Date:      Sun, 08 Feb 2009 16:15:39 -0800
From:      Mark Foster <mark@foster.cc>
To:        multimedia@freebsd.org
Subject:   ffmpeg vulnerability and version disparity
Message-ID:  <498F75AB.2000608@foster.cc>

ffmpeg has 3 announced vulnerabilities in this past month.
Here is just the latest...
09.6.23 CVE: Not Available
Platform: Cross Platform
Title: FFmpeg "libavformat/4xm.c" Remote Code Execution
Description: FFmpeg is an application used to record, convert, and
stream audio and video. The application is exposed to a remote code
execution issue because it fails to adequately validate user-supplied
input. This issue occurs in the "libavformat/4xm.c" source file, and
occurs because of a NULL pointer dereference error. FFmpeg trunk
revision versions prior to 16846 are vulnerable.
Ref: http://www.trapkit.de/advisories/TKADV2009-004.txt

Normally I would submit a vuxml entry, but not sure how to indicate the 
proper "fixed" version since the port uses *2008.07.27_7* while the 
fixed version is revision 16846.

How do we reconcile this?

-- 
Realization #2031: That the "meaning of life" is now just another Google search.
Mark D. Foster <mark@foster.cc>  
http://mark.foster.cc/ | http://conshell.net/
