1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200601-06 / xine-lib ffmpeg |
| Release Date | January 10, 2006 |
| Latest Revision | January 10, 2006: 01 |
| Impact | normal |
| Exploitable | remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| media-libs/xine-lib | < 1.1.1-r3 | >= 1.1.1-r3 | All supported architectures |
| media-video/ffmpeg | < 0.4.9_p20051216 | >= 0.4.9_p20051216 | All supported architectures |
Related bugreports: #115849, #116181
xine-lib and FFmpeg are vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.
xine is a GPL high-performance, portable and reusable multimedia playback engine. xine-lib is xine's core engine. FFmpeg is a very fast video and audio converter and is used in xine-lib.
Simon Kilvington has reported a vulnerability in FFmpeg libavcodec. The flaw is due to a buffer overflow error in the "avcodec_default_get_buffer()" function. This function doesn't properly handle specially crafted PNG files as a result of a heap overflow.
A remote attacker could entice a user to run an FFmpeg based application on a maliciously crafted PNG file, resulting in the execution of arbitrary code with the permissions of the user running the application.
There is no known workaround at this time.
All xine-lib users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.1-r3" |
All FFmpeg users should upgrade to the latest version:
Code Listing 3.2: Resolution |
# emerge --sync # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-0.4.9_p20051216" |