Debian DSA-2336-1 : ffmpeg - several vulnerabilities

high Nessus Plugin ID 56727

Synopsis

The remote Debian host is missing a security-related update.

Description

Multiple vulnerabilities were found in FFmpeg, a multimedia player, server and encoder :

- CVE-2011-3362 An integer signedness error in decode_residual_block function of the Chinese AVS video (CAVS) decoder in libavcodec can lead to denial of service (memory corruption and application crash) or possible code execution via a crafted CAVS file.

- CVE-2011-3973/ CVE-2011-3974 Multiple errors in the Chinese AVS video (CAVS) decoder can lead to denial of service (memory corruption and application crash) via an invalid bitstream.

- CVE-2011-3504 A memory allocation problem in the Matroska format decoder can lead to code execution via a crafted file.

Solution

Upgrade the ffmpeg packages.

For the stable distribution (squeeze), this problem has been fixed in version 4:0.5.5-1.

Security support for ffmpeg has been discontinued for the oldstable distribution (lenny) before in DSA 2306. The current version in oldstable is not supported by upstream anymore and is affected by several security issues. Backporting fixes for these and any future issues has become unfeasible and therefore we needed to drop our security support for the version in oldstable.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641478

https://security-tracker.debian.org/tracker/CVE-2011-3362

https://security-tracker.debian.org/tracker/CVE-2011-3973

https://security-tracker.debian.org/tracker/CVE-2011-3974

https://security-tracker.debian.org/tracker/CVE-2011-3504

https://packages.debian.org/source/squeeze/ffmpeg

https://www.debian.org/security/2011/dsa-2336

Plugin Details

Severity: High

ID: 56727

File Name: debian_DSA-2336.nasl

Version: 1.11

Type: local

Agent: unix

Published: 11/8/2011

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:ffmpeg, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 11/7/2011

Reference Information

CVE: CVE-2011-3362, CVE-2011-3504, CVE-2011-3973, CVE-2011-3974

BID: 49115, 49118, 50555

DSA: 2336