CVE-2008-3162 Stack-based buffer overflow

Bug #248674 reported by Emanuele Gentili
Affects                  Status        Importance  Assigned to       Milestone
ffmpeg (Ubuntu)          Fix Released  Medium      Unassigned
  Nominated for Gutsy by Emanuele Gentili
  Nominated for Hardy by Emanuele Gentili
  Nominated for Intrepid by Emanuele Gentili
  Dapper                 Fix Released  Medium      Emanuele Gentili
  Feisty                 Fix Released  Medium      Emanuele Gentili
ffmpeg-debian (Debian)   Fix Released  Unknown

Bug Description

Stack-based buffer overflow in the str_read_packet function in libavformat/psxstr.c in FFmpeg before r13993 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted STR file that interleaves audio and video sectors.

CVE References

Revision history for this message
Emanuele Gentili (emgent) wrote:
Changed in ffmpeg:
assignee: nobody → emgent
importance: Undecided → Medium
status: New → Confirmed
Changed in ffmpeg:
assignee: nobody → emgent
importance: Undecided → Medium
status: New → Confirmed
Changed in ffmpeg:
assignee: nobody → emgent
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Emanuele Gentili (emgent) wrote:

POC:

Run 'ffmpeg -y -i logo.iki -vn -f wav /dev/null' (with the attached file)

On the latest Ubuntu/i386:
- SVN r13990 will crash immediately. Under valgrind 3.3.0 it will report several invalid writes and then valgrind itself will crash.
- SVN r13993 and up shouldn't crash or have any valgrind warnings.

Revision history for this message
Emanuele Gentili (emgent) wrote:

Intrepid uses ffmpeg-debian (main)
Hardy and Gutsy use ffmpeg (main)
Dapper and Feisty use ffmpeg (universe)

Changed in ffmpeg:
assignee: emgent → nobody
Changed in ffmpeg-debian:
status: Unknown → Fix Released
Revision history for this message
Emanuele Gentili (emgent) wrote:

Dapper fixed inline (adopted first security patch method).

Revision history for this message
Emanuele Gentili (emgent) wrote:
Changed in ffmpeg:
status: Confirmed → Fix Released
status: Confirmed → Fix Released
status: Confirmed → Fix Released