Published: 2005-12-07 06:03:00
Revised: 2011-10-17 00:00:00

[Original] Heap-based buffer overflow in the avcodec_default_get_buffer function (utils.c) in FFmpeg libavcodec 0.4.9-pre1 and earlier, as used in products such as (1) mplayer, (2) xine-lib, (3) Xmovie, and (4) GStreamer, allows remote attackers to execute arbitrary commands via small PNG images with palettes.

[CNNVD] FFmpeg LibAVCodec heap overflow vulnerability (CNNVD-200512-133)


- CVSS (Base score)

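CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]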

- CWE (Weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (Affected platforms and products)

cpe:/a:ffmpeg:ffmpeg:0.4.8 FFmpeg 0.4.8
cpe:/a:ffmpeg:ffmpeg:0.4.9_pre1 FFmpeg FFmpeg 0.4.9 pre1
cpe:/a:ffmpeg:ffmpeg:0.4.7 FFmpeg 0.4.7
cpe:/a:ffmpeg:ffmpeg:0.4.6 FFmpeg 0.4.6

- OVAL (Technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(PATCH)  BID  15743

- Vulnerability information

FFmpeg LibAVCodec heap overflow vulnerability
High risk  Buffer overflow
2005-12-07 00:00:00 2006-06-09 00:00:00

- Advisories and patches


- Vulnerability information (F44564)

Debian Linux Security Advisory 992-1 (PacketStormID:F44564)
2006-03-11 00:00:00

Debian Security Advisory DSA 992-1 - Simon Kilvington discovered that specially crafted PNG images can trigger a heap overflow in libavcodec, the multimedia library of ffmpeg, which may lead to the execution of arbitrary code.

- --------------------------------------------------------------------------
Debian Security Advisory DSA 992-1                                    Moritz Muehlenhoff
March 10th, 2006              
- --------------------------------------------------------------------------

Package        : ffmpeg
Vulnerability  : buffer overflow
Problem-Type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2005-4048
Debian Bug     : 342207

Simon Kilvington discovered that specially crafted PNG images can trigger
a heap overflow in libavcodec, the multimedia library of ffmpeg, which may
lead to the execution of arbitrary code.

The old stable distribution (woody) doesn't contain ffmpeg packages.

For the stable distribution (sarge) this problem has been fixed in
version 0.cvs20050313-2sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 0.cvs20050918-5.1.

We recommend that you upgrade your ffmpeg package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>

- Vulnerability information (F42302)

Ubuntu Security Notice 230-1 (PacketStormID:F42302)
2005-12-15 00:00:00

Ubuntu Security Notice USN-230-1 - Simon Kilvington discovered a buffer overflow in the avcodec_default_get_buffer() function of the ffmpeg library. By tricking a user into opening a malicious movie which contains specially crafted PNG images, this could be exploited to execute arbitrary code with the user's privileges.

Ubuntu Security Notice USN-230-1	  December 14, 2005
ffmpeg vulnerability

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:


The problem can be corrected by upgrading the affected package to
version 3:0.cvs20050121-1ubuntu1.1 (libavcodec-dev), and
0.75-6ubuntu0.1 (kino).  In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Simon Kilvington discovered a buffer overflow in the
avcodec_default_get_buffer() function of the ffmpeg library. By
tricking a user into opening a malicious movie which contains
specially crafted PNG images, this could be exploited to execute
arbitrary code with the user's privileges.

- Vulnerability information

FFmpeg libavcodec avcodec_default_get_buffer Function Overflow
Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-11-30 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

FFmpeg LibAVCodec Heap Buffer Overflow Vulnerability
Boundary Condition Error 15743
Yes No
2005-12-06 12:00:00 2007-01-04 06:27:00
Simon Kilvington disclosed this issue to the vendor.

- Affected program versions

VLC VLC 0.8.5
VLC VLC 0.8.4
VLC VLC 0.8.1
Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Slackware Linux 10.2
Slackware Linux -current
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
Gentoo Linux
FFmpeg FFmpeg 0.8.7
FFmpeg FFmpeg 0.4.9 -pre1
FFmpeg FFmpeg 0.4.8
FFmpeg FFmpeg 0.4.7
FFmpeg FFmpeg 0.4.6
FFmpeg FFmpeg CVS
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
FFmpeg FFmpeg 2005-03-13
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
FFmpeg FFmpeg 0.8.7 -r1

- Unaffected program versions

FFmpeg FFmpeg 0.8.7 -r1

- Vulnerability discussion

FFmpeg's 'libavcodec' is prone to a heap buffer-overflow vulnerability. This issue is due to the library's failure to properly bounds-check user-supplied data before using it in memory allocation and copy operations.

Attackers may exploit this vulnerability to execute arbitrary code in the context of applications that use an affected version of the libavcodec library.

An attacker can exploit this issue by enticing a user to open a malformed PNG file with an application that uses a vulnerable version of libavcodec. If the application is configured as the default handler for PNG files, this could present a viable web or email attack vector -- when the PNG is clicked from an appropriate client application, the application using the vulnerable library will automatically be invoked.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at:

- Solution

NOTE: A fix for this issue has been committed to FFmpeg's CVS repository on December 2, 2005. Users of libavcodec built from sources retrieved before this date are encouraged to update their library. The patch from FFmpeg is available from:

Please see the referenced advisories for more information.

FFmpeg FFmpeg CVS

FFmpeg FFmpeg 2005-03-13

FFmpeg FFmpeg 0.4.8

FFmpeg FFmpeg 0.4.9 -pre1

VLC VLC 0.8.1

- Related references