ffmpeg vulnerability and version disparity

Mark Foster mark at foster.cc
Sun Feb 8 16:31:39 PST 2009

ffmpeg has 3 announced vulnerabilities in this past month.
Here is just the latest...
09.6.23 CVE: Not Available
Platform: Cross Platform
Title: FFmpeg "libavformat/4xm.c" Remote Code Execution
Description: FFmpeg is an application used to record, convert, and
stream audio and video. The application is exposed to a remote code
execution issue because it fails to adequately validate user-supplied
input. This issue occurs in the "libavformat/4xm.c" source file, and
occurs because of a NULL pointer dereference error. FFmpeg trunk
revision versions prior to 16846 are vulnerable.
Ref: http://www.trapkit.de/advisories/TKADV2009-004.txt 

Normally I would submit a vuxml entry, but not sure how to indicate the 
proper "fixed" version since the port uses *2008.07.27_7* while the 
fixed version is revision 16846.

How do we reconcile this?

Realization #2031: That the "meaning of life" is now just another Google search.
Mark D. Foster <mark at foster.cc>  
http://mark.foster.cc/ | http://conshell.net/

More information about the freebsd-multimedia mailing list