Bug#628448: several vulnerabilities: CVE-2011-2162 CVE-2011-2161 CVE-2011-2160
Steffen Joeris
white at debian.org
Sun May 29 03:23:17 UTC 2011
Package: libav
Severity: grave
Tags: security
Hi,

the following CVE (Common Vulnerabilities & Exposures) ids were
published for libav.

CVE-2011-2162[0]:
| Multiple unspecified vulnerabilities in FFmpeg 0.4.x through 0.6.x, as
| used in MPlayer 1.0 and other products, in Mandriva Linux 2009.0,
| 2010.0, and 2010.1; Corporate Server 4.0 (aka CS4.0); and Mandriva
| Enterprise Server 5 (aka MES5) have unknown impact and attack vectors,
| related to issues "originally discovered by Google Chrome developers."

CVE-2011-2161[1]:
| The ape_read_header function in ape.c in libavformat in FFmpeg before
| 0.5.4, as used in MPlayer, VideoLAN VLC media player, and other
| products, allows remote attackers to cause a denial of service
| (application crash) via an APE (aka Monkey's Audio) file that contains
| a header but no frames.

CVE-2011-2160[2]:
| The VC-1 decoding functionality in FFmpeg before 0.5.4, as used in
| MPlayer and other products, does not properly restrict read
| operations, which allows remote attackers to have an unspecified
| impact via a crafted VC-1 file, a related issue to CVE-2011-0723.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

Cheers,
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2162
    http://security-tracker.debian.org/tracker/CVE-2011-2162
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2161
    http://security-tracker.debian.org/tracker/CVE-2011-2161
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2160
    http://security-tracker.debian.org/tracker/CVE-2011-2160