USN-358-1: ffmpeg, xine-lib vulnerabilities

5 October 2006

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 6.06 LTS
  • Ubuntu 5.10
  • Ubuntu 5.04

Details

XFOCUS Security Team discovered that the AVI decoder used in xine-lib did not correctly validate certain headers. By tricking a user into playing an AVI with malicious headers, an attacker could execute arbitrary code with the target user’s privileges. (CVE-2006-4799)

Multiple integer overflows were discovered in ffmpeg and tools that contain a copy of ffmpeg (like xine-lib and kino), for several types of video formats. By tricking a user into running a video player that uses ffmpeg on a stream with malicious content, an attacker could execute arbitrary code with the target user’s privileges. (CVE-2006-4800)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 6.06 LTS

  • libavcodec-dev - 3:0.cvs20050918-5ubuntu1.1
  • libxine-main1 - 1.1.1+ubuntu2-7.3

Ubuntu 5.10

  • libavcodec-dev - 3:0.cvs20050918-4ubuntu1.1
  • libxine1c2 - 1.0.1-1ubuntu10.5

Ubuntu 5.04

  • kino - 0.75-6ubuntu0.2
  • libavcodec-dev - 3:0.cvs20050121-1ubuntu1.2
  • libxine1 - 1.0-1ubuntu3.9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.
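As an added example that is not part of the notice, the following Python check compares installed package versions against the fixed versions listed above using Debian version ordering (epoch, then upstream version, then revision; `~` sorts before everything, digit runs compare numerically), so an inventory script can report which hosts still carry vulnerable ffmpeg or xine-lib packages. The package names and fixed versions are those from this notice; the `installed` mappings in the test are constructed samples.

```python
import re
from itertools import zip_longest

# Fixed versions from USN-358-1 (a host is patched when installed >= fixed).
FIXED = {
    "Ubuntu 6.06 LTS": {"libavcodec-dev": "3:0.cvs20050918-5ubuntu1.1",
                        "libxine-main1": "1.1.1+ubuntu2-7.3"},
    "Ubuntu 5.10": {"libavcodec-dev": "3:0.cvs20050918-4ubuntu1.1",
                    "libxine1c2": "1.0.1-1ubuntu10.5"},
    "Ubuntu 5.04": {"kino": "0.75-6ubuntu0.2",
                    "libavcodec-dev": "3:0.cvs20050121-1ubuntu1.2",
                    "libxine1": "1.0-1ubuntu3.9"},
}

def _order(c):
    # Debian ordering of non-digit chars: '~' < end of string < letters < other
    if c in ("~", ""):
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare upstream_version or debian_revision: alternate non-digit runs
    # (lexical, modified ordering) with digit runs (numeric), per Debian Policy.
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(na, nb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    # "epoch:upstream-revision"; epoch defaults to 0, revision to "0".
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), upstream, rev

def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(release, installed):
    """Packages in `installed` (name -> version) still below the USN-358-1 fixed version."""
    fixed = FIXED[release]
    return sorted(p for p, v in installed.items()
                  if p in fixed and compare_versions(v, fixed[p]) < 0)
```

On a real host the `installed` mapping would be filled from `dpkg-query -W -f='${Package} ${Version}\n'`; packages not named in the notice are ignored.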
