FFmpeg 0.10 "Freedom" released - Update
Just over six weeks after after FFmpeg 0.9 "Harmony" arrived, the FFmpeg development team has announced the release of version 0.10 of its open source video codec tools and libraries. FFmpeg is used to record, convert and stream audio and video files in various formats, and is used by several popular open source software projects including the VLC Media Player, MPlayer, Perian and others.
Code-named "Freedom", the latest stable release includes several new encoders and decoders that add support for additional formats: XWD, y41p Brooktree Uncompressed, v308 Quicktime Uncompressed and ffwavesynth are among the new formats supported. A new OpenMG Audio muxer has been added, as have filters for thumbnail video, asplit audio, tinterlace video and astreamsync audio. The new version also closes 15 security holes; however, specific details of the vulnerabilities addressed are not provided.
A detailed list of changes and fixes can be found in the change log. FFmpeg 0.10 is available to download from the project's site. As usual, the developers advise all users, distributors and system integrators to upgrade, unless they use the current git master.
Update – Details of the security holes are now available. Security services company Secunia rates as the collection of issues as "highly critical" because some include the ability to potentially inject malicious code.
For example, a boundary error in the "nsv_read_chunk" function can be exploited to cause an out of bounds write using specially crafted files. A similar issue exists with the "decode_mb" and can be used for an out of bounds write. In all, 17 errors are listed by Secunia, with fifteen of them credited to Mateusz "j00ru" Jurczyk and Gynvael Coldwind and two to John Villamil.