ffmpeg vulnerability and version disparity
Mark Foster
mark at foster.cc
Sun Feb 8 16:31:39 PST 2009
ffmpeg has 3 announced vulnerabilities in this past month.
Here is just the latest...
09.6.23 CVE: Not Available
Platform: Cross Platform
Title: FFmpeg "libavformat/4xm.c" Remote Code Execution
Description: FFmpeg is an application used to record, convert, and
stream audio and video. The application is exposed to a remote code
execution issue because it fails to adequately validate user-supplied
input. This issue occurs in the "libavformat/4xm.c" source file, and
occurs because of a NULL pointer dereference error. FFmpeg trunk
revision versions prior to 16846 are vulnerable.
Ref: http://www.trapkit.de/advisories/TKADV2009-004.txt
<http://www.trapkit.de/advisories/TKADV2009-004.txt>
Normally I would submit a vuxml entry, but not sure how to indicate the
proper "fixed" version since the port uses *2008.07.27_7* while the
fixed version is revision 16846.
How do we reconcile this?
--
Realization #2031: That the "meaning of life" is now just another Google search.
Mark D. Foster <mark at foster.cc>
http://mark.foster.cc/ | http://conshell.net/
More information about the freebsd-multimedia
mailing list