Advisories, December 15, 2005

Gentoo Linux

Gentoo Linux Security Advisory GLSA 200512-06

http://security.gentoo.org/

Severity: High
Title: Ethereal: Buffer overflow in OSPF protocol dissector
Date: December 14, 2005
Bugs: #115030
ID: 200512-06

Synopsis

Ethereal is missing bounds checking in the OSPF protocol
dissector that could lead to abnormal program termination or the
execution of arbitrary code.

Background

Ethereal is a feature-rich network protocol analyzer. It
provides protocol analyzers for various network flows, including
one for Open Shortest Path First (OSPF) Interior Gateway
Protocol.

Affected packages

     Package                /   Vulnerable   /              Unaffected

  1  net-analyzer/ethereal     < 0.10.13-r2              >= 0.10.13-r2

Description

iDEFENSE reported a possible overflow due to the lack of bounds
checking in the dissect_ospfv3address_prefix() function, part of the OSPF protocol
dissector.

An attacker might be able to craft a malicious network flow that
would crash Ethereal. It may be possible, though unlikely, to
exploit this flaw to execute arbitrary code with the permissions of
the user running Ethereal, which could be the root user.

Workaround

There is no known workaround at this time.

Resolution

All Ethereal users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.10.13-r2"

References

[ 1 ] CVE-2005-3651

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3651

[ 2 ] iDEFENSE Advisory

http://www.idefense.com/application/poi/display?id=349&type=vulnerabilities

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200512-06.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

SUSE Linux

SUSE Security Announcement

Package: kernel
Announcement ID: SUSE-SA:2005:068
Date: Wed, 14 Dec 2005 16:00:00 +0000
Affected Products: SUSE LINUX 9.3 SUSE LINUX 9.2 SUSE LINUX 9.1
SuSE Linux 9.0 SuSE Linux Desktop 1.0 SuSE Linux Enterprise Server
8 SUSE Linux Enterprise Server 9 UnitedLinux 1.0
Vulnerability Type: denial of service
Severity (1-10): 6
SUSE Default Package: yes
Cross-References: CVE-2005-1041, CVE-2005-2457, CVE-2005-2458
CVE-2005-2459, CVE-2005-2490, CVE-2005-2492 CVE-2005-2800,
CVE-2005-2872, CVE-2005-2973 CVE-2005-3044, CVE-2005-3055,
CVE-2005-3110 CVE-2005-3180, CVE-2005-3275, CVE-2005-3527
CVE-2005-3783, CVE-2005-3784, CVE-2005-3805 CVE-2005-3806,
CVE-2005-3807

Content of This Advisory:

Security Vulnerability Resolved: Linux kernel security problems
and bugfixes Problem Description
Solution or Work-Around
Special Instructions and Notes
Package Location and Checksums
Pending Vulnerabilities, Solutions, and Work-Arounds: See SUSE
Security Summary Report.
Authenticity Verification and Additional Information

1) Problem Description and Brief Discussion

The Linux kernel was updated to fix several security problems
and several bugs, listed below:

Security fixes:

CVE-2005-3783: A check in ptrace(2) handling that finds out if
a process is attaching to itself was incorrect and could be used by
a local attacker to crash the machine. (All)
CVE-2005-3784: A check in reaping of terminating child
processes did not consider ptrace(2) attached processes and would
leave a ptrace reference dangling. This could lead to a local user
being able to crash the machine. (Linux kernel 2.6 based products
only)
CVE-2005-2973: An infinite loop in the IPv6 UDP loopback
handling can be easily triggered by a local user and lead to a
denial of service. (Linux kernel 2.6 based products only)
CVE-2005-3055: Unplugging an user space controlled USB device
with an URB pending in user space could crash the kernel. This can
be easily triggered by local attacker. (Fixed for Linux kernel 2.6
based products only.)
CVE-2005-3044: Missing sockfd_put() calls in routing_ioctl()
leaked file handles which in turn could exhaust system memory.
(All)
CVE-2005-3180: Fixed incorrect padding in Orinoco wireless
driver, which could expose kernel data to the air. (Linux 2.6 based
products only)
CVE-2005-2490: A stack-based buffer overflow in the sendmsg
function call in the Linux kernel 2.6 and 2.4 allowed local users
execute arbitrary code by calling sendmsg and modifying the message
contents in another thread. (All)
CVE-2005-3806: A bug in IPv6 flow label handling code could be
used by a local attacker to free non-allocated memory and in turn
corrupt kernel memory and likely crash the machine. (All)
CVE-2005-3275: The NAT code in Linux kernel incorrectly
declares a variable to be static, which allows remote attackers to
cause a denial of service (memory corruption) by causing two
packets for the same protocol to be NATed at the same time.
(All)
CVE-2005-2457: A problem in decompression of files on “zisofs”
filesystem was fixed. (All)
CVE-2005-2458: A potential buffer overflow in the zlib
decompression handling in the kernel was fixed. (All)
CVE-2005-2459: Some return codes in zlib decoding were fixed
which could have led to an attacker crashing the kernel. (All)
CVE-2005-3110: A race condition in the ebtables netfilter
module (ebtables.c), when running on an SMP system that is
operating under a heavy load, might allow remote attackers to cause
a denial of service (crash) via a series of packets that cause a
value to be modified after it has been read but before it has been
locked. (Linux kernel 2.6 based products only)
CVE-2005-1041: A race condition when reading the
/proc/net/route virtual file could be used by a local attacker to
potentially crash the machine. (Linux kernel 2.6 based products
only)
CVE-2005-2800: A memory leak in the seq_file implementation in
the SCSI procfs interface (sg.c) allows local users to cause a
denial of service (memory consumption) via certain repeated reads
from the /proc/scsi/sg/devices file, which is not properly handled
when the next() iterator returns NULL or an error. (Linux kernel
2.6 based products only)
CVE-2005-2872: The ipt_recent module when running on 64bit
processors allows remote attackers to cause a DoS (kernel panic)
via certain attacks such as SSH brute force. (Linux kernel 2.6
based products only)
CVE-2005-2492: The raw_sendmsg function in the Linux kernel
allows local attackers to cause a denial of service (change
hardware state) or read from arbitrary memory via crafted input.
(SUSE Linux 9.2 and 9.3)
CVE-2005-3805: A locking problem in POSIX timer handling could
be used by a local attacker on a SMP system to deadlock the
machine. (SUSE Linux 9.3)
CVE-2005-3527: A race condition in do_coredump in signal.c
allows local users to cause a denial of service (machine hang) by
triggering a core dump in one thread while another thread has a
pending SIGSTOP. (SUSE Linux 9.3)
CVE-2005-3807: A memory kernel leak in VFS lease handling can
exhaust the machine memory and so cause a local denial of service.
This is seen in regular Samba use and could also be triggered by
local attackers. (SUSE Linux 9.3)

Non security bugfixes:

Fixed the “treason uncloaked” kernel messages that were caused
by a stale pred_flags variable when the TCP snd_wnd changes.
a lot of other small fixes not listed here. 2) Solution or
Work-Around

There is no known workaround, please install the update
packages.

3) Special Instructions and Notes

SPECIAL INSTALLATION
INSTRUCTIONS

The following paragraphs guide you through the installation
process in a step-by-step fashion. The character sequence “****”
marks the beginning of a new paragraph. In some cases, the steps
outlined in a particular paragraph may or may not be applicable to
your situation. Therefore, make sure that you read through all of
the steps below before attempting any of these procedures. All of
the commands that need to be executed must be run as the superuser
‘root’. Each step relies on the steps before it to complete
successfully.

Step 1: Determine the needed kernel type.
Use the following command to determine which kind of kernel is
installed on your system:

rpm -qf –qf ‘%{name} ‘ /boot/vmlinuz
Step 2: Download the packages for your system.
Download the kernel RPM package for your distribution with the
name indicated by Step 1. Starting from SUSE LINUX 9.2, kernel
modules that are not free were moved to a separate package with the
suffix ‘-nongpl’ in its name. Download that package as well if you
rely on hardware that requires non-free drivers, such as some ISDN
adapters. The list of all kernel RPM packages is appended
below.

The kernel-source package does not contain a binary kernel in
bootable form. Instead, it contains the sources that correspond
with the binary kernel RPM packages. This package is required to
build third party add-on modules.
Step 3: Verify authenticity of the packages.
Verify the authenticity of the kernel RPM package using the
methods as listed in Section 6 of this SUSE Security
Announcement.
Step 4: Installing your kernel rpm package.
Install the rpm package that you have downloaded in Step 2 with
the command

rpm -Uhv <FILE>

replacing <FILE> with the filename of the RPM package
downloaded.

Warning: After performing this step, your system may not boot
unless the following steps have been followed completely.
Step 5: Configuring and creating the initrd.
The initrd is a RAM disk that is loaded into the memory of your
system together with the kernel boot image by the boot loader. The
kernel uses the content of this RAM disk to execute commands that
must be run before the kernel can mount its root file system. The
initrd is typically used to load hard disk controller drivers and
file system modules. The variable INITRD_MODULES in
/etc/sysconfig/kernel determines which kernel modules are loaded in
the initrd.

After a new kernel rpm has been installed, the initrd must be
recreated to include the updated kernel modules. Usually this
happens automatically when installing the kernel rpm. If creating
the initrd fails for some reason, manually run the command

/sbin/mkinitrd
Step 6: Update the boot loader, if necessary.
Depending on your software configuration, you either have the
LILO or GRUB boot loader installed and initialized on your system.
Use the command

grep LOADER_TYPE /etc/sysconfig/bootloader

to find out which boot loader is configured.

The GRUB boot loader does not require any further action after a
new kernel has been installed. You may proceed to the next step if
you are using GRUB.

If you use the LILO boot loader, lilo must be run to
reinitialize the boot sector of the hard disk. Usually this happens
automatically when installing the kernel RPM. In case this step
fails, run the command

/sbin/lilo

Warning: An improperly installed boot loader will render your
system unbootable.
Step 7: Reboot.
If all of the steps above have been successfully completed on
your system, the new kernel including the kernel modules and the
initrd are ready to boot. The system needs to be rebooted for the
changes to be active. Make sure that all steps have been completed
then reboot using the command

/sbin/shutdown -r now

Your system will now shut down and restart with the new
kernel.

4) Package Location and Checksums

The preferred method for installing security updates is to use
the YaST Online Update (YOU) tool. YOU detects which updates are
required and automatically performs the necessary steps to verify
and install them. Alternatively, download the update packages for
your distribution manually and verify their integrity by the
methods listed in Section 6 of this announcement. Then install the
packages using the command

rpm -Fhv <file.rpm>

to apply the update, replacing <file.rpm> with the
filename of the downloaded RPM package.

x86 Platform:

SUSE LINUX 9.1:
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-bigsmp-2.6.5-7.202.7.i586.rpm
498b6452f6e80c2168fc18e9aaa171ca
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-default-2.6.5-7.202.7.i586.rpm
9cdcc381aa3fe9c38883af5ae50fe566
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-smp-2.6.5-7.202.7.i586.rpm
5b6910b080ddaebb52ba01a77e64cda5
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-source-2.6.5-7.202.7.i586.rpm
f492f72cf5cc3039a02b0b809688ca49
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-syms-2.6.5-7.202.7.i586.rpm
4613e41ca201515ae803966ecd7b0b93
   ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/ltmodem-2.6.2-38.19.i586.rpm
d21af772ba56053116b350a1970777aa

Platform Independent:

SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/noarch/kernel-docs-2.6.11.4-21.10.noarch.rpm
47d5b58910d7890c56b49c5f0a051edb

SUSE LINUX 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/noarch/kernel-docs-2.6.8-24.19.noarch.rpm
d7d6524760444a7007b33614f7438d18

SUSE LINUX 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/noarch/kernel-docs-2.6.5-7.202.7.noarch.rpm
1c8fe8bd02541c36268c8bdd9ae52408
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/noarch/kernel-docs-2.6.5-7.202.7.noarch.rpm
4ccf9f952bf7bdf81535fae998ebcecf

x86-64 Platform:

SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-default-2.6.11.4-21.10.x86_64.rpm
ba425257f4863c3609218ffb97d88ad5
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-default-nongpl-2.6.11.4-21.10.x86_64.rpm
4c5ce7b9a10a1befe1055e5dda1f8cf3
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-smp-2.6.11.4-21.10.x86_64.rpm
3cbe380b73ab0582f272389241ed3387
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-smp-nongpl-2.6.11.4-21.10.x86_64.rpm
4b42629c3bed66cacb1a984c5e26f9d4
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-source-2.6.11.4-21.10.x86_64.rpm
06a6903d738d08d889486fd37fd356a8
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/kernel-syms-2.6.11.4-21.10.x86_64.rpm
8e68e2009d0a7f75c844e66770d4c812

SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-default-2.6.8-24.19.x86_64.rpm
205edc94cdc1efd47dcd5a3c207ed8ea
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-default-nongpl-2.6.8-24.19.x86_64.rpm
d165d199a24c2531ffb66bf8559f94d0
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-smp-2.6.8-24.19.x86_64.rpm
3741cd730f4d74fdd942df421dcd70c8
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-smp-nongpl-2.6.8-24.19.x86_64.rpm
a944dadc1c00f35e0311cc1e059f2ef7
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-source-2.6.8-24.19.x86_64.rpm
10d243b42b080caf2b35a203d37e054b
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/kernel-syms-2.6.8-24.19.x86_64.rpm
476f6d22a5f9b985c6ff637b47560902

SUSE LINUX 9.1:
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-default-2.6.5-7.202.7.x86_64.rpm
b842f83ea73c098b06264255c448a369
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-smp-2.6.5-7.202.7.x86_64.rpm
67348b7d9c74d517652340c1b195d350
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-source-2.6.5-7.202.7.x86_64.rpm
32a9ffb2b0907f4110ed577cc19f588e
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-syms-2.6.5-7.202.7.x86_64.rpm
5f466140ede81eb3cf45a883c1a4283e

SuSE Linux 9.0:
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_deflt-2.4.21-303.x86_64.rpm
995456b107b5a11541c441c01285c69f
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_smp-2.4.21-303.x86_64.rpm
1330055b72a360e1e9d95f55446565c6
   ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/kernel-source-2.4.21-303.x86_64.rpm
bfd3f18af242371f001ab3badb6886b6

Sources:

Our maintenance customers are notified individually. The
packages are offered for installation from the maintenance web:

http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/0efbd4214ff63cd671f6ac22674becbe.html

http://portal.suse.com/psdb/0efbd4214ff63cd671f6ac22674becbe.html

http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/20c5e4c2a0fea3202c966fa44c89b13e.html

http://portal.suse.com/psdb/20c5e4c2a0fea3202c966fa44c89b13e.html

http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/9fc2ed050cb64aa9c37f32a689e98703.html

http://portal.suse.com/psdb/9fc2ed050cb64aa9c37f32a689e98703.html

http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/79a129621653571f9f612232ddd69857.html

http://portal.suse.com/psdb/79a129621653571f9f612232ddd69857.html

http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/77fd150f1962b32355a96affeee048ed.html

http://portal.suse.com/psdb/77fd150f1962b32355a96affeee048ed.html

http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/93d7c163efacc0665439a7d2c93341d1.html

http://portal.suse.com/psdb/93d7c163efacc0665439a7d2c93341d1.html

http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/fcd8a24f5457e2ac521ea89935681fa3.html

http://portal.suse.com/psdb/fcd8a24f5457e2ac521ea89935681fa3.html

http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/c7050141b3702832a32e74185b621254.html

http://portal.suse.com/psdb/c7050141b3702832a32e74185b621254.html

http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/fa8599c9b2c6f42f6125cdff8246eb01.html

http://portal.suse.com/psdb/fa8599c9b2c6f42f6125cdff8246eb01.html

http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/f43a8157eaa3cc5d6ad4e782c86273d5.html

http://portal.suse.com/psdb/f43a8157eaa3cc5d6ad4e782c86273d5.html

http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/e400e6279f02255de204820f5290b8bb.html

http://portal.suse.com/psdb/e400e6279f02255de204820f5290b8bb.html

http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/268441775ca440ed04388897a55453d1.html

http://portal.suse.com/psdb/268441775ca440ed04388897a55453d1.html

http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/0e2c7f08437e0128f5441c08f313e453.html

http://portal.suse.com/psdb/0e2c7f08437e0128f5441c08f313e453.html

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

See SUSE Security Summary Report.

6) Authenticity Verification and Additional Information

Announcement authenticity verification:
SUSE security announcements are published via mailing lists and
on Web sites. The authenticity and integrity of a SUSE security
announcement is guaranteed by a cryptographic signature in each
announcement. All SUSE security announcements are published with a
valid signature.

To verify the signature of the announcement, save it as text
into a file and run the command

gpg –verify <file>

replacing <file> with the name of the file where you saved
the announcement. The output for a valid signature looks like:

gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from “SuSE Security Team <security@suse.de>”

where <DATE> is replaced by the date the document was
signed.

If the security team’s key is not contained in your key ring,
you can import it from the first installation CD. To import the
key, use the command

gpg –import gpg-pubkey-3d25d3d9-36e12d04.asc
Package authenticity verification:
SUSE update packages are available on many mirror FTP servers
all over the world. While this service is considered valuable and
important to the free and open source software community, the
authenticity and the integrity of a package needs to be verified to
ensure that it has not been tampered with.

There are two verification methods that can be used
independently from each other to prove the authenticity of a
downloaded file or RPM package:
1. Using the internal gpg signatures of the rpm package
2. MD5 checksums as provided in this announcement
1. The internal rpm package signatures provide an easy way to
  verify the authenticity of an RPM package. Use the command
  
  rpm -v –checksig <file.rpm>
  
  to verify the signature of the package, replacing
  <file.rpm> with the filename of the RPM package downloaded.
  The package is unmodified if it contains a valid signature from
  build@suse.de with the key ID
  9C800ACA. This key is automatically imported into the RPM database
  (on RPMv4-based distributions) and the gpg key ring of ‘root’
  during installation. You can also find it on the first installation
  CD and at the end of this announcement.
2. If you need an alternative means of verification, use the
  md5sum
  
  command to verify the authenticity of the packages. Execute the
  command
  
  md5sum <filename.rpm>
  
  after you downloaded the file from a SUSE FTP server or its
  mirrors. Then compare the resulting md5sum with the one that is
  listed in the SUSE security announcement. Because the announcement
  containing the checksums is cryptographically signed (by security@suse.de), the checksums show
  proof of the authenticity of the package if the signature of the
  announcement is valid. Note that the md5 sums published in the SUSE
  Security Announcements are valid for the respective packages only.
  Newer versions of these packages cannot be verified.
SUSE runs two security mailing lists to which any interested
party may subscribe:

suse-security@suse.com
- General Linux and SUSE security discussion.
  All SUSE security announcements are sent to this list. To
  subscribe, send an e-mail to
  
  <suse-security-subscribe@suse.com>.
  
  suse-security-announce@suse.com
- SUSE’s announce-only mailing list.
  Only SUSE’s security announcements are sent to this list. To
  subscribe, send an e-mail to
  
  <suse-security-announce-subscribe@suse.com>.
For general information or the frequently asked questions (FAQ),
send mail to <suse-security-info@suse.com>
or
<suse-security-faq@suse.com>.

SUSE’s security contact is <security@suse.com> or
<security@suse.de>. The
<security@suse.de>
public key is listed below.

The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
In particular, the clear text signature should show proof of the
authenticity of the text.

SUSE Linux Products GmbH provides no warranties of any kind
whatsoever with respect to the information contained in this
security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>

Ubuntu Linux

Ubuntu Security Notice USN-230-1 December 14, 2005
ffmpeg vulnerability
CVE-2005-4048

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libavcodec-dev
kino

The problem can be corrected by upgrading the affected package
to version 3:0.cvs20050121-1ubuntu1.1 (libavcodec-dev), and
0.75-6ubuntu0.1 (kino). In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Simon Kilvington discovered a buffer overflow in the
avcodec_default_get_buffer() function of the ffmpeg library. By
tricking an user into opening a malicious movie which contains
specially crafted PNG images, this could be exploited to execute
arbitrary code with the user’s privileges.

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/ffmpeg_0.cvs20050121-1ubuntu1.1.diff.gz

Size/MD5: 9033
4878968bff9fe53442fab66dad190a41
http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/ffmpeg_0.cvs20050121-1ubuntu1.1.dsc

Size/MD5: 776
1fd3ea52c6ac45334f48f9d46964f9ca
http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/ffmpeg_0.cvs20050121.orig.tar.gz

Size/MD5: 1781944
20b305e0943289b6e361bc15f664ff40
http://security.ubuntu.com/ubuntu/pool/main/k/kino/kino_0.75-6ubuntu0.1.diff.gz

Size/MD5: 26236
78a05be921f6fd2cdb4f95ef39b4c802
http://security.ubuntu.com/ubuntu/pool/main/k/kino/kino_0.75-6ubuntu0.1.dsc

Size/MD5: 863
07e9bcc599b324c566f4fbf185d45196
http://security.ubuntu.com/ubuntu/pool/main/k/kino/kino_0.75.orig.tar.gz

Size/MD5: 1227042
592f90be63feb7e63940cedd68edcf79

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/ffmpeg_0.cvs20050121-1ubuntu1.1_amd64.deb

Size/MD5: 3896862
7caacb873b5a1279643e8fb6edb94397
http://security.ubuntu.com/ubuntu/pool/main/f/ffmpeg/libavcodec-dev_0.cvs20050121-1ubuntu1.1_amd64.deb

Size/MD5: 2284570
81e81570170a3d3a47c38f5c5792ac50
http://security.ubuntu.com/ubuntu/pool/universe/f/ffmpeg/libavformat-dev_0.cvs20050121-1ubuntu1.1_amd64.deb