Summary
Several vulnerabilities have been discovered in FFmpeg, a multimedia player, server and encoder. Multiple missing input validations in the decoders/demuxers for Shorten, Chinese AVS video, VP5, VP6, AVI, AVS and MPEG-1/2 files could lead to the execution of arbitrary code.
Most of these issues were discovered by Mateusz Jurczyk and Gynvael Coldwind.
Solution
For the stable distribution (squeeze), these problems have been fixed in version 4:0.5.10-1.
For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 6:0.8.5-1 of the source package libav.
We recommend that you upgrade your ffmpeg packages.
Insight
This package contains the ffplay multimedia player, the ffserver streaming server and the ffmpeg audio and video encoder. They support most existing file formats (AVI, MPEG, OGG, Matroska, ASF...) and encoding formats (MPEG, DivX, MPEG4, AC3, DV...).
Affected
ffmpeg on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
CVE: CVE-2012-0858, CVE-2012-2777, CVE-2012-2783, CVE-2012-2784, CVE-2012-2788, CVE-2012-2801, CVE-2012-2803
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C