web/security: CVEs and commits for the 1.1 branch
<h1>FFmpeg Security</h1>

<p>Please report vulnerabilities to <a href="mailto:ffmpeg-security@ffmpeg.org">ffmpeg-security@ffmpeg.org</a></p>

<h2>FFmpeg 1.1</h2>
<h3>1.1.2</h3>
<p>
Fixes the following vulnerabilities:
</p>
<pre>
CVE-2013-0862, f4fb841ad13bab66d4fb0c7ff2a94770df7815d8 / 49b729d3af8464de431362e6c5b3027102bc2f88
CVE-2013-0863, 62c9beda0c189db5cb61fa772057e3af9521f293 / 7357ca900efcf829de4cce4cec6ddc286526d417
CVE-2013-0864, 9547034f9120187e23ad76424dd4d70247e62212 / c10350358da58600884292c08a8690289b81de29
CVE-2013-0865, f3d16706060ab6ae6dc78f15359fab3fd87c9495 / ab6c9332bfa1e20127a16392a0b85a4aa4840889
CVE-2013-0866, 47e462eecc0a47ad40f59376199f93f227e21d13 / 96f452ac647dae33c53c242ef3266b65a9beafb6
CVE-2013-0867, 3ef1538121fa6daeb1767510f1d4ae2c306c9fec / 11c99c78bafa77f679a1a3ba06ad00984b9a4cae
CVE-2013-0868, 6baa54924980e1f0e8121e4715d16ed1adcd2a23 / f67a0d115254461649470452058fa3c28c0df294
               75e88db33013eaa7ab74457f5556df677b4ffb42 / 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31
CVE-2013-0869, eaa9d2cd6b8c1e2722d5bfc56ea67fde865200ce / 695af8eed642ff0104834495652d1ee784a4c14d
</pre>

<h3>1.1.1</h3>
<p>
Fixes the following vulnerabilities:
</p>
<pre>
CVE-2013-0860, 68a0477bc0af026db971ddba22541029a9e8715b / 23318a57358358e7a4dc551e830e4503f0638cfe
CVE-2013-0861, 43c6b45a53a186a187f7266e4d6bd3c2620519f1 / d270c3202539e8364c46410e15f7570800e33343
</pre>

<h3>1.1</h3>
<p>
Fixes the following vulnerabilities:
</p>
<pre>
CVE-2013-0844, f18c873ab5ee3c78d00fdcc2582b39c133faecb4
CVE-2013-0845, 0ceca269b66ec12a23bf0907bd2c220513cdbf16
CVE-2013-0846, a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed
CVE-2013-0847, 10416a4d56fa8a89784e4fb62099c3cab17a9952
CVE-2013-0848, 6abb9a901fca27da14d4fffbb01948288b5da3ba
CVE-2013-0849, 3ae610451170cd5a28b33950006ff0bd23036845
CVE-2013-0850, d6c184880ee2e09fd68c0ae217173832cee5afc1
CVE-2013-0851, 63ac64864c6e0e84355aa3caa5b92208997a9a8d
CVE-2013-0852, c0d68be555f5858703383040e04fcd6529777061
CVE-2013-0853, be818df547c3b0ae4fadb50fd210139a8636706a
CVE-2013-0854, 1f41cffe1e3e79620f587545bdfcbd7e6e68ed29
CVE-2013-0855, 3920d1387834e2bc334aff9f518f4beb24e470bd
CVE-2013-0856, fd4f4923cce6a2cbf4f48640b4ac706e614a1594
CVE-2013-0857, 2fbb37b51bbea891392ad357baf8f3dff00bac05
CVE-2013-0858, 13451f5520ce6b0afde861b2285dda659f8d4fb4
CVE-2013-0859, 6d1c5ea04af3e345232aa70c944de961061dab2d
</pre>

<h2>FFmpeg 1.0</h2>
<h3>1.0.2</h3>
<p>
Fixes the following vulnerabilities:
</p>
<pre>
commit 20c121c00747d6c3b0b0f98deeff021171b2ed74 / c83002a4f8042ccfa0688a9a18e8fa0369c1fda8
commit 68e48ed72e0597ae61bc3e9e6e6d9edcb1a00073 / 7d66bc7920240cc0e8df6c44b2d2cdbe4b228fbe
commit 9929991da7b843e7d80154fcacc4e80579b86a2d / cbe43e62c9ac7d4aefdc13476f6f691bd626525f
commit e74cd2f4706f71da5e9205003c1d8263b54ed3fb / 03847eb8259291b4ff1bd840bd779d0699d71f96
</pre>

<h3>1.0.1</h3>
<p>
Fixes the following vulnerabilities:
</p>
<pre>
commit 0b9be54e97fa574867d5e99a3623d1db7df7b274 / 6d1c5ea04af3e345232aa70c944de961061dab2d
commit 112d4c400f0e0d5d1621fc8db515907cffaae259 / 2fbb37b51bbea891392ad357baf8f3dff00bac05
commit e0884eadf6a15e93142131b695f48776f9a0ac31 / fd4f4923cce6a2cbf4f48640b4ac706e614a1594
commit c8c9740ee1ea4a4f857a24b1ce05dcd07b72ec2d / 3920d1387834e2bc334aff9f518f4beb24e470bd
commit c51c5f83c13b0fa3e332e59bf764fdc598476b2e / be818df547c3b0ae4fadb50fd210139a8636706a
commit 28bf685bfc6d0c744369cdf367f61a78d80d0b01 / c0d68be555f5858703383040e04fcd6529777061
commit c8833a13cf530fbf5b1d579cd1ae527a0904403f / 63ac64864c6e0e84355aa3caa5b92208997a9a8d
commit c82d6e05da0898c45ae915fb808e175f6a4ec7e5 / d6c184880ee2e09fd68c0ae217173832cee5afc1
commit 38e8f78c041bd28f5b8d32f2fd945eae8ce28598 / 3ae610451170cd5a28b33950006ff0bd23036845
commit 74241de7ed501a34e7dfe291eed3339ca7b50755 / 6abb9a901fca27da14d4fffbb01948288b5da3ba
commit e34369e8ece08b7bd820366dea5965f4c40c0080 / a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed
</pre>

<h2>FFmpeg 0.11</h2>
<h3>0.11</h3>
<p>
Fixes the following vulnerabilities:
</p>
<pre>
CVE-2012-2772, cb7190cd2c691fd93e4d3664f3fce6c19ee001dd
CVE-2012-2774, 59a4b73531428d2f420b4dad545172c8483ced0f
CVE-2012-2775, 9d3032b960ae03066c008d6e6774f68b17a1d69d
CVE-2012-2776, ba775a54bc2136ec5da85385a923b05ee6fab159
CVE-2012-2777, 25715064c2ef4978672a91f8c856f3e8809a7c45
CVE-2012-2779, 229e4c133287955d5f3f837520a3602709b21950
CVE-2012-2782, 9a57a37b7041581c10629c8241260a5d7bfbc1e7
CVE-2012-2783, d85b3c4fff4c4b255232fcc01edbd57f19d60998
CVE-2012-2785, 326f7a68bbd429c63fd2f19f4050658982b5b081
               d462949974668ffb013467d12dc4934b9106fe19
CVE-2012-2786, d1c95d2ce39560e251fdb14f4af91b04fd7b845c
CVE-2012-2787, 01bf2ad7351fdaa2e21b6bdf963d22d6ffccb920
CVE-2012-2788, c41ac870470c614185e1752c11f892809022248a
CVE-2012-2789, 97a5addfcf0029d0f5538ed70cb38cae4108a618
CVE-2012-2790, 2837d8dc276760db1821b81df3f794a90bfa56e6
CVE-2012-2791, 0846719dd11ab3f7a7caee13e7af71f71d913389
CVE-2012-2792, d442c4462a2692e27a24e1a9d0eb6f18725c7bd8
CVE-2012-2793, 83c7803f55b3231faeb93c1a634399a70fae9480
CVE-2012-2794, 5ad7335ebac2b38bb2a1c8df51a500b78461c05a
CVE-2012-2795, a0abefb0af64a311b15141062c77dd577ba590a3
               2a7063de547b1d8fb1cef523469390fb59fb2c50
               b3a43515827f3d22a881c33b87384f01c86786fd
CVE-2012-2796, 5e59a77cec804a9b44c60ea22c17beba6453ef23
CVE-2012-2797, cca9528524c7a4b91451f4322bd50849af5d057e
CVE-2012-2798, 72b9537d8886f679494651df517dfed9b420cf1f
CVE-2012-2799, 64bd7f8e4db1742e86c5ed02bd530688b74063e3
CVE-2012-2800, f0bf9e9c2a65e9a2b9d9e4e94f99acb191dc7ae7
CVE-2012-2801, 1df49142bab1b7bccd11392aa9e819e297d21a6e
CVE-2012-2802, 2c22701c371c2f3dea21fcdbb97c981939fb77af
CVE-2012-2803, 951cbea56fdc03ef96d07fbd7e5bed755d42ac8a
CVE-2012-2804, 4a80ebe491609e04110a1dd540a0ca79d3be3d04
</pre>

<h2>FFmpeg 0.10</h2>
<h3>0.10.6</h3>
<p>
Fixes the following vulnerabilities:
</p>
<pre>
CVE-2012-2796, CVE-2012-2775, CVE-2012-2772, CVE-2012-2776,
CVE-2012-2779, CVE-2012-2787, CVE-2012-2794, CVE-2012-2800,
CVE-2012-2802, CVE-2012-2801, CVE-2012-2786, CVE-2012-2798,
CVE-2012-2793, CVE-2012-2789, CVE-2012-2788, CVE-2012-2790,
CVE-2012-2777, CVE-2012-2784
</pre>
<h3>0.10.3</h3>
<p>
Fixes the following vulnerabilities:
</p>
<pre>
CVE-2012-0947, CVE-2012-2771, CVE-2012-2773, CVE-2012-2778, CVE-2012-2780,
CVE-2012-2781, CVE-2012-2805
</pre>
<h3>0.10</h3>
<p>
Fixes the following vulnerabilities:
</p>
<pre>
CVE-2011-3929, CVE-2011-3934, CVE-2011-3935, CVE-2011-3936,
CVE-2011-3937, CVE-2011-3940, CVE-2011-3941, CVE-2011-3944,
CVE-2011-3945, CVE-2011-3946, CVE-2011-3947, CVE-2011-3949,
CVE-2011-3950, CVE-2011-3951, CVE-2011-3952
</pre>
<p>
and several others that do not have a CVE number.
Many of these issues can be exploited when a remote file is
played back and some are probable arbitrary code execution vulnerabilities.
</p>

<p>
FFmpeg 0.10 is unaffected by:
</p>
<pre>
CVE-2011-3930, CVE-2011-3931, CVE-2011-3932, CVE-2011-3933,
CVE-2011-3938, CVE-2011-3939, CVE-2011-3942, CVE-2011-3943,
CVE-2011-3948.
</pre>

<h2>FFmpeg 0.9</h2>
<h3>0.9.1</h3>
<p>
Fixes the following vulnerabilities:
</p>
<pre>
CVE-2011-3893, CVE-2011-3895,

CVE-2012-0847 FFmpeg ae21776207e8a2bbe268e7c9e203f7599dd87ddb lavfi:
add missing check in avfilter_filter_samples()

CVE-2012-0848 FFmpeg 5257743aee0c3982f0079e6553aabc6aa39401d2 ws_snd1:
Fix wrong samples count and crash.

CVE-2012-0849 FFmpeg 1f99939a6361e2e6d6788494dd7c682b051c6c34 j2kdec:
Fix integer overflow leading to a segfault

CVE-2012-0850 FFmpeg 944f5b2779e4aa63f7624df6cd4de832a53db81b aacsbr:
Fix memory corruption.

CVE-2012-0851 FFmpeg 7fff64e00d886fde11d61958888c82b461cf99b9 h264:
check chroma_format_idc range.

CVE-2012-0852 FFmpeg 608708009f69ba4cecebf05120c696167494c897 adpcm:
Fix crash

CVE-2012-0853 FFmpeg 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016 atrac3:
Fix crash in tonal component decoding.

CVE-2012-0854 FFmpeg 6d8e6fe9dbc365f50521cf0c4a5ffee97c970cb5
CODEC_ID_SOL_DPCM: Fix used write buffer.

CVE-2012-0855 FFmpeg 3eedf9f716733b3b4c5205726d2c1ca52b3d3d78 j2kdec:
Check curtileno for validity

CVE-2012-0856 FFmpeg 21270cffaeab2f67a613907516b2b0cd6c9eacf4 h263dec:
Fix regression / crash with lowres.

CVE-2012-0857 FFmpeg 282bb02839b1ce73963c8e3ee46804f1ade8b12a j2kdec:
Fix crash in get_qcx

CVE-2012-0858 FFmpeg 18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c shorten:
Fix invalid free()

CVE-2012-0859 FFmpeg 6fcf2bb8af0e7d6bb179e71e67e5fab8ef0d2ec2 vorbis:
Fix last quarter of CVE-2011-3893
</pre>
<p>and more security issues that
have no CVE number. Many of these issues can be exploited when a remote file is
played back and a few are probable arbitrary code execution vulnerabilities.</p>

<h2>FFmpeg 0.8</h2>
<h3>0.8.11</h3>
<p>
Fixes the following vulnerabilities:
</p>
<pre>
CVE-2012-0853, CVE-2012-0858, CVE-2011-3929, CVE-2011-3936,
CVE-2011-3937, CVE-2011-3940, CVE-2011-3945, CVE-2011-3947
Several security issues that don't have CVE numbers.
</pre>

<h3>0.8.10</h3>
<p>Fixes CVE-2011-3893 and CVE-2011-3895, and many more</p>

<h3>0.8.7</h3>
<p>Fixes CVE-2011-4352/NGS00145, CVE-2011-4579/NGS00148, CVE-2011-4351, NGS00144, CVE-2011-4353 among others</p>

<h3>0.8.6</h3>
<p>Fixes CVE-2011-3892 among others</p>

<h3>0.8.5</h3>
<p>Fixes CVE-2011-4364 among others</p>

<h2>FFmpeg 0.7</h2>
<h3>0.7.12</h3>
<p>
Fixes the following vulnerabilities:
</p>
<pre>
CVE-2012-0853, CVE-2012-0858, CVE-2011-3929, CVE-2011-3936,
CVE-2011-3937, CVE-2011-3940, CVE-2011-3945, CVE-2011-3947
Several security issues that don't have CVE numbers.
</pre>

<h3>0.7.11</h3>
<p>Fixes CVE-2011-3893 and CVE-2011-3895, and many more</p>

<h3>0.7.8</h3>
<p>Fixes CVE-2011-4352, CVE-2011-4579, CVE-2011-4351, CVE-2011-4353</p>

<h3>0.7.7</h3>
<p>Fixes CVE-2011-3892</p>

<h3>0.7.6</h3>
<p>Fixes CVE-2011-4364 among others</p>

<h2>FFmpeg 0.6</h2>
<h3>0.6.5</h3>
<p>Fixes CVE-2011-3892, CVE-2011-3893, CVE-2011-3895</p>

<h3>0.6.4</h3>
<p>Fixes CVE-2011-4352, CVE-2011-4579, CVE-2011-4353, CVE-2011-4351, CVE-2011-4364</p>

<h2>FFmpeg 0.5</h2>
<h3>0.5.8</h3>
<p>Fixes CVE-2011-3892, CVE-2011-3893, CVE-2011-3895</p>

<h3>0.5.7</h3>
<p>Fixes CVE-2011-4353</p>

<h3>0.5.6</h3>
<p>Fixes CVE-2011-4579, CVE-2011-4351</p>

<h3>0.5.5</h3>
<p>Fixes CVE-2011-3504, CVE-2011-3362, CVE-2011-3973, CVE-2011-3974</p>

<h3>0.5.4</h3>
<p>Fixes CVE-2010-3908, CVE-2011-0722, CVE-2010-4704, CVE-2011-0480, CVE-2011-0723</p>