GLSA 201603-06: FFmpeg: Multiple vulnerabilities

Severity:	normal
Title:	FFmpeg: Multiple vulnerabilities
Date:	03/12/2016
Bugs:	#485228, #486692, #488052, #492742, #493452, #494038, #515282, #520132, #536218, #537558, #548006, #553734
ID:	201603-06

Synopsis

Multiple vulnerabilities have been found in FFmpeg, the worst of which could lead to arbitrary code execution or Denial of Service condition.

Background

FFmpeg is a complete, cross-platform solution to record, convert and stream audio and video.

Affected packages

Package	Vulnerable	Unaffected	Architecture(s)
media-video/ffmpeg	< 2.6.3	>= 2.6.3	All supported architectures

Description

Multiple vulnerabilities have been discovered in FFmpeg. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could possibly execute arbitrary code or cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All FFmpeg users should upgrade to the latest version:

      # emerge --sync
      # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-2.6.3"
    

References

• CVE-2013-0860
• CVE-2013-0861
• CVE-2013-0862
• CVE-2013-0863
• CVE-2013-0864
• CVE-2013-0865
• CVE-2013-0866
• CVE-2013-0867
• CVE-2013-0868
• CVE-2013-0872
• CVE-2013-0873
• CVE-2013-0874
• CVE-2013-0875
• CVE-2013-0876
• CVE-2013-0877
• CVE-2013-0878
• CVE-2013-4263
• CVE-2013-4264
• CVE-2013-4265
• CVE-2013-7008
• CVE-2013-7009
• CVE-2013-7010
• CVE-2013-7011
• CVE-2013-7012
• CVE-2013-7013
• CVE-2013-7014
• CVE-2013-7015
• CVE-2013-7016
• CVE-2013-7017
• CVE-2013-7018
• CVE-2013-7019
• CVE-2013-7020
• CVE-2013-7021
• CVE-2013-7022
• CVE-2013-7023
• CVE-2013-7024
• CVE-2014-2097
• CVE-2014-2098
• CVE-2014-2263
• CVE-2014-5271
• CVE-2014-5272
• CVE-2014-7937
• CVE-2014-8541
• CVE-2014-8542
• CVE-2014-8543
• CVE-2014-8544
• CVE-2014-8545
• CVE-2014-8546
• CVE-2014-8547
• CVE-2014-8548
• CVE-2014-8549
• CVE-2014-9316
• CVE-2014-9317
• CVE-2014-9318
• CVE-2014-9319
• CVE-2014-9602
• CVE-2014-9603
• CVE-2014-9604
• CVE-2015-3395

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201603-06.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.