Heap-based buffer overflow in the avcodec_default_get_buffer function (utils.c) in FFmpeg libavcodec 0.4.9-pre1 and earlier, as used in products such as (1) mplayer, (2) xine-lib, (3) Xmovie, and (4) GStreamer, allows remote attackers to execute arbitrary commands via small PNG images with palettes.

Simon Kilvington discovered that specially crafted PNG images can trigger a heap overflow in libavcodec, the multimedia library of ffmpeg, which may lead to the execution of arbitrary code.

Simon Kilvington discovered that specially crafted PNG images can trigger a heap overflow in libavcodec, the multimedia library of ffmpeg, which may lead to the execution of arbitrary code. xine-lib includes a local copy of libavcodec.

Simon Kilvington discovered that specially crafted PNG images can trigger a heap overflow in libavcodec, the multimedia library of ffmpeg, which may lead to the execution of arbitrary code. The vlc media player links statically against libavcodec.

New xine-lib packages are available for Slackware 10.2 and -current to fix security issues.

The remote host is affected by the vulnerability described in GLSA-200603-03 (MPlayer: Multiple integer overflows)

    MPlayer makes use of the FFmpeg library, which is vulnerable to a heap     overflow in the avcodec_default_get_buffer() function discovered by     Simon Kilvington (see GLSA 200601-06). Furthermore, AFI Security     Research discovered two integer overflows in ASF file format decoding,     in the new_demux_packet() function from libmpdemux/demuxer.h and the     demux_asf_read_packet() function from libmpdemux/demux_asf.c.
  Impact :

    An attacker could craft a malicious media file which, when opened using     MPlayer, would lead to a heap-based buffer overflow. This could result     in the execution of arbitrary code with the permissions of the user     running MPlayer.
  Workaround :

    There is no known workaround at this time.

The remote host is affected by the vulnerability described in GLSA-200602-01 (GStreamer FFmpeg plugin: Heap-based buffer overflow)

    The GStreamer FFmpeg plugin contains derived code from the FFmpeg     library, which is vulnerable to a heap overflow in the     'avcodec_default_get_buffer()' function discovered by Simon Kilvington     (see GLSA 200601-06).
  Impact :

    A remote attacker could entice a user to run an application using     the GStreamer FFmpeg plugin on a maliciously crafted PIX_FMT_PAL8     format image file (like PNG images), possibly leading to the execution     of arbitrary code with the permissions of the user running the     application.
  Workaround :

    There is no known workaround at this time.

USN-230-1 fixed a vulnerability in the ffmpeg library. The Xine library contains a copy of the ffmpeg code, thus it is vulnerable to the same flaw.

For reference, this is the original advisory :

Simon Kilvington discovered a buffer overflow in the avcodec_default_get_buffer() function of the ffmpeg library. By tricking an user into opening a malicious movie which contains specially crafted PNG images, this could be exploited to execute arbitrary code with the user's privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Simon Kilvington discovered a buffer overflow in the avcodec_default_get_buffer() function of the ffmpeg library. By tricking an user into opening a malicious movie which contains specially crafted PNG images, this could be exploited to execute arbitrary code with the user's privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

The vulnerability is caused due to a boundary error in the 'avcodec_default_get_buffer()' function of 'utils.c' in libavcodec.
This can be exploited to cause a heap-based buffer overflow when a specially crafted 1x1 '.png' file containing a palette is read.

Gstreamer-ffmpeg is built with a private copy of ffmpeg containing this same code.

The updated packages have been patched to prevent this problem.

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

The vulnerability is caused due to a boundary error in the 'avcodec_default_get_buffer()' function of 'utils.c' in libavcodec.
This can be exploited to cause a heap-based buffer overflow when a specially crafted 1x1 '.png' file containing a palette is read.

The updated packages have been patched to prevent this problem.

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

The vulnerability is caused due to a boundary error in the 'avcodec_default_get_buffer()' function of 'utils.c' in libavcodec.
This can be exploited to cause a heap-based buffer overflow when a specially crafted 1x1 '.png' file containing a palette is read.

Mplayer is built with a private copy of ffmpeg containing this same code.

The updated packages have been patched to prevent this problem.

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

The vulnerability is caused due to a boundary error in the 'avcodec_default_get_buffer()' function of 'utils.c' in libavcodec.
This can be exploited to cause a heap-based buffer overflow when a specially crafted 1x1 '.png' file containing a palette is read.

Xmovie is built with a private copy of ffmpeg containing this same code.

The updated packages have been patched to prevent this problem.

Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

The vulnerability is caused due to a boundary error in the 'avcodec_default_get_buffer()' function of 'utils.c' in libavcodec.
This can be exploited to cause a heap-based buffer overflow when a specially crafted 1x1 '.png' file containing a palette is read.

Xine-lib is built with a private copy of ffmpeg containing this same code. (Corporate Server 2.1 is not vulnerable)

The updated packages have been patched to prevent this problem.

The remote host is affected by the vulnerability described in GLSA-200601-06 (xine-lib, FFmpeg: Heap-based buffer overflow)

    Simon Kilvington has reported a vulnerability in FFmpeg     libavcodec. The flaw is due to a buffer overflow error in the     'avcodec_default_get_buffer()' function. This function doesn't properly     handle specially crafted PNG files as a result of a heap overflow.
  Impact :

    A remote attacker could entice a user to run an FFmpeg based     application on a maliciously crafted PNG file, resulting in the     execution of arbitrary code with the permissions of the user running     the application.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
22858	Debian DSA-992-1 : ffmpeg - buffer overflow	Nessus	Debian Local Security Checks	high
22547	Debian DSA-1005-1 : xine-lib - buffer overflow	Nessus	Debian Local Security Checks	high
22546	Debian DSA-1004-1 : vlc - buffer overflow	Nessus	Debian Local Security Checks	high
22101	Slackware 10.2 / current : xine-lib (SSA:2006-207-04)	Nessus	Slackware Local Security Checks	high
21001	GLSA-200603-03 : MPlayer: Multiple integer overflows	Nessus	Gentoo Local Security Checks	high
20864	GLSA-200602-01 : GStreamer FFmpeg plugin: Heap-based buffer overflow	Nessus	Gentoo Local Security Checks	high
20774	Ubuntu 4.10 / 5.04 / 5.10 : xine-lib vulnerability (USN-230-2)	Nessus	Ubuntu Local Security Checks	high
20773	Ubuntu 5.04 : ffmpeg vulnerability (USN-230-1)	Nessus	Ubuntu Local Security Checks	high
20463	Mandrake Linux Security Advisory : gstreamer-ffmpeg (MDKSA-2005:232)	Nessus	Mandriva Local Security Checks	high
20462	Mandrake Linux Security Advisory : ffmpeg (MDKSA-2005:231)	Nessus	Mandriva Local Security Checks	high
20461	Mandrake Linux Security Advisory : mplayer (MDKSA-2005:230)	Nessus	Mandriva Local Security Checks	high
20460	Mandrake Linux Security Advisory : xmovie (MDKSA-2005:229)	Nessus	Mandriva Local Security Checks	high
20459	Mandrake Linux Security Advisory : xine-lib (MDKSA-2005:228)	Nessus	Mandriva Local Security Checks	high
20416	GLSA-200601-06 : xine-lib, FFmpeg: Heap-based buffer overflow	Nessus	Gentoo Local Security Checks	high

Detections

Analytics

CVE-2005-4048

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high