CVE-2011-3504

Publication date 28 September 2011

Last updated 24 July 2024


Ubuntu priority

The Matroska format decoder in FFmpeg before 0.8.3 does not properly allocate memory, which allows remote attackers to execute arbitrary code via a crafted file.

Read the notes from the security team

Status

Package Ubuntu Release Status
ffmpeg 11.10 oneiric Not in release
11.04 natty Not in release
10.10 maverick
Fixed 4:0.6-2ubuntu6.3
10.04 LTS lucid
Fixed 4:0.5.1-1ubuntu1.3
8.04 LTS hardy Ignored end of life
ffmpeg-extra 11.10 oneiric Not in release
11.04 natty Not in release
10.10 maverick
Fixed 4:0.6-2ubuntu3.3
10.04 LTS lucid
Fixed 4:0.5.1-1ubuntu1.3
8.04 LTS hardy Not in release
libav 11.10 oneiric
Not affected
11.04 natty
Fixed 4:0.6.4-0ubuntu0.11.04.1
10.10 maverick Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Not in release
libav-extra 11.10 oneiric
Fixed 4:0.7.3ubuntu0.11.10.1
11.04 natty
Fixed 4:0.6.4-1ubuntu1
10.10 maverick Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Not in release

Notes


mdeslaur

ffmpeg-extra in multiverse needs to have matching version libav-extra is built with tarball produced by libav package


tyhicks

The Mitre description references MSVR11-011, while the upstream commit message references MSVR11-080, which does not exist. I believe there may have been a typo in the commit message. I believe the ffmpeg commit 77d2ef13 was for the 0.8.3 release and 956c901c was the backport for the 0.7.5 release. The older ffmpeg packages in lucid and maverick look to have the same vulnerable code.

References

Related Ubuntu Security Notices (USN)

Other references