Updated ffmpeg packages fix security vulnerabilities
Publication date: 15 Jan 2016
Modification date: 15 Jan 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-6761, CVE-2015-6818, CVE-2015-6820, CVE-2015-6821, CVE-2015-6822, CVE-2015-6823, CVE-2015-6824, CVE-2015-6825, CVE-2015-6826, CVE-2015-8216, CVE-2015-8219, CVE-2015-8363, CVE-2015-8364, CVE-2015-8365, CVE-2015-8661, CVE-2015-8662, CVE-2015-8663
Description
The update_dimensions function in libavcodec/vp8.c in FFmpeg before 2.4.12,
as used in Google Chrome before 46.0.2490.71 and other products, relies on a
coefficient-partition count during multi-threaded operation, which allows
remote attackers to cause a denial of service (race condition and memory
corruption) or possibly have unspecified other impact via a crafted WebM file
(CVE-2015-6761).
The decode_ihdr_chunk function in libavcodec/pngdec.c in FFmpeg before 2.4.11
does not enforce uniqueness of the IHDR (aka image header) chunk in a PNG
image, which allows remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified other impact via a
crafted image with two or more of these chunks (CVE-2015-6818).
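
Added example (not FFmpeg's or Mageia's code): a minimal C pre-check for the condition behind CVE-2015-6818, walking a PNG's chunk list and rejecting a file whose IHDR chunk is repeated. The function name, return codes and sample byte arrays are constructed for illustration; chunk CRCs are not verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PNG_OK = 0, PNG_MALFORMED = -1, PNG_DUP_IHDR = -2, PNG_BAD_IHDR = -3 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Enforce: IHDR is the first chunk, is 13 bytes long, and appears exactly once. */
int png_check_ihdr(const uint8_t *buf, size_t len) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    size_t off = 8;
    int seen_ihdr = 0, index = 0;

    if (len < 8 || memcmp(buf, sig, 8) != 0)
        return PNG_MALFORMED;
    while (len - off >= 12) {               /* 4 length + 4 type + 4 CRC */
        uint32_t clen = be32(buf + off);
        const uint8_t *type = buf + off + 4;
        if (clen > len - off - 12)          /* bounds check that cannot overflow */
            return PNG_MALFORMED;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (seen_ihdr) return PNG_DUP_IHDR;   /* the uniqueness check */
            if (index != 0 || clen != 13) return PNG_BAD_IHDR;
            seen_ihdr = 1;
        } else if (index == 0) {
            return PNG_BAD_IHDR;            /* first chunk must be IHDR */
        }
        if (memcmp(type, "IEND", 4) == 0)
            return PNG_OK;
        off += 12 + (size_t)clen;
        index++;
    }
    return PNG_MALFORMED;                   /* data ended before IEND */
}

/* Constructed sample inputs: 1x1 image header, zeroed CRCs, no IDAT. */
#define SIG  0x89,'P','N','G',0x0D,0x0A,0x1A,0x0A
#define IHDR 0,0,0,13,'I','H','D','R', 0,0,0,1, 0,0,0,1, 8,0,0,0,0, 0,0,0,0
#define IEND 0,0,0,0,'I','E','N','D', 0,0,0,0
static const uint8_t png_single[] = { SIG, IHDR, IEND };
static const uint8_t png_double[] = { SIG, IHDR, IHDR, IEND };

int main(void) {
    printf("single=%d double=%d\n", png_check_ihdr(png_single, sizeof png_single),
           png_check_ihdr(png_double, sizeof png_double));
    return 0;
}
```
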
The ff_sbr_apply function in libavcodec/aacsbr.c in FFmpeg before 2.4.11 does
not check for a matching AAC frame syntax element before proceeding with
Spectral Band Replication calculations, which allows remote attackers to
cause a denial of service (out-of-bounds array access) or possibly have
unspecified other impact via crafted AAC data (CVE-2015-6820).
The ff_mpv_common_init function in libavcodec/mpegvideo.c in FFmpeg before
2.4.11 does not properly maintain the encoding context, which allows remote
attackers to cause a denial of service (invalid pointer access) or possibly
have unspecified other impact via crafted MPEG data (CVE-2015-6821).
The destroy_buffers function in libavcodec/sanm.c in FFmpeg before 2.4.11
does not properly maintain height and width values in the video context,
which allows remote attackers to cause a denial of service (segmentation
violation and application crash) or possibly have unspecified other impact
via crafted LucasArts Smush video data (CVE-2015-6822).
The allocate_buffers function in libavcodec/alac.c in FFmpeg before 2.4.11
does not initialize certain context data, which allows remote attackers to
cause a denial of service (segmentation violation) or possibly have
unspecified other impact via crafted Apple Lossless Audio Codec (ALAC) data
(CVE-2015-6823).
The sws_init_context function in libswscale/utils.c in FFmpeg before 2.4.11
does not initialize certain pixbuf data structures, which allows remote
attackers to cause a denial of service (segmentation violation) or possibly
have unspecified other impact via crafted video data (CVE-2015-6824).
The ff_frame_thread_init function in libavcodec/pthread_frame.c in FFmpeg
before 2.4.11 mishandles certain memory-allocation failures, which allows
remote attackers to cause a denial of service (invalid pointer access) or
possibly have unspecified other impact via a crafted file, as demonstrated
by an AVI file (CVE-2015-6825).
The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c in FFmpeg
before 2.4.11 does not initialize certain structure members, which allows
remote attackers to cause a denial of service (invalid pointer access) or
possibly have unspecified other impact via crafted RV30 or RV40 RealVideo
data (CVE-2015-6826).
The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg before
2.4.12 omits certain width and height checks, which allows remote attackers
to cause a denial of service (out-of-bounds array access) or possibly have
unspecified other impact via crafted MJPEG data (CVE-2015-8216).
The init_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.4.12
does not enforce minimum-value and maximum-value constraints on tile
coordinates, which allows remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified other impact via
crafted JPEG 2000 data (CVE-2015-8219).
The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in FFmpeg
before 2.4.12 does not enforce uniqueness of the SIZ marker in a JPEG 2000
image, which allows remote attackers to cause a denial of service
(out-of-bounds heap-memory access) or possibly have unspecified other impact
via a crafted image with two or more of these markers (CVE-2015-8363).
Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi.c in
FFmpeg before 2.4.12 allows remote attackers to cause a denial of service
(out-of-bounds heap-memory access) or possibly have unspecified other impact
via crafted image dimensions in Indeo Video Interactive data (CVE-2015-8364).
The smka_decode_frame function in libavcodec/smacker.c in FFmpeg before
2.4.12 does not verify that the data size is consistent with the number of
channels, which allows remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified other impact via
crafted Smacker data (CVE-2015-8365).
The h264_slice_header_init function in libavcodec/h264_slice.c in FFmpeg
before 2.4.12 does not validate the relationship between the number of
threads and the number of slices, which allows remote attackers to cause a
denial of service (out-of-bounds array access) or possibly have unspecified
other impact via crafted H.264 data (CVE-2015-8661).
The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before
2.4.12 does not validate the number of decomposition levels before proceeding
with Discrete Wavelet Transform decoding, which allows remote attackers to
cause a denial of service (out-of-bounds array access) or possibly have
unspecified other impact via crafted JPEG 2000 data (CVE-2015-8662).
The ff_get_buffer function in libavcodec/utils.c in FFmpeg before 2.4.12
preserves width and height values after a failure, which allows remote
attackers to cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via a crafted .mov file
(CVE-2015-8663).
References
- https://bugs.mageia.org/show_bug.cgi?id=17257
- http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=n2.4.12
- http://ffmpeg.org/download.html
- http://ffmpeg.org/security.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6761
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6818
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6820
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6821
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6822
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6823
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6824
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6825
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6826
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8216
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8219
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8363
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8364
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8365
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8661
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8662
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8663
SRPMS
5/core
- ffmpeg-2.4.12-1.mga5
5/tainted
- ffmpeg-2.4.12-1.mga5.tainted