FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  452616
Date:      2017-10-21
Time:      23:01:18Z
Committer: cpm

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
046fedd1-bd01-11e5-bbf4-5404a68ad561ffmpeg -- remote attacker can access local files

Arch Linux reports:

ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file, downloading which will send files from a user PC to a remote attacker server. The attack does not even require the user to open that file — for example, KDE Dolphin thumbnail generation is enough.


Discovery 2016-01-13
Entry 2016-01-17
ffmpeg
gt 2.0,1 lt 2.8.5,1

mplayer
mencoder
lt 1.2.r20151219_2

CVE-2016-1897
CVE-2016-1898
ports/206282
https://www.ffmpeg.org/security.html
3d950687-b4c9-4a86-8478-c56743547af8ffmpeg -- multiple vulnerabilities

NVD reports:

The decode_ihdr_chunk function in libavcodec/pngdec.c in FFmpeg before 2.7.2 does not enforce uniqueness of the IHDR (aka image header) chunk in a PNG image, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted image with two or more of these chunks.

Multiple integer underflows in the ff_mjpeg_decode_frame function in libavcodec/mjpegdec.c in FFmpeg before 2.7.2 allow remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted MJPEG data.

The ff_sbr_apply function in libavcodec/aacsbr.c in FFmpeg before 2.7.2 does not check for a matching AAC frame syntax element before proceeding with Spectral Band Replication calculations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted AAC data.

The ff_mpv_common_init function in libavcodec/mpegvideo.c in FFmpeg before 2.7.2 does not properly maintain the encoding context, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via crafted MPEG data.

The destroy_buffers function in libavcodec/sanm.c in FFmpeg before 2.7.2 does not properly maintain height and width values in the video context, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via crafted LucasArts Smush video data.

The allocate_buffers function in libavcodec/alac.c in FFmpeg before 2.7.2 does not initialize certain context data, which allows remote attackers to cause a denial of service (segmentation violation) or possibly have unspecified other impact via crafted Apple Lossless Audio Codec (ALAC) data.

The sws_init_context function in libswscale/utils.c in FFmpeg before 2.7.2 does not initialize certain pixbuf data structures, which allows remote attackers to cause a denial of service (segmentation violation) or possibly have unspecified other impact via crafted video data.

The ff_frame_thread_init function in libavcodec/pthread_frame.c in FFmpeg before 2.7.2 mishandles certain memory-allocation failures, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via a crafted file, as demonstrated by an AVI file.

The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c in FFmpeg before 2.7.2 does not initialize certain structure members, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via crafted (1) RV30 or (2) RV40 RealVideo data.


Discovery 2015-09-05
Entry 2015-09-20
Modified 2015-09-20
libav
ge 0

gstreamer1-libav
lt 1.5.90

gstreamer-ffmpeg
ge 0

handbrake
ge 0

ffmpeg
lt 2.7.2,1

ffmpeg26
lt 2.6.4

ffmpeg25
lt 2.5.8

ffmpeg24
lt 2.4.11

ffmpeg-devel
ffmpeg23
ffmpeg2
ffmpeg1
ffmpeg-011
ffmpeg0
ge 0

avidemux
avidemux2
avidemux26
lt 2.6.11

kodi
lt 15.1

mplayer
mencoder
lt 1.1.r20150822

mythtv
mythtv-frontend
ge 0

plexhometheater
ge 0

CVE-2015-6818
CVE-2015-6819
CVE-2015-6820
CVE-2015-6821
CVE-2015-6822
CVE-2015-6823
CVE-2015-6824
CVE-2015-6825
CVE-2015-6826
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=47f4e2d8960ca756ca153ab8e3e93d80449b8c91
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=84afc6b70d24fc0bf686e43138c96cf60a9445fe
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=79a98294da6cd85f8c86b34764c5e0c43b09eea3
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=b160fc290cf49b516c5b6ee0730fd9da7fc623b1
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=39bbdebb1ed8eb9c9b0cd6db85afde6ba89d86e4
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f7068bf277a37479aecde2832208d820682b35e6
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a5d44d5c220e12ca0cb7a4eceb0f74759cb13111
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f1a38264f20382731cf2cc75fdd98f4c9a84a626
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3197c0aa87a3b7190e17d49e6fbc7b554e4b3f0a
https://ffmpeg.org/security.html
4bae544d-06a3-4352-938c-b3bcbca89298ffmpeg -- multiple vulnerabilities

NVD reports:

The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.8.4 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data.

The ff_get_buffer function in libavcodec/utils.c in FFmpeg before 2.8.4 preserves width and height values after a failure, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted .mov file.


Discovery 2015-12-20
Entry 2015-12-28
libav
ge 0

gstreamer-ffmpeg
ge 0

handbrake
ge 0

ffmpeg
ge 2.8,1 lt 2.8.4,1

lt 2.7.4,1

ffmpeg26
lt 2.6.6

ffmpeg25
lt 2.5.9

ffmpeg24
lt 2.4.12

ffmpeg-devel
ffmpeg23
ffmpeg2
ffmpeg1
ffmpeg-011
ffmpeg0
ge 0

avidemux
avidemux2
avidemux26
ge 0

kodi
lt 16.0

mplayer
mencoder
lt 1.2.r20151219_1

mythtv
mythtv-frontend
ge 0

plexhometheater
ge 0

CVE-2015-8662
CVE-2015-8663
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=75422280fbcdfbe9dc56bde5525b4d8b280f1bc5
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=abee0a1c60612e8638640a8a3738fffb65e16dbf
https://ffmpeg.org/security.html
65b14d39-d01f-419c-b0b8-5df60b929973ffmpeg -- multiple vulnerabilities

Please reference CVE/URL list for details


Discovery 2015-03-12
Entry 2015-06-02
ffmpeg
ffmpeg0
lt 0.7.17,1

CVE-2012-5150
CVE-2014-4609
CVE-2014-8541
CVE-2014-8542
CVE-2014-8543
CVE-2014-8545
CVE-2014-8547
CVE-2014-8548
CVE-2014-9316
CVE-2014-9317
CVE-2014-9603
CVE-2015-1872
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c3ece52decafc4923aebe7fd74b274e9ebb1962e
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=1b291e0466308b341bc2e8c2a49d44862400f014
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=b5e661bcd2bb4fe771cb2c1e21215c68e6a17665
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=cd3c4d8c55222337b0b59af4ea1fecfb46606e5e
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=73962e677d871fa0dde5385ee04ea07c048d8864
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=7a5590ef4282e19d48d70cba0bc4628c13ec6fd8
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=ef32bc8dde52439afd13988f56012a9f4dd55a83
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=5b2097626d0e4ccb432d7d8ab040aa8dbde9eb3a
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=30e8a375901f8802853fd6d478b77a127d208bd6
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=cb1db92cca98f963e91f421ee0c84f8866325a73
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=fac6f744d8170585f05e098ce9c9f27eeffa818e
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=75b0cfcf105c8720a47a2ee80a70ba16799d71b7
https://ffmpeg.org/security.html
6733e1bf-125f-11de-a964-0030843d3802ffmpeg -- 4xm processing memory corruption vulnerability

Secunia reports:

Tobias Klein has reported a vulnerability in FFmpeg, which potentially can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to a signedness error within the "fourxm_read_header()" function in libavformat/4xm.c. This can be exploited to corrupt arbitrary memory via a specially crafted 4xm file.


Discovery 2009-01-28
Entry 2009-03-16
ffmpeg
lt 2008.07.27_9

33502
CVE-2009-0385
http://secunia.com/advisories/33711/
http://trapkit.de/advisories/TKADV2009-004.txt
6ac79ed8-ccc2-11e5-932b-5404a68ad561ffmpeg -- remote denial of service in JPEG2000 decoder

FFmpeg security reports:

FFmpeg 2.8.6 fixes the following vulnerabilities: CVE-2016-2213


Discovery 2016-01-27
Entry 2016-02-06
ffmpeg
lt 2.8.6,1

mplayer
mencoder
lt 1.2.r20151219_3

CVE-2016-2213
https://www.ffmpeg.org/security.html
7f9b696f-f11b-11e6-b50e-5404a68ad561ffmpeg -- heap overflow in lavf/mov.c

FFmpeg security reports:

FFmpeg 3.2.4 fixes the following vulnerabilities: CVE-2017-5024, CVE-2017-5025


Discovery 2017-01-25
Entry 2017-02-12
ffmpeg
lt 3.2.4,1

CVE-2017-5024
https://www.ffmpeg.org/security.html
https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html
CVE-2017-5025
https://www.ffmpeg.org/security.html
https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html
80c66af0-d1c5-449e-bd31-63b12525ff88ffmpeg -- out-of-bounds array access

NVD reports:

The msrle_decode_pal4 function in msrledec.c in Libav before 10.7 and 11.x before 11.4 and FFmpeg before 2.0.7, 2.2.x before 2.2.15, 2.4.x before 2.4.8, 2.5.x before 2.5.6, and 2.6.x before 2.6.2 allows remote attackers to have unspecified impact via a crafted image, related to a pixel pointer, which triggers an out-of-bounds array access.


Discovery 2015-04-12
Entry 2015-09-01
Modified 2015-09-20
libav
ge 11.0 lt 11.4

lt 10.7

gstreamer1-libav
lt 1.5.1

handbrake
ge 0

ffmpeg
ge 2.2.0,1 lt 2.2.15,1

lt 2.0.7,1

ffmpeg26
lt 2.6.2

ffmpeg25
lt 2.5.6

ffmpeg24
lt 2.4.8

ffmpeg23
ge 0

ffmpeg1
ge 0

avidemux
avidemux26
lt 2.6.11

kodi
lt 15.1

mplayer
mencoder
lt 1.1.r20150403

mythtv
mythtv-frontend
ge 0

CVE-2015-3395
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f7e1367f58263593e6cee3c282f7277d7ee9d553
https://git.libav.org/?p=libav.git;a=commit;h=5ecabd3c54b7c802522dc338838c9a4c2dc42948
https://ffmpeg.org/security.html
https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.4
964161cd-6715-11da-99f6-00123ffe8333ffmpeg -- libavcodec buffer overflow vulnerability

Secunia reports:

Simon Kilvington has reported a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

The vulnerability is caused due to a boundary error in the "avcodec_default_get_buffer()" function of "utils.c" in libavcodec. This can be exploited to cause a heap-based buffer overflow when a specially-crafted 1x1 ".png" file containing a palette is read.


Discovery 2005-11-30
Entry 2005-12-07
ffmpeg
lt 0.4.9.p1_4

ffmpeg-devel
lt 0.4.9.c.2005120600

http://article.gmane.org/gmane.comp.video.ffmpeg.devel/26558
http://secunia.com/advisories/17892/
b0da85af-21a3-4c15-a137-fe9e4bc86002ffmpeg -- multiple vulnerabilities

NVD reports:

The update_dimensions function in libavcodec/vp8.c in FFmpeg through 2.8.1, as used in Google Chrome before 46.0.2490.71 and other products, relies on a coefficient-partition count during multi-threaded operation, which allows remote attackers to cause a denial of service (race condition and memory corruption) or possibly have unspecified other impact via a crafted WebM file.

The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg before 2.8.2 omits certain width and height checks, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted MJPEG data.

The ff_hevc_parse_sps function in libavcodec/hevc_ps.c in FFmpeg before 2.8.2 does not validate the Chroma Format Indicator, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted High Efficiency Video Coding (HEVC) data.

The decode_uncompressed function in libavcodec/faxcompr.c in FFmpeg before 2.8.2 does not validate uncompressed runs, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted CCITT FAX data.

The init_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.8.2 does not enforce minimum-value and maximum-value constraints on tile coordinates, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data.

The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via a crafted image with two or more of these markers.

Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via crafted image dimensions in Indeo Video Interactive data.

The smka_decode_frame function in libavcodec/smacker.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not verify that the data size is consistent with the number of channels, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Smacker data.


Discovery 2015-11-27
Entry 2015-12-02
Modified 2015-12-28
libav
ge 0

gstreamer-ffmpeg
ge 0

handbrake
ge 0

ffmpeg
ge 2.8,1 lt 2.8.3,1

lt 2.7.3,1

ffmpeg26
lt 2.6.5

ffmpeg25
lt 2.5.9

ffmpeg24
lt 2.4.12

ffmpeg-devel
ffmpeg23
ffmpeg2
ffmpeg1
ffmpeg-011
ffmpeg0
ge 0

avidemux
avidemux2
avidemux26
ge 0

kodi
lt 16.0

mplayer
mencoder
lt 1.1.r20150822_7

mythtv
mythtv-frontend
ge 0

plexhometheater
ge 0

CVE-2015-6761
CVE-2015-8216
CVE-2015-8217
CVE-2015-8218
CVE-2015-8219
CVE-2015-8363
CVE-2015-8364
CVE-2015-8365
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=dabea74d0e82ea80cd344f630497cafcb3ef872c
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d24888ef19ba38b787b11d1ee091a3d94920c76a
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=93f30f825c08477fe8f76be00539e96014cc83c8
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d4a731b84a08f0f3839eaaaf82e97d8d9c67da46
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=43492ff3ab68a343c1264801baa1d5a02de10167
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=44a7f17d0b20e6f8d836b2957e3e357b639f19a2
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=df91aa034b82b77a3c4e01791f4a2b2ff6c82066
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=4a9af07a49295e014b059c1ab624c40345af5892
https://ffmpeg.org/security.html
da434a78-e342-4d9a-87e2-7497e5f117baffmpeg -- use-after-free

NVD reports:

Use-after-free vulnerability in the ff_h264_free_tables function in libavcodec/h264.c in FFmpeg before 2.3.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted H.264 data in an MP4 file, as demonstrated by an HTML VIDEO element that references H.264 data.


Discovery 2014-12-19
Entry 2015-09-01
libav
ge 11.0 lt 11.4

lt 10.7

gstreamer1-libav
lt 1.5.0

handbrake
ge 0

ffmpeg
ge 2.2.0,1 lt 2.2.12,1

ge 2.1.0,1 lt 2.1.7,1

lt 2.0.7,1

ffmpeg25
lt 2.5.2

ffmpeg24
lt 2.4.5

ffmpeg23
lt 2.3.6

ffmpeg1
lt 1.2.11

mythtv
mythtv-frontend
ge 0

CVE-2015-3417
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e8714f6f93d1a32f4e4655209960afcf4c185214
https://git.libav.org/?p=libav.git;a=commitdiff;h=3b69f245dbe6e2016659a45c4bfe284f6c5ac57e
https://ffmpeg.org/security.html
https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.4
ea2ddc49-3e8e-11e1-8095-5404a67eef98ffmpeg -- multiple vulnerabilities

Ubuntu Security Notice USN-1320-1 reports:

Phillip Langlois discovered that FFmpeg incorrectly handled certain malformed QDM2 streams. If a user were tricked into opening a crafted QDM2 stream file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-4351)

Phillip Langlois discovered that FFmpeg incorrectly handled certain malformed VP3 streams. If a user were tricked into opening a crafted file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-4352)

Phillip Langlois discovered that FFmpeg incorrectly handled certain malformed VP5 and VP6 streams. If a user were tricked into opening a crafted file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-4353)

It was discovered that FFmpeg incorrectly handled certain malformed VMD files. If a user were tricked into opening a crafted VMD file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-4364)

Phillip Langlois discovered that FFmpeg incorrectly handled certain malformed SVQ1 streams. If a user were tricked into opening a crafted SVQ1 stream file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2011-4579)


Discovery 2011-09-14
Entry 2012-01-14
ffmpeg
lt 0.7.11,1

CVE-2011-4351
CVE-2011-4352
CVE-2011-4353
CVE-2011-4364
CVE-2011-4579
http://www.ubuntu.com/usn/usn-1320-1