CVE-2005-4048 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in FFmpeg
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
Heap-based buffer overflow in the avcodec_default_get_buffer function (utils.c) in FFmpeg libavcodec 0.4.9-pre1 and earlier, as used in products such as (1) mplayer, (2) xine-lib, (3) Xmovie, and (4) GStreamer, allows remote attackers to execute arbitrary code via small PNG images with palettes (the distribution advisories cite a specially crafted 1x1 PNG file containing a palette).
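The mechanism the summary and the advisories below describe, modelled in C as an added example (this is not FFmpeg's code and not the patched utils.c): an allocator that sizes every picture plane from the picture dimensions hands a 1x1 paletted image a second plane of only a few bytes, and the PNG decoder then copies a full 256-entry ARGB palette (1024 bytes, FFmpeg's AVPALETTE_SIZE) into it. The chroma-style sizing formula, the function names, and the 60-byte sample PNG are assumptions constructed for the example; chunk CRCs are not verified and no IDAT is decoded. The hardened path sizes the palette plane from the pixel format rather than the dimensions and bounds-checks the copy instead of trusting the allocator.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of the CVE-2005-4048 sizing mistake, not libavcodec code.
 * AVPALETTE_SIZE matches FFmpeg's constant (256 entries * 4 bytes); the sizing
 * formula, function names and sample file are assumptions made for the example. */
#define AVPALETTE_SIZE         1024
#define PNG_COLOR_TYPE_PALETTE 3
#define STRIDE_ALIGN           16

struct png_info {
    uint32_t width, height;
    uint8_t color_type;
    const uint8_t *plte;   /* points into the input, NULL if absent */
    uint32_t plte_len;     /* bytes, 3 per entry */
};

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Pull IHDR and PLTE from the chunk list, rejecting chunks that run past the
 * buffer and a PLTE of the wrong size. CRCs are not verified. 0 on success. */
int png_parse(const uint8_t *buf, size_t len, struct png_info *out) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
    size_t pos = 8;
    int have_ihdr = 0;
    memset(out, 0, sizeof *out);
    if (len < 8 || memcmp(buf, sig, 8) != 0) return -1;
    while (pos + 12 <= len) {
        uint32_t clen = be32(buf + pos);
        const uint8_t *type = buf + pos + 4, *data = buf + pos + 8;
        if (clen > len - pos - 12) return -1;           /* chunk runs past the input */
        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13) return -1;
            out->width = be32(data);
            out->height = be32(data + 4);
            out->color_type = data[9];
            have_ihdr = 1;
        } else if (memcmp(type, "PLTE", 4) == 0) {
            if (clen == 0 || clen % 3 != 0 || clen > 256 * 3) return -1;
            out->plte = data;
            out->plte_len = clen;
        }
        pos += 12 + clen;
    }
    return have_ihdr ? 0 : -1;
}

/* Dimension-driven sizing (assumed simplification of the original loop): plane 1
 * is sized like a half-resolution chroma plane, 16 bytes for a 1x1 picture. */
size_t plane1_size_vulnerable(uint32_t w, uint32_t h) {
    size_t linesize = ((w + 1) / 2 + STRIDE_ALIGN - 1) / STRIDE_ALIGN * STRIDE_ALIGN;
    return linesize * ((h + 1) / 2);
}

/* Hardened sizing: for PAL8, plane 1 holds the palette, whose size is fixed by
 * the pixel format and independent of the picture dimensions. */
size_t plane1_size_fixed(int is_pal8, uint32_t w, uint32_t h) {
    return is_pal8 ? AVPALETTE_SIZE : plane1_size_vulnerable(w, h);
}

/* The guard the vulnerable path lacked: refuse rather than write past the end,
 * and report how many bytes would have spilled into adjacent heap memory. */
int copy_palette(uint8_t *dst, size_t dst_len, const uint32_t *pal, size_t *spill) {
    *spill = dst_len < AVPALETTE_SIZE ? AVPALETTE_SIZE - dst_len : 0;
    if (*spill) return -1;
    memcpy(dst, pal, AVPALETTE_SIZE);
    return 0;
}

/* Parse, expand PLTE to 256 opaque ARGB entries as a PAL8 decoder does, size
 * plane 1 by one of the two rules, then copy the palette in.
 * Returns 0 (fits), -1 (would overflow by *spill bytes) or -2 (malformed). */
int decode_model(const uint8_t *png, size_t len, int hardened, size_t *spill) {
    struct png_info info;
    uint32_t pal[256] = {0};
    uint8_t *plane1;
    size_t n1;
    int rc;
    *spill = 0;
    if (png_parse(png, len, &info) != 0) return -2;
    if (info.color_type != PNG_COLOR_TYPE_PALETTE) return 0;  /* no palette plane */
    if (!info.plte) return -2;
    for (uint32_t i = 0; i < info.plte_len / 3; i++)
        pal[i] = 0xFF000000u | (uint32_t)info.plte[3 * i] << 16 |
                 (uint32_t)info.plte[3 * i + 1] << 8 | info.plte[3 * i + 2];
    n1 = hardened ? plane1_size_fixed(1, info.width, info.height)
                  : plane1_size_vulnerable(info.width, info.height);
    if (!(plane1 = calloc(n1, 1))) return -2;
    rc = copy_palette(plane1, n1, pal, spill);
    free(plane1);
    return rc;
}

/* Constructed 1x1, 8-bit, colour-type-3 PNG with a one-entry PLTE and no IDAT
 * (pixel data is never decoded here); CRC fields are zero placeholders. */
const uint8_t sample_png[] = {
    0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a,
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 3, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 3, 'P', 'L', 'T', 'E', 0xff, 0x00, 0x00, 0, 0, 0, 0,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0
};
```

With the constructed file, decode_model(sample_png, sizeof sample_png, 0, &spill) returns -1 with spill = 1008, the number of bytes a real memcpy would have written past a 16-byte heap block; with hardened = 1 it returns 0. The point for a reviewer is that the palette length is a property of the pixel format, so the decoder side (which knows it is copying 1024 bytes) must never rely on an allocator that only knows width and height.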
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | | 5
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers: Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attacker's choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2005-230.NASL
description: Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20461
published: 2006-01-15
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20461
title: Mandrake Linux Security Advisory : mplayer (MDKSA-2005:230)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2005:230.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(20461);
  script_version ("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:48");

  script_cve_id("CVE-2005-4048");
  script_xref(name:"MDKSA", value:"2005:230");

  script_name(english:"Mandrake Linux Security Advisory : mplayer (MDKSA-2005:230)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandrake Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which
can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially to compromise a user's system.

The vulnerability is caused due to a boundary error in the
'avcodec_default_get_buffer()' function of 'utils.c' in libavcodec.
This can be exploited to cause a heap-based buffer overflow when a
specially crafted 1x1 '.png' file containing a palette is read.

Mplayer is built with a private copy of ffmpeg containing this same
code.

The updated packages have been patched to prevent this problem."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64postproc0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64postproc0-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libdha1.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpostproc0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpostproc0-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mencoder");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mplayer");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mplayer-gui");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/12/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Local check: needs SSH-collected package data; bail out cleanly otherwise.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# A host is flagged when any installed package is older than the fixed build.
flag = 0;
if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64postproc0-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64postproc0-devel-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libdha1.0-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libpostproc0-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libpostproc0-devel-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"mencoder-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"mplayer-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"mplayer-gui-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2006-174.NASL
description: Gstreamer-ffmpeg uses an embedded copy of ffmpeg and as such has been updated to address the following issue: Multiple buffer overflows in libavcodec in ffmpeg before 0.4.9_p20060530 allow remote attackers to cause a denial of service or possibly execute arbitrary code via multiple unspecified vectors in (1) dtsdec.c, (2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5) smacker.c, (6) tta.c, (7) 4xm.c, (8) alac.c, (9) cook.c, (10) shorten.c, (11) smacker.c, (12) snow.c, and (13) tta.c. NOTE: it is likely that this is a different vulnerability than CVE-2005-4048 and CVE-2006-2802. Updated packages have been patched to correct this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 24560
published: 2007-02-18
reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/24560
title: Mandrake Linux Security Advisory : gstreamer-ffmpeg (MDKSA-2006:174)

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-230-1.NASL
description: Simon Kilvington discovered a buffer overflow in the avcodec_default_get_buffer() function of the ffmpeg library. By tricking an user into opening a malicious movie which contains specially crafted PNG images, this could be exploited to execute arbitrary code with the user
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20773
published: 2006-01-21
reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20773
title: Ubuntu 5.04 : ffmpeg vulnerability (USN-230-1)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200602-01.NASL
description: The remote host is affected by the vulnerability described in GLSA-200602-01 (GStreamer FFmpeg plugin: Heap-based buffer overflow) The GStreamer FFmpeg plugin contains derived code from the FFmpeg library, which is vulnerable to a heap overflow in the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20864
published: 2006-02-06
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/20864
title: GLSA-200602-01 : GStreamer FFmpeg plugin: Heap-based buffer overflow

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2006-176.NASL
description: Xine-lib uses an embedded copy of ffmpeg and as such has been updated to address the following issue: Multiple buffer overflows in libavcodec in ffmpeg before 0.4.9_p20060530 allow remote attackers to cause a denial of service or possibly execute arbitrary code via multiple unspecified vectors in (1) dtsdec.c, (2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5) smacker.c, (6) tta.c, (7) 4xm.c, (8) alac.c, (9) cook.c, (10) shorten.c, (11) smacker.c, (12) snow.c, and (13) tta.c. NOTE: it is likely that this is a different vulnerability than CVE-2005-4048 and CVE-2006-2802. Updated packages have been patched to correct this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 24562
published: 2007-02-18
reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/24562
title: Mandrake Linux Security Advisory : xine-lib (MDKSA-2006:176)

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2005-229.NASL
description: Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20460
published: 2006-01-15
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20460
title: Mandrake Linux Security Advisory : xmovie (MDKSA-2005:229)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-992.NASL
description: Simon Kilvington discovered that specially crafted PNG images can trigger a heap overflow in libavcodec, the multimedia library of ffmpeg, which may lead to the execution of arbitrary code.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22858
published: 2006-10-14
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/22858
title: Debian DSA-992-1 : ffmpeg - buffer overflow

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-230-2.NASL
description: USN-230-1 fixed a vulnerability in the ffmpeg library. The Xine library contains a copy of the ffmpeg code, thus it is vulnerable to the same flaw. For reference, this is the original advisory: Simon Kilvington discovered a buffer overflow in the avcodec_default_get_buffer() function of the ffmpeg library. By tricking an user into opening a malicious movie which contains specially crafted PNG images, this could be exploited to execute arbitrary code with the user
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20774
published: 2006-01-21
reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20774
title: Ubuntu 4.10 / 5.04 / 5.10 : xine-lib vulnerability (USN-230-2)

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2005-232.NASL
description: Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20463
published: 2006-01-15
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20463
title: Mandrake Linux Security Advisory : gstreamer-ffmpeg (MDKSA-2005:232)

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2005-228.NASL
description: Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20459
published: 2006-01-15
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20459
title: Mandrake Linux Security Advisory : xine-lib (MDKSA-2005:228)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200601-06.NASL
description: The remote host is affected by the vulnerability described in GLSA-200601-06 (xine-lib, FFmpeg: Heap-based buffer overflow) Simon Kilvington has reported a vulnerability in FFmpeg libavcodec. The flaw is due to a buffer overflow error in the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20416
published: 2006-01-15
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20416
title: GLSA-200601-06 : xine-lib, FFmpeg: Heap-based buffer overflow

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2006-173.NASL
description: Multiple buffer overflows in libavcodec in ffmpeg before 0.4.9_p20060530 allow remote attackers to cause a denial of service or possibly execute arbitrary code via multiple unspecified vectors in (1) dtsdec.c, (2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5) smacker.c, (6) tta.c, (7) 4xm.c, (8) alac.c, (9) cook.c, (10) shorten.c, (11) smacker.c, (12) snow.c, and (13) tta.c. NOTE: it is likely that this is a different vulnerability than CVE-2005-4048 and CVE-2006-2802. Updated packages have been patched to correct this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 24559
published: 2007-02-18
reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/24559
title: Mandrake Linux Security Advisory : ffmpeg (MDKSA-2006:173)

NASL family: Slackware Local Security Checks
NASL id: SLACKWARE_SSA_2006-207-04.NASL
description: New xine-lib packages are available for Slackware 10.2 and -current to fix security issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22101
published: 2006-07-28
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/22101
title: Slackware 10.2 / current : xine-lib (SSA:2006-207-04)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200603-03.NASL
description: The remote host is affected by the vulnerability described in GLSA-200603-03 (MPlayer: Multiple integer overflows) MPlayer makes use of the FFmpeg library, which is vulnerable to a heap overflow in the avcodec_default_get_buffer() function discovered by Simon Kilvington (see GLSA 200601-06). Furthermore, AFI Security Research discovered two integer overflows in ASF file format decoding, in the new_demux_packet() function from libmpdemux/demuxer.h and the demux_asf_read_packet() function from libmpdemux/demux_asf.c. Impact : An attacker could craft a malicious media file which, when opened using MPlayer, would lead to a heap-based buffer overflow. This could result in the execution of arbitrary code with the permissions of the user running MPlayer. Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21001
published: 2006-03-06
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/21001
title: GLSA-200603-03 : MPlayer: Multiple integer overflows

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2005-231.NASL
description: Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20462
published: 2006-01-15
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20462
title: Mandrake Linux Security Advisory : ffmpeg (MDKSA-2005:231)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-1004.NASL
description: Simon Kilvington discovered that specially crafted PNG images can trigger a heap overflow in libavcodec, the multimedia library of ffmpeg, which may lead to the execution of arbitrary code. The vlc media player links statically against libavcodec.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22546
published: 2006-10-14
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/22546
title: Debian DSA-1004-1 : vlc - buffer overflow

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-1005.NASL
description: Simon Kilvington discovered that specially crafted PNG images can trigger a heap overflow in libavcodec, the multimedia library of ffmpeg, which may lead to the execution of arbitrary code. xine-lib includes a local copy of libavcodec.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22547
published: 2006-10-14
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/22547
title: Debian DSA-1005-1 : xine-lib - buffer overflow

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2006-175.NASL
description: Mplayer uses an embedded copy of ffmpeg and as such has been updated to address the following issue: Multiple buffer overflows in libavcodec in ffmpeg before 0.4.9_p20060530 allow remote attackers to cause a denial of service or possibly execute arbitrary code via multiple unspecified vectors in (1) dtsdec.c, (2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5) smacker.c, (6) tta.c, (7) 4xm.c, (8) alac.c, (9) cook.c, (10) shorten.c, (11) smacker.c, (12) snow.c, and (13) tta.c. NOTE: it is likely that this is a different vulnerability than CVE-2005-4048 and CVE-2006-2802. Updated packages have been patched to correct this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 24561
published: 2007-02-18
reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/24561
title: Mandrake Linux Security Advisory : mplayer (MDKSA-2006:175)
References
- http://article.gmane.org/gmane.comp.video.ffmpeg.devel/26558
- http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/ffmpeg/libavcodec/utils.c.diff?r1=1.161&r2=1.162&cvsroot=FFMpeg
- http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/ffmpeg/libavcodec/utils.c?rev=1.162&content-type=text/x-cvsweb-markup&cvsroot=FFMpeg
- http://www.securityfocus.com/bid/15743
- http://secunia.com/advisories/17892
- http://secunia.com/advisories/18066
- http://secunia.com/advisories/18107
- http://secunia.com/advisories/18087
- http://www.gentoo.org/security/en/glsa/glsa-200602-01.xml
- http://secunia.com/advisories/18739
- http://secunia.com/advisories/18746
- http://www.gentoo.org/security/en/glsa/glsa-200603-03.xml
- http://secunia.com/advisories/19114
- http://www.us.debian.org/security/2006/dsa-992
- http://secunia.com/advisories/19192
- http://www.debian.org/security/2006/dsa-1004
- http://www.debian.org/security/2006/dsa-1005
- http://secunia.com/advisories/19272
- http://secunia.com/advisories/19279
- http://cvs.freedesktop.org/gstreamer/gst-ffmpeg/ChangeLog?rev=1.239&view=markup
- http://www.gentoo.org/security/en/glsa/glsa-200601-06.xml
- http://secunia.com/advisories/18400
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:228
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:229
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:230
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:231
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:232
- http://www.vupen.com/english/advisories/2005/2770
- https://usn.ubuntu.com/230-2/
- https://usn.ubuntu.com/230-1/