974 Multiple errors in the Chinese AVS video decoder can lead to denial of service via an invalid bitstream. CVE-2011-3504 A memory allocation problem in the Matroska format decoder can lead to code execution via a crafted file. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2336-1 CVE-2011-3362 CVE-2011-3973 CVE-2011-3974 CVE-2011-3504 | Version: | 7 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | ffmpeg |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21095 | |||
Oval ID: | oval:org.mitre.oval:def:21095 | ||
Title: | USN-1209-2 -- libav vulnerabilities | ||
Description: | Libav could be made to run programs as your login if it opened a specially crafted file. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1209-2 CVE-2011-1196 CVE-2011-1931 CVE-2011-3362 | Version: | 5 |
Platform(s): | Ubuntu 11.04 | Product(s): | libav |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21194 | |||
Oval ID: | oval:org.mitre.oval:def:21194 | ||
Title: | USN-1209-1 -- ffmpeg vulnerabilities | ||
Description: | FFmpeg could be made to run programs as your login if it opened a specially crafted file. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1209-1 CVE-2011-1196 CVE-2011-1931 CVE-2011-2161 CVE-2011-3362 | Version: | 5 |
Platform(s): | Ubuntu 10.10 Ubuntu 10.04 | Product(s): | ffmpeg |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-08-03 | Name : Mandriva Update for ffmpeg MDVSA-2012:075 (ffmpeg) File : nvt/gb_mandriva_MDVSA_2012_075.nasl |
2012-08-03 | Name : Mandriva Update for ffmpeg MDVSA-2012:076 (ffmpeg) File : nvt/gb_mandriva_MDVSA_2012_076.nasl |
2012-02-11 | Name : Debian Security Advisory DSA 2336-1 (ffmpeg) File : nvt/deb_2336_1.nasl |
2012-01-20 | Name : Ubuntu Update for libav USN-1333-1 File : nvt/gb_ubuntu_USN_1333_1.nasl |
2012-01-09 | Name : Ubuntu Update for ffmpeg USN-1320-1 File : nvt/gb_ubuntu_USN_1320_1.nasl |
2011-09-23 | Name : Ubuntu Update for ffmpeg USN-1209-1 File : nvt/gb_ubuntu_USN_1209_1.nasl |
2011-09-23 | Name : Ubuntu Update for libav USN-1209-2 File : nvt/gb_ubuntu_USN_1209_2.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
76803 | FFmpeg cavsdec.c libavcodec decode_residual_inter Function CAVS File Handling... |
76802 | FFmpeg cavsdec.c libavcodec Multiple Function CAVS File Handling Remote DoS |
75621 | FFmpeg Matroska File Handling Remote Code Execution |
74926 | ffmpeg libavcodec/cavsdec.c Multiple Function Signedness Error CAVS File Hand... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-10-27 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201310-12.nasl - Type : ACT_GATHER_INFO |
2012-09-06 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-076.nasl - Type : ACT_GATHER_INFO |
2012-05-15 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-075.nasl - Type : ACT_GATHER_INFO |
2012-01-18 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1333-1.nasl - Type : ACT_GATHER_INFO |
2012-01-06 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1320-1.nasl - Type : ACT_GATHER_INFO |
2011-11-08 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2336.nasl - Type : ACT_GATHER_INFO |
2011-09-20 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1209-1.nasl - Type : ACT_GATHER_INFO |
2011-09-20 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1209-2.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:30:32 |
|