CVE-2008-4867

Name	CVE-2008-4867
Description	Buffer overflow in libavcodec/dca.c in FFmpeg 0.4.9 before r14917, as used by MPlayer, allows context-dependent attackers to have an unknown impact via vectors related to an incorrect DCA_MAX_FRAME_SIZE value.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity	high
Debian Bugs	504977

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ffmpeg (PTS)	stretch (security), stretch	7:3.2.14-1~deb9u1	fixed
	buster, buster (security)	7:4.1.4-1~deb10u1	fixed
	bullseye, sid	7:4.2.2-1	fixed
kino (PTS)	jessie	1.3.4-2.1	fixed
	stretch	1.3.4-2.2	fixed
	bullseye, sid, buster	1.3.4+dfsg0-1	fixed
mplayer (PTS)	stretch	2:1.3.0-6	fixed
	bullseye, sid, buster	2:1.3.0-8	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
ffmpeg	source	(unstable)	0.svn20080206-14
ffmpeg	source	etch	(not affected)
ffmpeg-debian	source	(unstable)	0.svn20080206-14	504977
gstreamer0.10-ffmpeg	source	(unstable)	0.10.3-2
gstreamer0.10-ffmpeg	source	etch	(not affected)
kino	source	(unstable)	1.0.0-1
kino	source	etch	(not affected)
mplayer	source	(unstable)	1.0~rc2-14
mplayer	source	etch	(not affected)

Notes

[etch] - ffmpeg <not-affected> (Vulnerable code not present)
[etch] - mplayer <not-affected> (Vulnerable code not present)
[etch] - kino <not-affected> (Does not ship ffmpeg)
[etch] - gstreamer0.10-ffmpeg <not-affected> (Vulnerable code not present)