GLSA-200601-06 : xine-lib, FFmpeg: Heap-based buffer overflow
High Nessus Plugin ID 20416
SynopsisThe remote Gentoo host is missing one or more security-related patches.
DescriptionThe remote host is affected by the vulnerability described in GLSA-200601-06 (xine-lib, FFmpeg: Heap-based buffer overflow)
Simon Kilvington has reported a vulnerability in FFmpeg libavcodec. The flaw is due to a buffer overflow error in the 'avcodec_default_get_buffer()' function. This function doesn't properly handle specially crafted PNG files as a result of a heap overflow.
A remote attacker could entice a user to run an FFmpeg based application on a maliciously crafted PNG file, resulting in the execution of arbitrary code with the permissions of the user running the application.
There is no known workaround at this time.
SolutionAll xine-lib users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=media-libs/xine-lib-1.1.1-r3' All FFmpeg users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=media-video/ffmpeg-0.4.9_p20051216'