U radu programskog paketa ffmpeg uočeni su novi sigurnosni propusti. Udaljeni napadač ih može iskoristiti za pokretanje zlonamjernog programskog koda ili izvođenje napada uskraćivanja usluge (DoS).
Paket:
ffmpeg 4.x
Operacijski sustavi:
Ubuntu Linux 10.04, Ubuntu Linux 10.10
Kritičnost:
6.4
Problem:
neodgovarajuće rukovanje datotekama, pogreška u programskoj komponenti
==========================================================================
Ubuntu Security Notice USN-1320-1
January 05, 2012
ffmpeg vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
FFmpeg could be made to crash or run programs as your login if it
opened a specially crafted file.
Software Description:
- ffmpeg: multimedia player, server and encoder
Details:
Steve Manzuik discovered that FFmpeg incorrectly handled certain malformed
Matroska files. If a user were tricked into opening a crafted Matroska
file, an attacker could cause a denial of service via application crash, or
possibly execute arbitrary code with the privileges of the user invoking
the program. (CVE-2011-3504)
Phillip Langlois discovered that FFmpeg incorrectly handled certain
malformed QDM2 streams. If a user were tricked into opening a crafted QDM2
stream file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2011-4351)
Phillip Langlois discovered that FFmpeg incorrectly handled certain
malformed VP3 streams. If a user were tricked into opening a crafted file,
an attacker could cause a denial of service via application crash, or
possibly execute arbitrary code with the privileges of the user invoking
the program. This issue only affected Ubuntu 10.10. (CVE-2011-4352)
Phillip Langlois discovered that FFmpeg incorrectly handled certain
malformed VP5 and VP6 streams. If a user were tricked into opening a
crafted file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2011-4353)
It was discovered that FFmpeg incorrectly handled certain malformed VMD
files. If a user were tricked into opening a crafted VMD file, an attacker
could cause a denial of service via application crash, or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2011-4364)
Phillip Langlois discovered that FFmpeg incorrectly handled certain
malformed SVQ1 streams. If a user were tricked into opening a crafted SVQ1
stream file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2011-4579)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.10:
libavcodec52 4:0.6-2ubuntu6.3
libavformat52 4:0.6-2ubuntu6.3
Ubuntu 10.04 LTS:
libavcodec52 4:0.5.1-1ubuntu1.3
libavformat52 4:0.5.1-1ubuntu1.3
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1320-1
CVE-2011-3504, CVE-2011-4351, CVE-2011-4352, CVE-2011-4353,
CVE-2011-4364, CVE-2011-4579
Package Information:
https://launchpad.net/ubuntu/+source/ffmpeg/4:0.6-2ubuntu6.3
https://launchpad.net/ubuntu/+source/ffmpeg/4:0.5.1-1ubuntu1.3
Posljednje sigurnosne preporuke