web/security: fill in some commit hashes
[ffmpeg-web.git] / src / security
1 <h1>FFmpeg Security</h1>
2
3 <p>Please report vulnerabilities to <a href="mailto:ffmpeg-security@ffmpeg.org">ffmpeg-security@ffmpeg.org</a></p>
4
5
6 <h2>FFmpeg 0.11</h2>
7 <h3>0.11</h3>
8 <p>
9 Fixes following vulnerabilities:
10 </p>
11 <pre>
12 CVE-2012-2772, cb7190cd2c691fd93e4d3664f3fce6c19ee001dd
13 CVE-2012-2774, 59a4b73531428d2f420b4dad545172c8483ced0f
14 CVE-2012-2775, 9d3032b960ae03066c008d6e6774f68b17a1d69d
15 CVE-2012-2776, ba775a54bc2136ec5da85385a923b05ee6fab159
16 CVE-2012-2777, 25715064c2ef4978672a91f8c856f3e8809a7c45
17 CVE-2012-2779, 229e4c133287955d5f3f837520a3602709b21950
18 CVE-2012-2782, 9a57a37b7041581c10629c8241260a5d7bfbc1e7
19 CVE-2012-2783, d85b3c4fff4c4b255232fcc01edbd57f19d60998
20 CVE-2012-2784, 25715064c2ef4978672a91f8c856f3e8809a7c45
21 CVE-2012-2785, 326f7a68bbd429c63fd2f19f4050658982b5b081
22                d462949974668ffb013467d12dc4934b9106fe19
23 CVE-2012-2786, d1c95d2ce39560e251fdb14f4af91b04fd7b845c
24 CVE-2012-2787, 01bf2ad7351fdaa2e21b6bdf963d22d6ffccb920
25 CVE-2012-2788, c41ac870470c614185e1752c11f892809022248a
26 CVE-2012-2789, 97a5addfcf0029d0f5538ed70cb38cae4108a618
27 CVE-2012-2790, 2837d8dc276760db1821b81df3f794a90bfa56e6
28 CVE-2012-2791, 0846719dd11ab3f7a7caee13e7af71f71d913389
29 CVE-2012-2792, d442c4462a2692e27a24e1a9d0eb6f18725c7bd8
30 CVE-2012-2793, 83c7803f55b3231faeb93c1a634399a70fae9480
31 CVE-2012-2794, 5ad7335ebac2b38bb2a1c8df51a500b78461c05a
32 CVE-2012-2795, a0abefb0af64a311b15141062c77dd577ba590a3
33                2a7063de547b1d8fb1cef523469390fb59fb2c50
34                b3a43515827f3d22a881c33b87384f01c86786fd
35 CVE-2012-2796, 5e59a77cec804a9b44c60ea22c17beba6453ef23
36 CVE-2012-2797, cca9528524c7a4b91451f4322bd50849af5d057e
37 CVE-2012-2798, 72b9537d8886f679494651df517dfed9b420cf1f
38 CVE-2012-2799, 64bd7f8e4db1742e86c5ed02bd530688b74063e3
39 CVE-2012-2800, f0bf9e9c2a65e9a2b9d9e4e94f99acb191dc7ae7
40 CVE-2012-2801, 1df49142bab1b7bccd11392aa9e819e297d21a6e
41 CVE-2012-2802, 2c22701c371c2f3dea21fcdbb97c981939fb77af
42 CVE-2012-2803, 951cbea56fdc03ef96d07fbd7e5bed755d42ac8a
43 CVE-2012-2804, 4a80ebe491609e04110a1dd540a0ca79d3be3d04
44 </pre>
45
46 <h2>FFmpeg 0.10</h2>
47 <h3>0.10.3</h3>
48 <p>
49 Fixes following vulnerabilities:
50 </p>
51 <pre>
52 CVE-2012-0947, CVE-2012-2771, CVE-2012-2773, CVE-2012-2778, CVE-2012-2780,
53 CVE-2012-2781, CVE-2012-2805,
54 </pre>
55 <h3>0.10</h3>
56 <p>
57 Fixes following vulnerabilities:
58 </p>
59 <pre>
60 CVE-2011-3929, CVE-2011-3934, CVE-2011-3935, CVE-2011-3936,
61 CVE-2011-3937, CVE-2011-3940, CVE-2011-3941, CVE-2011-3944,
62 CVE-2011-3945, CVE-2011-3946, CVE-2011-3947, CVE-2011-3949,
63 CVE-2011-3950, CVE-2011-3951, CVE-2011-3952
64 </pre>
65 <p>
66 and several others that do not have a CVE number.
67 Many of these issues can be exploited when a remote file is
68 played back and some are probable arbitrary code execution vulnerabilities.
69 </p>
70
71 <p>
72 FFmpeg 0.10 is unaffected by:
73 </p>
74 <pre>
75 CVE-2011-3930, CVE-2011-3931, CVE-2011-3932, CVE-2011-3933,
76 CVE-2011-3938, CVE-2011-3939, CVE-2011-3942, CVE-2011-3943,
77 CVE-2011-3948.
78 </pre>
79
80 <h2>FFmpeg 0.9</h2>
81 <h3>0.9.1</h3>
82 <p>
83 Fixes following vulnerabilities:
84 </p>
85 <pre>
86 CVE-2011-3893, CVE-2011-3895,
87
88 CVE-2012-0847 FFmpeg ae21776207e8a2bbe268e7c9e203f7599dd87ddb lavfi:
89 add missing check in avfilter_filter_samples()
90
91 CVE-2012-0848 FFmpeg 5257743aee0c3982f0079e6553aabc6aa39401d2 ws_snd1:
92 Fix wrong samples count and crash.
93
94 CVE-2012-0849 FFmpeg 1f99939a6361e2e6d6788494dd7c682b051c6c34 j2kdec:
95 Fix integer overflow leading to a segfault
96
97 CVE-2012-0850 FFmpeg 944f5b2779e4aa63f7624df6cd4de832a53db81b aacsbr:
98 Fix memory corruption.
99
100 CVE-2012-0851 FFmpeg 7fff64e00d886fde11d61958888c82b461cf99b9 h264:
101 check chroma_format_idc range.
102
103 CVE-2012-0852 FFmpeg 608708009f69ba4cecebf05120c696167494c897 adpcm:
104 Fix crash
105
106 CVE-2012-0853 FFmpeg 9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016 atrac3:
107 Fix crash in tonal component decoding.
108
109 CVE-2012-0854 FFmpeg 6d8e6fe9dbc365f50521cf0c4a5ffee97c970cb5
110 CODEC_ID_SOL_DPCM: Fix used write buffer.
111
112 CVE-2012-0855 FFmpeg 3eedf9f716733b3b4c5205726d2c1ca52b3d3d78 j2kdec:
113 Check curtileno for validity
114
115 CVE-2012-0856 FFmpeg 21270cffaeab2f67a613907516b2b0cd6c9eacf4 h263dec:
116 Fix regression / crash with lowres.
117
118 CVE-2012-0857 FFmpeg 282bb02839b1ce73963c8e3ee46804f1ade8b12a j2kdec:
119 Fix crash in get_qcx
120
121 CVE-2012-0858 FFmpeg 18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c shorten:
122 Fix invalid free()
123
124 CVE-2012-0859 FFmpeg 6fcf2bb8af0e7d6bb179e71e67e5fab8ef0d2ec2 vorbis:
125 Fix last quarter of CVE-2011-3893
126 </pre>
127 <p>and more security issues that
128 have no CVE number. Many of these issues can be exploited when a remote file is
129 played back and a few are probable arbitrary code execution vulnerabilities</p>
130
131
132 <h2>FFmpeg 0.8</h2>
133 <h3>0.8.11</h3>
134 <p>
135 Fixes following vulnerabilities:
136 </p>
137 <pre>
138 CVE-2012-0853, CVE-2012-0858, CVE-2011-3929, CVE-2011-3936,
139 CVE-2011-3937, CVE-2011-3940, CVE-2011-3945, CVE-2011-3947
140 Several security issues that dont have CVE numbers.
141 </pre>
142
143 <h3>0.8.10</h3>
144 <p>Fixes CVE-2011-3893 and CVE-2011-3895, and many more</p>
145
146 <h3>0.8.7</h3>
147 <p>Fixes CVE-2011-4352/NGS00145, CVE-2011-4579/NGS00148, CVE-2011-4351, NGS00144, CVE-2011-4353 among others</p>
148
149 <h3>0.8.6</h3>
150 <p>Fixes CVE-2011-3892 among others</p>
151
152 <h3>0.8.5</h3>
153 <p>Fixes CVE-2011-4364 among others</p>
154
155 <h2>FFmpeg 0.7</h2>
156 <h3>0.7.12</h3>
157 <p>
158 Fixes following vulnerabilities:
159 </p>
160 <pre>
161 CVE-2012-0853, CVE-2012-0858, CVE-2011-3929, CVE-2011-3936,
162 CVE-2011-3937, CVE-2011-3940, CVE-2011-3945, CVE-2011-3947
163 Several security issues that dont have CVE numbers.
164 </pre>
165
166 <h3>0.7.11</h3>
167 <p>Fixes CVE-2011-3893 and CVE-2011-3895, and many more</p>
168
169 <h3>0.7.8</h3>
170 <p>Fixes CVE-2011-4352, CVE-2011-4579, CVE-2011-4351, CVE-2011-4353</p>
171
172 <h3>0.7.7</h3>
173 <p>Fixes CVE-2011-3892</p>
174
175 <h3>0.7.6</h3>
176 <p>Fixes CVE-2011-4364 among others</p>
177
178 <h2>FFmpeg 0.6</h2>
179 <h3>0.6.5</h3>
180 <p>Fixes CVE-2011-3892, CVE-2011-3893, CVE-2011-3895</p>
181
182 <h3>0.6.4</h3>
183 <p>Fixes CVE-2011-4352, CVE-2011-4579, CVE-2011-4353, CVE-2011-4351, CVE-2011-4364</p>
184
185 <h2>FFmpeg 0.5</h2>
186 <h3>0.5.8</h3>
187 <p>Fixes CVE-2011-3892, CVE-2011-3893, CVE-2011-3895</p>
188
189 <h3>0.5.7</h3>
190 <p>CVE-2011-4353</p>
191
192 <h3>0.5.6</h3>
193 <p>Fixes CVE-2011-4579, CVE-2011-4351</p>
194
195 <h3>0.5.5</h3>
196 <p>Fixes CVE-2011-3504, CVE-2011-3362, CVE-2011-3973, CVE-2011-3974</p>
197
198 <h3>0.5.4</h3>
199 <p>Fixes CVE-2010-3908, CVE-2011-0722, CVE-2010-4704, CVE-2011-0480, CVE-2011-0723</p>