Advisories » MGASA-2016-0018

Updated ffmpeg packages fix security vulnerabilities

Publication date: 15 Jan 2016
Modification date: 15 Jan 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-6761, CVE-2015-6818, CVE-2015-6820, CVE-2015-6821, CVE-2015-6822, CVE-2015-6823, CVE-2015-6824, CVE-2015-6825, CVE-2015-6826, CVE-2015-8216, CVE-2015-8219, CVE-2015-8363, CVE-2015-8364, CVE-2015-8365, CVE-2015-8661, CVE-2015-8662, CVE-2015-8663

Description

The update_dimensions function in libavcodec/vp8.c in FFmpeg before 2.4.12,
as used in Google Chrome before 46.0.2490.71 and other products, relies on a
coefficient-partition count during multi-threaded operation, which allows
remote attackers to cause a denial of service (race condition and memory
corruption) or possibly have unspecified other impact via a crafted WebM file
(CVE-2015-6761).

The decode_ihdr_chunk function in libavcodec/pngdec.c in FFmpeg before 2.4.11
does not enforce uniqueness of the IHDR (aka image header) chunk in a PNG
image, which allows remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified other impact via a
crafted image with two or more of these chunks (CVE-2015-6818).
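
The uniqueness check that CVE-2015-6818 describes as missing, shown here as an added example and not as FFmpeg's code or its actual fix: a standalone pre-screening routine that walks a PNG buffer's chunk list and rejects a second IHDR. The function name, result codes and sample buffers are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Result codes and function name are hypothetical, not FFmpeg's. */
enum { PNG_OK = 0, PNG_BAD_SIG = -1, PNG_TRUNCATED = -2,
       PNG_IHDR_MISSING = -3, PNG_IHDR_DUPLICATE = -4, PNG_IHDR_BAD_LEN = -5 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the chunk list and require IHDR to be first, 13 bytes long and
 * present exactly once. Chunk CRCs are not verified in this sketch. */
int png_check_ihdr(const uint8_t *buf, size_t len) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    size_t off = 8;
    int seen_ihdr = 0;
    if (len < 8 || memcmp(buf, sig, 8) != 0)
        return PNG_BAD_SIG;
    while (off < len) {
        if (len - off < 12)                    /* length + type + CRC */
            return PNG_TRUNCATED;
        uint32_t clen = be32(buf + off);
        const uint8_t *type = buf + off + 4;
        if (clen > len - off - 12)             /* bounds check without overflow */
            return PNG_TRUNCATED;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (seen_ihdr)
                return PNG_IHDR_DUPLICATE;     /* input shape of CVE-2015-6818 */
            if (clen != 13)
                return PNG_IHDR_BAD_LEN;
            seen_ihdr = 1;
        } else if (!seen_ihdr) {
            return PNG_IHDR_MISSING;           /* IHDR must come first */
        }
        if (memcmp(type, "IEND", 4) == 0)
            break;
        off += 12 + (size_t)clen;
    }
    return seen_ihdr ? PNG_OK : PNG_IHDR_MISSING;
}

/* Constructed samples: 1x1 IHDR, CRC fields zeroed (not checked above). */
#define S_SIG  0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'
#define S_IHDR 0,0,0,13, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 8,0,0,0,0, 0,0,0,0
#define S_IEND 0,0,0,0, 'I','E','N','D', 0,0,0,0
const uint8_t sample_ok[]  = { S_SIG, S_IHDR, S_IEND };
const uint8_t sample_dup[] = { S_SIG, S_IHDR, S_IHDR, S_IEND };
```

A check of this kind can sit in front of a decoder on hosts that have not yet received the updated packages; it does not replace installing them.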

The ff_sbr_apply function in libavcodec/aacsbr.c in FFmpeg before 2.4.11 does
not check for a matching AAC frame syntax element before proceeding with
Spectral Band Replication calculations, which allows remote attackers to
cause a denial of service (out-of-bounds array access) or possibly have
unspecified other impact via crafted AAC data (CVE-2015-6820).

The ff_mpv_common_init function in libavcodec/mpegvideo.c in FFmpeg before
2.4.11 does not properly maintain the encoding context, which allows remote
attackers to cause a denial of service (invalid pointer access) or possibly
have unspecified other impact via crafted MPEG data (CVE-2015-6821).

The destroy_buffers function in libavcodec/sanm.c in FFmpeg before 2.4.11
does not properly maintain height and width values in the video context,
which allows remote attackers to cause a denial of service (segmentation
violation and application crash) or possibly have unspecified other impact
via crafted LucasArts Smush video data (CVE-2015-6822).

The allocate_buffers function in libavcodec/alac.c in FFmpeg before 2.4.11
does not initialize certain context data, which allows remote attackers to
cause a denial of service (segmentation violation) or possibly have
unspecified other impact via crafted Apple Lossless Audio Codec (ALAC) data
(CVE-2015-6823).

The sws_init_context function in libswscale/utils.c in FFmpeg before 2.4.11
does not initialize certain pixbuf data structures, which allows remote
attackers to cause a denial of service (segmentation violation) or possibly
have unspecified other impact via crafted video data (CVE-2015-6824).

The ff_frame_thread_init function in libavcodec/pthread_frame.c in FFmpeg
before 2.4.11 mishandles certain memory-allocation failures, which allows
remote attackers to cause a denial of service (invalid pointer access) or
possibly have unspecified other impact via a crafted file, as demonstrated
by an AVI file (CVE-2015-6825).

The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c in FFmpeg
before 2.4.11 does not initialize certain structure members, which allows
remote attackers to cause a denial of service (invalid pointer access) or
possibly have unspecified other impact via crafted RV30 or RV40 RealVideo
data (CVE-2015-6826).

The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg before
2.4.12 omits certain width and height checks, which allows remote attackers
to cause a denial of service (out-of-bounds array access) or possibly have
unspecified other impact via crafted MJPEG data (CVE-2015-8216).

The init_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.4.12
does not enforce minimum-value and maximum-value constraints on tile
coordinates, which allows remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified other impact via
crafted JPEG 2000 data (CVE-2015-8219).

The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in FFmpeg
before 2.4.12 does not enforce uniqueness of the SIZ marker in a JPEG 2000
image, which allows remote attackers to cause a denial of service
(out-of-bounds heap-memory access) or possibly have unspecified other impact
via a crafted image with two or more of these markers (CVE-2015-8363).

Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi.c in
FFmpeg before 2.4.12 allows remote attackers to cause a denial of service
(out-of-bounds heap-memory access) or possibly have unspecified other impact
via crafted image dimensions in Indeo Video Interactive data (CVE-2015-8364).

The smka_decode_frame function in libavcodec/smacker.c in FFmpeg before
2.4.12 does not verify that the data size is consistent with the number of
channels, which allows remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified other impact via
crafted Smacker data (CVE-2015-8365).

The h264_slice_header_init function in libavcodec/h264_slice.c in FFmpeg
before 2.4.12 does not validate the relationship between the number of
threads and the number of slices, which allows remote attackers to cause a
denial of service (out-of-bounds array access) or possibly have unspecified
other impact via crafted H.264 data (CVE-2015-8661).

The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before
2.4.12 does not validate the number of decomposition levels before proceeding
with Discrete Wavelet Transform decoding, which allows remote attackers to
cause a denial of service (out-of-bounds array access) or possibly have
unspecified other impact via crafted JPEG 2000 data (CVE-2015-8662).

The ff_get_buffer function in libavcodec/utils.c in FFmpeg before 2.4.12
preserves width and height values after a failure, which allows remote
attackers to cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via a crafted .mov file
(CVE-2015-8663).
                

SRPMS

5/tainted

5/core