oCERT reported a vulnerability that affects the flic video codec support in ffmpeg. Quoting:
"The MPlayer package is vulnerable to an arbitrary offset dereference
vulnerability, which could be exploited by a malicious remote attacker. The
vulnerability is caused by the MPlayer's flic codec (flicvideo.c) on 8 bits
per pixel videos because the codec does not check received values. This could
be exploited by jumping to arbitrary code by opening a specially crafted file."
They were particularly concerned about the ffmpeg inclusion in mplayer. The affected file (flicvideo.c) is also present in libextractor as provided by Fedora 12. It looks as though the only thing using libextractor in Fedora is doodle (local search program, like Spotlight). This would mean a user would have to download a specially crafted file and store it locally, and be using doodle to index files. I don't know whether or not doodle would be problematic here, i.e. if it's just reading metadata it might not cause any problems at all.
Later versions of libextractor have removed the embedded ffmpeg sources.
Created attachment 448516
patch from upstream to correct the issue
This will be fixed as part of ffmpeg 0.6.1.
This is now public:
Neither ffmpeg nor mplayer are shipped in any supported products, however libextractor in Fedora 12 does contain embedded ffmpeg. Later versions of libextractor have removed embedded ffmpeg; not sure if it is possible to update libextractor in Fedora 12 to the version in Fedora 13; if not, it should be patched to correct the flaw.
The patch to correct the flaw is here:
Created libextractor tracking bugs for this issue
Affects: fedora-12 [bug 638265]
ffmpeg support in libextractor is disabled because 'mpeg2dec' requirement is not available in fedora:
| checking whether to enable the FFmpeg thumbnail extractor... no
(In reply to comment #6)
> ffmpeg support in libextractor is disabled because 'mpeg2dec' requirement is
> not available in fedora:
> | checking whether to enable the FFmpeg thumbnail extractor... no
Ok, great, thank you for checking that. I'll close the Fedora tracker then.