News | About | Download | Documentation | Bug Reports | Contact | Consulting | Projects | Legal | Security | FATE

FFmpeg Security

FFmpeg 0.10

0.10

Fixes following vulnerabilities:

CVE-2011-3929, CVE-2011-3934, CVE-2011-3935, CVE-2011-3936,
CVE-2011-3937, CVE-2011-3940, CVE-2011-3941, CVE-2011-3944,
CVE-2011-3945, CVE-2011-3946, CVE-2011-3947, CVE-2011-3949,
CVE-2011-3950, CVE-2011-3951, CVE-2011-3952

and several others that do not have a CVE number. Many of these issues can be exploited when a remote file is played back and some are probable arbitrary code execution vulnerabilities.

FFmpeg 0.10 is unaffected by:

CVE-2011-3930, CVE-2011-3931, CVE-2011-3932, CVE-2011-3933,
CVE-2011-3938, CVE-2011-3939, CVE-2011-3942, CVE-2011-3943,
CVE-2011-3948.

FFmpeg 0.9

0.9.1

Fixes following vulnerabilities:

CVE-2011-3893, CVE-2011-3895,

CVE-2012-0847 FFmpeg ae21776207e8a2bbe268e7c9e203f7599dd87ddb lavfi:
add missing check in avfilter_filter_samples()

CVE-2012-0848 FFmpeg 5257743aee0c3982f0079e6553aabc6aa39401d2 ws_snd1:
Fix wrong samples count and crash.

CVE-2012-0849 FFmpeg 1f99939a6361e2e6d6788494dd7c682b051c6c34 j2kdec:
Fix integer overflow leading to a segfault

CVE-2012-0850 FFmpeg 944f5b2779e4aa63f7624df6cd4de832a53db81b aacsbr:
Fix memory corruption.

CVE-2012-0851 FFmpeg 7fff64e00d886fde11d61958888c82b461cf99b9 h264:
check chroma_format_idc range.

CVE-2012-0852 FFmpeg 608708009f69ba4cecebf05120c696167494c897 adpcm:
Fix crash

CVE-2012-0853 FFmpeg 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016 atrac3:
Fix crash in tonal component decoding.

CVE-2012-0854 FFmpeg 6d8e6fe9dbc365f50521cf0c4a5ffee97c970cb5
CODEC_ID_SOL_DPCM: Fix used write buffer.

CVE-2012-0855 FFmpeg 3eedf9f716733b3b4c5205726d2c1ca52b3d3d78 j2kdec:
Check curtileno for validity

CVE-2012-0856 FFmpeg 21270cffaeab2f67a613907516b2b0cd6c9eacf4 h263dec:
Fix regression / crash with lowres.

CVE-2012-0857 FFmpeg 282bb02839b1ce73963c8e3ee46804f1ade8b12a j2kdec:
Fix crash in get_qcx

CVE-2012-0858 FFmpeg 18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c shorten:
Fix invalid free()

CVE-2012-0859 FFmpeg 6fcf2bb8af0e7d6bb179e71e67e5fab8ef0d2ec2 vorbis:
Fix last quarter of CVE-2011-3893

and more security issues that have no CVE number. Many of these issues can be exploited when a remote file is played back and a few are probable arbitrary code execution vulnerabilities

FFmpeg 0.8

0.8.11

Fixes following vulnerabilities:

CVE-2012-0853, CVE-2012-0858, CVE-2011-3929, CVE-2011-3936,
CVE-2011-3937, CVE-2011-3940, CVE-2011-3945, CVE-2011-3947
Several security issues that dont have CVE numbers.

0.8.10

Fixes CVE-2011-3893 and CVE-2011-3895, and many more

0.8.7

Fixes CVE-2011-4352/NGS00145, CVE-2011-4579/NGS00148, CVE-2011-4351, NGS00144, CVE-2011-4353 among others

0.8.6

Fixes CVE-2011-3892 among others

0.8.5

Fixes CVE-2011-4364 among others

FFmpeg 0.7

0.7.12

Fixes following vulnerabilities:

CVE-2012-0853, CVE-2012-0858, CVE-2011-3929, CVE-2011-3936,
CVE-2011-3937, CVE-2011-3940, CVE-2011-3945, CVE-2011-3947
Several security issues that dont have CVE numbers.

0.7.11

Fixes CVE-2011-3893 and CVE-2011-3895, and many more

0.7.8

Fixes CVE-2011-4352, CVE-2011-4579, CVE-2011-4351, CVE-2011-4353

0.7.7

Fixes CVE-2011-3892

0.7.6

Fixes CVE-2011-4364 among others

FFmpeg 0.6

0.6.5

Fixes CVE-2011-3892, CVE-2011-3893, CVE-2011-3895

0.6.4

Fixes CVE-2011-4352, CVE-2011-4579, CVE-2011-4353, CVE-2011-4351, CVE-2011-4364

FFmpeg 0.5

0.5.8

Fixes CVE-2011-3892, CVE-2011-3893, CVE-2011-3895

0.5.7

CVE-2011-4353

0.5.6

Fixes CVE-2011-4579, CVE-2011-4351

0.5.5

Fixes CVE-2011-3504, CVE-2011-3362, CVE-2011-3973, CVE-2011-3974

0.5.4

Fixes CVE-2010-3908, CVE-2011-0722, CVE-2010-4704, CVE-2011-0480, CVE-2011-0723