Executive Summary

Summary
Title ffmpeg
Informations
Name MDVSA-2008:157 First vendor Publication 2008-07-29
Vendor Mandriva Last vendor Modification 2008-07-29
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A vulnerability was found in how ffmpeg handled STR file demuxing. If a user were tricked into processing a malicious STR file, a remote attacker could execute arbitrary code with user privileges via applications linked against ffmpeg (CVE-2008-3162).

The updated packages have been patched to correct this issue.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2008:157

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13670
 
Oval ID: oval:org.mitre.oval:def:13670
Title: DSA-1781-1 ffmpeg-debian -- several vulnerabilities
Description: Several vulnerabilities have been discovered in ffmpeg, a multimedia player, server and encoder. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0385 It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. CVE-2008-3162 It was discovered that using a crafted STR file can lead to the execution of arbitrary code. For the oldstable distribution, these problems have been fixed in version 0.cvs20060823-8+etch1. For the stable distribution, these problems have been fixed in version 0.svn20080206-17+lenny1. For the testing distribution and the unstable distribution , these problems have been fixed in version 0.svn20080206-16. We recommend that you upgrade your ffmpeg-debian packages.
Family: unix Class: patch
Reference(s): DSA-1781-1
CVE-2009-0385
CVE-2008-3162
 Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
 Product(s): ffmpeg-debian
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:17029
 
Oval ID: oval:org.mitre.oval:def:17029
Title: USN-630-1 -- ffmpeg vulnerability
Description: It was discovered that ffmpeg did not correctly handle STR file demuxing.
Family: unix Class: patch
Reference(s): USN-630-1
CVE-2008-3162
 Version: 5
Platform(s): Ubuntu 7.10
Ubuntu 8.04
 Product(s): ffmpeg
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7843
 
Oval ID: oval:org.mitre.oval:def:7843
Title: DSA-1781 ffmpeg-debian -- several vulnerabilities
Description: Several vulnerabilities have been discovered in ffmpeg, a multimedia player, server and encoder. The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. It was discovered that using a crafted STR file can lead to the execution of arbitrary code.
Family: unix Class: patch
Reference(s): DSA-1781
CVE-2009-0385
CVE-2008-3162
 Version: 3
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
 Product(s): ffmpeg-debian
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 14

OpenVAS Exploits

Date Description
2009-05-05 Name : Debian Security Advisory DSA 1781-1 (ffmpeg-debian)
File : nvt/deb_1781_1.nasl
2009-04-09 Name : Mandriva Update for ffmpeg MDVSA-2008:157 (ffmpeg)
File : nvt/gb_mandriva_MDVSA_2008_157.nasl
2009-03-31 Name : Gentoo Security Advisory GLSA 200903-33 (ffmpeg gst-plugins-ffmpeg mplayer)
File : nvt/glsa_200903_33.nasl
2009-03-23 Name : Ubuntu Update for ffmpeg vulnerability USN-630-1
File : nvt/gb_ubuntu_USN_630_1.nasl
2009-01-20 Name : mplayer -- vulnerability in STR files processor
File : nvt/freebsd_mplayer11.nasl
2009-01-13 Name : Gentoo Security Advisory GLSA 200901-07 (mplayer)
File : nvt/glsa_200901_07.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
46842 FFmpeg libavformat/psxstr.c libavformat str_read_packet() Function STR File H...

Nessus® Vulnerability Scanner

Date Description
2009-04-30 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1781.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2008-157.nasl - Type : ACT_GATHER_INFO
2009-03-20 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200903-33.nasl - Type : ACT_GATHER_INFO
2009-01-16 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_5ccb1c14e35711dda7650030843d3802.nasl - Type : ACT_GATHER_INFO
2009-01-13 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200901-07.nasl - Type : ACT_GATHER_INFO
2008-07-29 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-630-1.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:39:34
  • Multiple Updates