CVE-2011-3974

Publication date 2 October 2011

Last updated 24 July 2024

Ubuntu priority

Integer signedness error in the decode_residual_inter function in cavsdec.c in libavcodec in FFmpeg before 0.7.4 and 0.8.x before 0.8.3 allows remote attackers to cause a denial of service (incorrect write operation and application crash) via an invalid bitstream in a Chinese AVS video (aka CAVS) file, a different vulnerability than CVE-2011-3362.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
ffmpeg	11.10 oneiric	Not in release
	11.04 natty	Not in release
	10.10 maverick	Not affected
	10.04 LTS lucid	Not affected
	8.04 LTS hardy	Ignored end of life
ffmpeg-extra	11.10 oneiric	Not in release
	11.04 natty	Not in release
	10.10 maverick	Not affected
	10.04 LTS lucid	Not affected
	8.04 LTS hardy	Not in release
libav	11.10 oneiric	Not affected
	11.04 natty	Not affected
	10.10 maverick	Not in release
	10.04 LTS lucid	Not in release
	8.04 LTS hardy	Not in release
libav-extra	11.10 oneiric	Not affected
	11.04 natty	Fixed 4:0.6.4-1ubuntu1
	10.10 maverick	Not in release
	10.04 LTS lucid	Not in release
	8.04 LTS hardy	Not in release

Notes

mdeslaur

ffmpeg-extra in multiverse needs to have matching version libav-extra is built with tarball produced by libav package same commit as CVE-2011-3973 this is already fixed in CVE-2011-3362.patch

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
ffmpeg	Upstream: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=bd968d260aef322fb32e254a3de0d2036c57bd56 Vendor: http://lists.debian.org/debian-security-announce/2011/msg00216.html
libav	Upstream: http://git.libav.org/?p=libav.git;a=commit;h=4a71da0f3ab7f5542decd11c81994f849d5b2c78

References

Other references

https://www.cve.org/CVERecord?id=CVE-2011-3974