USN-358-1: ffmpeg, xine-lib vulnerabilities

Ubuntu Security Notice USN-358-1

4th October, 2006

ffmpeg, xine-lib vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 6.06 LTS
  • Ubuntu 5.10
  • Ubuntu 5.04

Details

XFOCUS Security Team discovered that the AVI decoder used in xine-lib did not
correctly validate certain headers. By tricking a user into playing an AVI
with malicious headers, an attacker could execute arbitrary code with the
target user's privileges. (CVE-2006-4799)

Multiple integer overflows were discovered in ffmpeg and tools that contain a
copy of ffmpeg (like xine-lib and kino), for several types of video formats.
By tricking a user into running a video player that uses ffmpeg on a stream
with malicious content, an attacker could execute arbitrary code with the
target user's privileges. (CVE-2006-4800)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 6.06 LTS:
libxine-main1 1.1.1+ubuntu2-7.3
libavcodec-dev 3:0.cvs20050918-5ubuntu1.1
Ubuntu 5.10:
libxine1c2 1.0.1-1ubuntu10.5
libavcodec-dev 3:0.cvs20050918-4ubuntu1.1
Ubuntu 5.04:
libxine1 1.0-1ubuntu3.9
kino 0.75-6ubuntu0.2
libavcodec-dev 3:0.cvs20050121-1ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References

CVE-2006-4799, CVE-2006-4800