Referenced CVEs: 
CVE-2006-4799, CVE-2006-4800
Description: 
===========================================================
Ubuntu Security Notice USN-358-1           October 04, 2006
ffmpeg, xine-lib vulnerabilities
CVE-2006-4799, CVE-2006-4800
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  libavcodec-dev    3:0.cvs20050121-1ubuntu1.2
  libxine1          1.0-1ubuntu3.9
  kino              0.75-6ubuntu0.2

Ubuntu 5.10:
  libavcodec-dev    3:0.cvs20050918-4ubuntu1.1
  libxine1c2        1.0.1-1ubuntu10.5

Ubuntu 6.06 LTS:
  libavcodec-dev    3:0.cvs20050918-5ubuntu1.1
  libxine-main1     1.1.1+ubuntu2-7.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

XFOCUS Security Team discovered that the AVI decoder used in xine-lib
did not correctly validate certain headers. By tricking a user into
playing an AVI with malicious headers, an attacker could execute
arbitrary code with the target user's privileges. (CVE-2006-4799)

Multiple integer overflows were discovered in ffmpeg and tools that
contain a copy of ffmpeg (like xine-lib and kino), for several types
of video formats. By tricking a user into running a video player that
uses ffmpeg on a stream with malicious content, an attacker could
execute arbitrary code with the target user's privileges.
(CVE-2006-4800)