FFmpeg updates close security holes
In a post on its homepage, the FFmpeg project development team has announced the release of two point updates to FFmpeg to address even more security issues; the latest updates come just two weeks after 0.7.4 and 0.8.3 closed an integer underflow error, a signedness bug and a memory allocation vulnerability.
FFmpeg 0.7.5 "Peace" and 0.8.4 "Love" close a number of holes in the "svq3_get_se_golomb()" function which could be used by a remote attacker to compromise an application. For an attack to be successful, a victim must first open a specially crafted media file. Versions up to and including 0.7.4 and 0.8.3 are affected. The developers note that the updates also include bug fixes and some backported features, such as speex encoding support through libspeex.
FFmpeg is a free tool and library collection used to record, convert and stream audio and video files in various formats. It is used by several popular open source software projects including the VLC Media Player, MPlayer, Perian and others.
More details about the updates can be found in the change logs for 0.7.5 and 0.8.4 . Versions 0.7.5 and 0.8.4 are available from the project's download page. FFmpeg is licensed under the LGPL or GPL depending upon the configuration used.
- FFmpeg Multiple Vulnerabilities, security advisory from Secunia.