FFmpeg updates fix security bugs
Versions 0.7.8 and 0.8.7 of the open source FFmpeg tool and library collection have been released. According to a news post on the project's homepage, the maintenance and security updates to the 0.7.x and 0.8.x branches of FFmpeg fix a number of bugs found in the previous releases and address three vulnerabilities.
The updates correct issues that could be exploited by an attacker to cause a denial-of-service (DoS) condition or potentially compromise an application that uses FFmpeg. Well-known open source software that uses the library collection includes the VLC Media Player, MPlayer and Perian. An attack on FFmpeg would typically require the user to open a maliciously crafted media file or streaming URL.
The vulnerabilities addressed in the updates include errors in the QDM2 decoder and the "vp3_dequant()" function that could be used to trigger a buffer overflow, as well as a problem in a number of functions that could lead to out-of-bounds reads. More details about the releases, including a full list of fixes and other changes, can be found in the 0.7.8 and 0.8.7 change logs. Versions 0.7.8 and 0.8.7 are available from the project's Get FFmpeg page. The developers advise all users, distributors and system integrators to upgrade, unless they use the current git master. FFmpeg is licensed under the LGPL or GPL depending upon the configuration used.
- FFmpeg Multiple Vulnerabilities, security advisory from Secunia.