CVE-2011-4352

Publication date 25 November 2011

Last updated 24 July 2024

Ubuntu priority

Medium

Why this priority?

Integer overflow in the vp3_dequant function in the VP3 decoder (vp3.c) in libavcodec in FFmpeg 0.5.x before 0.5.7, 0.6.x before 0.6.4, 0.7.x before 0.7.9, and 0.8.x before 0.8.8; and in Libav 0.5.x before 0.5.6, 0.6.x before 0.6.4, and 0.7.x before 0.7.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VP3 stream, which triggers a buffer overflow.

Read the notes from the security team

Status

Package Ubuntu Release Status
ffmpeg 11.10 oneiric Not in release
11.04 natty Not in release
10.10 maverick
Fixed 4:0.6-2ubuntu6.3
10.04 LTS lucid
Not affected
8.04 LTS hardy Ignored end of life
ffmpeg-extra 11.10 oneiric Not in release
11.04 natty Not in release
10.10 maverick
Fixed 4:0.6-2ubuntu3.3
10.04 LTS lucid
Not affected
8.04 LTS hardy Not in release
libav 11.10 oneiric
Fixed 4:0.7.3-0ubuntu0.11.10.1
11.04 natty
Fixed 4:0.6.4-0ubuntu0.11.04.1
10.10 maverick Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Not in release
libav-extra 11.10 oneiric
Fixed 4:0.7.3ubuntu0.11.10.1
11.04 natty
Fixed 4:0.6.4-1ubuntu1
10.10 maverick Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Not in release

Notes

mdeslaur

ffmpeg-extra in multiverse needs to have matching version libav-extra is built with tarball produced by libav package libav doesn't seem to have equivalent patch yet as of 2012-12-22 See thread: http://thread.gmane.org/gmane.comp.video.libav.devel/15121 this fixes NGS00145

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
ffmpeg
libav

References

Related Ubuntu Security Notices (USN)

Other references