 |
Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | ||
| Test ID: | 1.3.6.1.4.1.25623.1.0.71860 |
| Category: | Mandrake Local Security Checks |
| Title: | Mandriva Security Advisory MDVSA-2012:074-1 (ffmpeg) |
| Summary: | NOSUMMARY |
| Description: | Description: The remote host is missing an update to ffmpeg announced via advisory MDVSA-2012:074-1. Multiple vulnerabilities has been found and corrected in ffmpeg: The Matroska format decoder in FFmpeg does not properly allocate memory, which allows remote attackers to execute arbitrary code via a crafted file (CVE-2011-3362, CVE-2011-3504). cavsdec.c in libavcodec in FFmpeg allows remote attackers to cause a denial of service (incorrect write operation and application crash) via an invalid bitstream in a Chinese AVS video (aka CAVS) file, related to the decode_residual_block, check_for_slice, and cavs_decode_frame functions, a different vulnerability than CVE-2011-3362 (CVE-2011-3973). Integer signedness error in the decode_residual_inter function in cavsdec.c in libavcodec in FFmpeg allows remote attackers to cause a denial of service (incorrect write operation and application crash) via an invalid bitstream in a Chinese AVS video (aka CAVS) file, a different vulnerability than CVE-2011-3362 (CVE-2011-3974). FFmpeg does not properly implement the MKV and Vorbis media handlers, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors (CVE-2011-3893). Heap-based buffer overflow in the Vorbis decoder in FFmpeg allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted stream (CVE-2011-3895). An error within the QDM2 decoder (libavcodec/qdm2.c) can be exploited to cause a buffer overflow (CVE-2011-4351). An integer overflow error within the 'vp3_dequant()' function (libavcodec/vp3.c) can be exploited to cause a buffer overflow (CVE-2011-4352). Errors within the 'av_image_fill_pointers()', the 'vp5_parse_coeff()', and the 'vp6_parse_coeff()' functions can be exploited to trigger out-of-bounds reads (CVE-2011-4353). It was discovered that Libav incorrectly handled certain malformed VMD files. If a user were tricked into opening a crafted VMD file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program (CVE-2011-4364). It was discovered that Libav incorrectly handled certain malformed SVQ1 streams. If a user were tricked into opening a crafted SVQ1 stream file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program (CVE-2011-4579). The updated packages have been upgraded to the 0.5.9 version where these issues has been corrected. Additionally a couple of packages needed to be rebuilt for the new ffmpeg version and is also being provided with this advisory. Update: A missing dependency was discovered which prevented the sox library from installing properly. This updated advisory provided the missing libwavpack1 and lib64wavpack1 packages. Affected: Enterprise Server 5.0 Solution: To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. http://www.securityspace.com/smysecure/catid.html?in=MDVSA-2012:074-1 Risk factor : High |
| Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2011-3362 http://www.ocert.org/advisories/ocert-2011-002.html http://www.openwall.com/lists/oss-security/2011/09/13/4 http://www.openwall.com/lists/oss-security/2011/09/14/8 http://secunia.com/advisories/45532 Common Vulnerability Exposure (CVE) ID: CVE-2011-3504 http://www.mandriva.com/security/advisories?name=MDVSA-2012:074 http://www.mandriva.com/security/advisories?name=MDVSA-2012:075 http://www.mandriva.com/security/advisories?name=MDVSA-2012:076 http://technet.microsoft.com/en-us/security/msvr/msvr11-011 http://www.ffmpeg.org/releases/ffmpeg-0.7.5.changelog http://www.ffmpeg.org/releases/ffmpeg-0.8.4.changelog http://www.osvdb.org/75621 http://ubuntu.com/usn/usn-1320-1 http://ubuntu.com/usn/usn-1333-1 Common Vulnerability Exposure (CVE) ID: CVE-2011-3973 Common Vulnerability Exposure (CVE) ID: CVE-2011-3974 Common Vulnerability Exposure (CVE) ID: CVE-2011-3893 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14267 http://secunia.com/advisories/46933 http://secunia.com/advisories/49089 Common Vulnerability Exposure (CVE) ID: CVE-2011-3895 Debian Security Information: DSA-2471 (Google Search) http://www.debian.org/security/2012/dsa-2471 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13551 Common Vulnerability Exposure (CVE) ID: CVE-2011-4351 Bugtraq: 20111123 NGS00144 Patch Notification: FFmpeg Libavcodec buffer overflow remote code execution (Google Search) http://seclists.org/bugtraq/2011/Nov/145 Common Vulnerability Exposure (CVE) ID: CVE-2011-4352 Bugtraq: 20111123 NGS00145 Patch Notification: FFmpeg Libavcodec out of bounds write remote code execution (Google Search) http://www.securityfocus.com/archive/1/520622 Common Vulnerability Exposure (CVE) ID: CVE-2011-4353 Common Vulnerability Exposure (CVE) ID: CVE-2011-4364 Common Vulnerability Exposure (CVE) ID: CVE-2011-4579 Bugtraq: 20111123 NGS00148 Patch Notification: FFmpeg Libavcodec memory corruption remote code execution (Google Search) http://www.securityfocus.com/archive/1/520620 |
| Copyright | Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com |
| This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |