Wednesday, January 28, 2009
The vulnerability was fixed (Figure 4-9 shows the timeline) and a new version of FFmpeg is available, so I released a detailed security advisory on my website.[44] The bug was assigned CVE-2009-0385.
Figure 4-9. Timeline of the FFmpeg bug from notification to the release of a fixed version of FFmpeg
[40] A detailed description of the 4X movie file format can be found at http://wiki.multimedia.cx/index.php?title=4xm_Format.
[42] The patch from the FFmpeg maintainers can be found at http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0838cfdc8a10185604db5cd9d6bffad71279a0e8.
[43] For more information on type conversions and associated security problems, consult Mark Dowd, John McDonald, and Justin Schuh, The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (Indianapolis, IN: Addison-Wesley Professional, 2007). See also the sample chapter available at http://ptgmedia.pearsoncmg.com/images/0321444426/samplechapter/Dowd_ch06.pdf.
[44] My security advisory that describes the details of the FFmpeg vulnerability can be found at http://www.trapkit.de/advisories/TKADV2009-004.txt.