Bug 11747

Summary:	ffmpeg update to 1.1.8
Product:	Mageia	Reporter:	Oden Eriksson <oe>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	luigiwalser, rverschelde, stormi-mageia, sysadmin-bugs, tmb
Version:	3	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/586334/
Whiteboard:	has_procedure advisory mga3-32-ok MGA3-64-OK
Source RPM:	ffmpeg	CVE:
Status comment:

Description Oden Eriksson 2013-11-24 11:18:01 CET

======================================================
Name: CVE-2013-0872
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0872
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=21cd905cd44a4bbafe8631bbaa6021d328413ce5
Reference: CONFIRM:http://www.ffmpeg.org/security.html

The swr_init function in libswresample/swresample.c in FFmpeg before
1.1.3 allows remote attackers to have an unspecified impact via an
invalid or unsupported (1) input or (2) output channel layout, related
to an out-of-bounds array access.



======================================================
Name: CVE-2013-0873
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0873
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=4f1279154ee9baf2078241bf5619774970d18b25
Reference: CONFIRM:http://www.ffmpeg.org/security.html

The read_header function in libavcodec/shorten.c in FFmpeg before
1.1.3 allows remote attackers to have an unspecified impact via an
invalid channel count, related to "freeing invalid addresses."



======================================================
Name: CVE-2013-0874
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0874
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e1219cdaf9fb4bc8cea410e1caf802373c1bfe51
Reference: CONFIRM:http://www.ffmpeg.org/security.html

The (1) doubles2str and (2) shorts2str functions in libavcodec/tiff.c
in FFmpeg before 1.1.3 allow remote attackers to have an unspecified
impact via a crafted TIFF image, related to an out-of-bounds array
access.



======================================================
Name: CVE-2013-0875
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0875
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=1ac0fa50eff30d413206cffa5f47f7fe6d4849b1
Reference: CONFIRM:http://www.ffmpeg.org/security.html

The ff_add_png_paeth_prediction function in libavcodec/pngdec.c in
FFmpeg before 1.1.3 allows remote attackers to have an unspecified
impact via a crafted PNG image, related to an out-of-bounds array
access.



======================================================
Name: CVE-2013-0876
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0876
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=5260edee7e5bd975837696c8c8c1a80eb2fbd7c1
Reference: CONFIRM:http://www.ffmpeg.org/security.html

Multiple integer overflows in the (1) old_codec37 and (2) old_codec47
functions in libavcodec/sanm.c in FFmpeg before 1.1.3 allow remote
attackers to have an unspecified impact via crafted LucasArts Smush
data, which triggers an out-of-bounds array access.



======================================================
Name: CVE-2013-0877
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0877
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=365270aec5c2b9284230abc702b11168818f14cf
Reference: CONFIRM:http://www.ffmpeg.org/security.html

The old_codec37 function in libavcodec/sanm.c in FFmpeg before 1.1.3
allows remote attackers to have an unspecified impact via crafted
LucasArts Smush data that has a large size when decoded, related to an
out-of-bounds array access.



======================================================
Name: CVE-2013-0878
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0878
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f5955d9f6f9ffdb81864c3de1c7b801782a55725
Reference: CONFIRM:http://www.ffmpeg.org/security.html

The advance_line function in libavcodec/targa.c in FFmpeg before 1.1.3
allows remote attackers to have an unspecified impact via crafted
Targa image data, related to an out-of-bounds array access.



======================================================
Name: CVE-2013-4263
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4263
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: MLIST:[oss-security] 20130821 Re: CVE Request: FFmpeg 2.0.1 multiple problems
Reference: URL:http://www.openwall.com/lists/oss-security/2013/08/21/11
Reference: CONFIRM:http://www.ffmpeg.org/security.html
Reference: CONFIRM:https://github.com/FFmpeg/FFmpeg/commit/e43a0a232dbf6d3c161823c2e07c52e76227a1bc

libavfilter in FFmpeg before 2.0.1 allows has unspecified impact and
remote vectors related to a crafted "plane," which triggers an
out-of-bounds heap write.



======================================================
Name: CVE-2013-4264
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4264
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: MLIST:[oss-security] 20130821 Re: CVE Request: FFmpeg 2.0.1 multiple problems
Reference: URL:http://www.openwall.com/lists/oss-security/2013/08/21/11
Reference: CONFIRM:http://www.ffmpeg.org/security.html
Reference: CONFIRM:https://github.com/FFmpeg/FFmpeg/commit/2960576378d17d71cc8dccc926352ce568b5eec1
Reference: CONFIRM:https://trac.ffmpeg.org/ticket/2842

The kempf_decode_tile function in libavcodec/g2meet.c in FFmpeg before
2.0.1 allows remote attackers to cause a denial of service
(out-of-bounds heap write) via a G2M4 encoded file.



======================================================
Name: CVE-2013-4265
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4265
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: MLIST:[oss-security] 20130821 Re: CVE Request: FFmpeg 2.0.1 multiple problems
Reference: URL:http://www.openwall.com/lists/oss-security/2013/08/21/11
Reference: CONFIRM:http://www.ffmpeg.org/security.html
Reference: CONFIRM:https://github.com/FFmpeg/FFmpeg/commit/c94f9e854228e0ea00e1de8769d8d3f7cab84a55

The av_reallocp_array function in libavutil/mem.c in FFmpeg before
2.0.1 has an unspecified impact and remote vectors related to a "wrong
return code" and a resultant NULL pointer dereference.



======================================================
Name: CVE-2013-0860
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0860
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3e196e4def03c7a91423803402f84d638d316c33
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=68a0477bc0af026db971ddba22541029a9e8715b
Reference: CONFIRM:http://www.ffmpeg.org/security.html

The ff_er_frame_end function in libavcodec/error_resilience.c in
FFmpeg before 1.0.4 and 1.1.x before 1.1.1 does not properly verify
that a frame is fully initialized, which allows remote attackers to
trigger a NULL pointer dereference via crafted picture data.



======================================================
Name: CVE-2013-0861
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0861
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=43c6b45a53a186a187f7266e4d6bd3c2620519f1
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=4cd1dad91ae97fe1f0dd534c3f5566787566f137
Reference: CONFIRM:http://www.ffmpeg.org/security.html

The avcodec_decode_audio4 function in libavcodec/utils.c in FFmpeg
before 1.0.4 and 1.1.x before 1.1.1 allows remote attackers to trigger
memory corruption via vectors related to the channel layout.



======================================================
Name: CVE-2013-0862
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0862
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=f4fb841ad13bab66d4fb0c7ff2a94770df7815d8
Reference: CONFIRM:http://www.ffmpeg.org/security.html

Multiple integer overflows in the process_frame_obj function in
libavcodec/sanm.c in FFmpeg before 1.1.2 allow remote attackers to
have an unspecified impact via crafted image dimensions in LucasArts
Smush video data, which triggers an out-of-bounds array access.



======================================================
Name: CVE-2013-0863
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0863
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=62c9beda0c189db5cb61fa772057e3af9521f293
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=89e16e675d3cbe76cf4581f98bf4ac300cab0286
Reference: CONFIRM:http://www.ffmpeg.org/security.html

Buffer overflow in the rle_decode function in libavcodec/sanm.c in
FFmpeg before 1.0.4 and 1.1.x before 1.1.2 allows remote attackers to
have an unspecified impact via crafted LucasArts Smush video data.



======================================================
Name: CVE-2013-0864
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0864
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=9547034f9120187e23ad76424dd4d70247e62212
Reference: CONFIRM:http://www.ffmpeg.org/security.html

The gif_copy_img_rect function in libavcodec/gifdec.c in FFmpeg before
1.1.2 performs an incorrect calculation for an "end pointer," which
allows remote attackers to have an unspecified impact via crafted GIF
data that triggers an out-of-bounds array access.



======================================================
Name: CVE-2013-0865
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0865
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=08e2c7a45f82b897a285548c257972eb1ad352c5
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f3d16706060ab6ae6dc78f15359fab3fd87c9495
Reference: CONFIRM:http://www.ffmpeg.org/security.html

The vqa_decode_chunk function in libavcodec/vqavideo.c in FFmpeg
before 1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an
unspecified impact via a large (1) cbp0 or (2) cbpz chunk in Westwood
Studios VQA Video file, which triggers an out-of-bounds write.



======================================================
Name: CVE-2013-0866
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0866
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=47e462eecc0a47ad40f59376199f93f227e21d13
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c459c7b23efffab762560e41ad6a2c0dbbfd4915
Reference: CONFIRM:http://www.ffmpeg.org/security.html

The aac_decode_init function in libavcodec/aacdec.c in FFmpeg before
1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an
unspecified impact via a large number of channels in an AAC file,
which triggers an out-of-bounds array access.



======================================================
Name: CVE-2013-0867
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0867
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3ef1538121fa6daeb1767510f1d4ae2c306c9fec
Reference: CONFIRM:http://www.ffmpeg.org/security.html

The decode_slice_header function in libavcodec/h264.c in FFmpeg before
1.1.2 does not properly check when the pixel format changes, which
allows remote attackers to have unspecified impact via crafted H.264
video data, related to an out-of-bounds array access.



======================================================
Name: CVE-2013-0868
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0868
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=6baa54924980e1f0e8121e4715d16ed1adcd2a23
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=75e88db33013eaa7ab74457f5556df677b4ffb42
Reference: CONFIRM:http://www.ffmpeg.org/security.html

libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers
to have an unspecified impact via crafted Huffyuv data, related to an
out-of-bounds write and (1) unchecked return codes from the init_vlc
function and (2) "len==0 cases."



======================================================
Name: CVE-2013-0869
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0869
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130107
Category: 
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=eaa9d2cd6b8c1e2722d5bfc56ea67fde865200ce
Reference: CONFIRM:http://www.ffmpeg.org/security.html

The field_end function in libavcodec/h264.c in FFmpeg before 1.1.2
allows remote attackers to have an unspecified impact via crafted
H.264 data, related to an SPS and slice mismatch and an out-of-bounds
array access.





Reproducible: 

Steps to Reproduce:

Oden Eriksson 2013-11-24 11:18:27 CET

Source RPM: (none) => ffmpeg

Comment 1 Oden Eriksson 2013-11-24 11:19:32 CET

Adding all these CVEs in this bug and worry about dupes or if it's been fixed later.

Comment 2 David Walser 2013-11-24 18:21:52 CET

It doesn't appear that any of those CVEs are relevant for us, as we already have versions 1.1.5 in Mageia 3 and 2.0.2 in Cauldron.  That being said, I've meant to update ffmpeg just because, and forgot to do so before Mageia 2 closed.  You might want to update to 0.10.10 that I just checked into Mageia 2 SVN for MBS.  For Mageia 3, we should update to 1.1.7 that I just checked into SVN.  It has apparently become impossible to find information on security fixes in ffmpeg, so it'd probably just be a MGAA announced as a bugfix update, unless you have more information.

Comment 3 Oden Eriksson 2013-11-26 11:36:55 CET

http://ffmpeg.org/security.html does not say much.

Comment 4 David Walser 2013-11-26 14:28:40 CET

(In reply to Oden Eriksson from comment #3)
> http://ffmpeg.org/security.html does not say much.

No and it's never up to date, but at least their git commit messages used to identify the CVEs being fixed.  They don't do that anymore.

Comment 5 Oden Eriksson 2013-11-26 14:49:46 CET

In the #ffmpeg-devel channel:

<oden> hello. trying to understand what security fixes has been fixed in 0.10 since 0.10.6 to 0.10.10. http://ffmpeg.org/security.html does not say.
<michaelni> oden, ill try to update the page, but 0.10 is quite old

Comment 6 Oden Eriksson 2013-11-26 16:07:41 CET

(In reply to Oden Eriksson from comment #5)
> In the #ffmpeg-devel channel:
> 
> <oden> hello. trying to understand what security fixes has been fixed in
> 0.10 since 0.10.6 to 0.10.10. http://ffmpeg.org/security.html does not say.
> <michaelni> oden, ill try to update the page, but 0.10 is quite old

<michaelni> oden, security page updated, ill add CVE# where they are missing as soon as they are assigned

Comment 7 Oden Eriksson 2013-11-26 16:11:59 CET

http://www.openwall.com/lists/oss-security/2013/11/26/7 <- for FFmpeg 2.1

Comment 8 Oden Eriksson 2013-11-26 16:32:06 CET

(In reply to Oden Eriksson from comment #6)
> (In reply to Oden Eriksson from comment #5)
> > In the #ffmpeg-devel channel:
> > 
> > <oden> hello. trying to understand what security fixes has been fixed in
> > 0.10 since 0.10.6 to 0.10.10. http://ffmpeg.org/security.html does not say.
> > <michaelni> oden, ill try to update the page, but 0.10 is quite old
> 
> <michaelni> oden, security page updated, ill add CVE# where they are missing
> as soon as they are assigned

<michaelni> oden, there where some things backported that may or may not be security relevant, for example a infinite loop fix, also there was some fixes merged from libav that i belive where redundant and fixed previously. also i dont think any ffmpeg version or fork from the 0.10 times is completely free of security issues

Comment 9 David Walser 2014-02-10 00:14:01 CET

I've ffmpeg to versions 1.1.8 for Mageia 3 and 2.0.3 for Mageia 4.

I don't know what all security vulnerabilities were fixed since 1.1.5, as they don't usually tag commits with CVEs anymore.  Version 1.1.8 has commits that indicate CVE-2012-6617 and CVE-2013-0845, so we at least have those two, but I don't want to include an incomplete list in the advisory.  If anyone can obtain more information about this, we could enhance the advisory.

This bug will be for the Mageia 3 update, and we'll use Bug 12698 for the Mageia 4 update.

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

This updates provides ffmpeg version 1.1.8, which fixes several unspecified
security vulnerabilities and other bugs which were corrected upstream.

References:
http://git.videolan.org/?p=ffmpeg.git;a=log;h=n1.1.8
http://ffmpeg.org/olddownload.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-1.1.8-1.mga3
libavcodec54-1.1.8-1.mga3
libpostproc52-1.1.8-1.mga3
libavformat54-1.1.8-1.mga3
libavutil52-1.1.8-1.mga3
libswscaler2-1.1.8-1.mga3
libavfilter3-1.1.8-1.mga3
libswresample0-1.1.8-1.mga3
libffmpeg-devel-1.1.8-1.mga3
libffmpeg-static-devel-1.1.8-1.mga3

from ffmpeg-1.1.8-1.mga3.src.rpm

Assignee: bugsquad => qa-bugs

David Walser 2014-02-10 00:14:37 CET

Summary: Multiple vulnerabilities in ffmpeg => ffmpeg update to 1.1.8

Comment 10 Samuel Verschelde 2014-02-10 16:49:49 CET

Basic testing procedure at https://bugs.mageia.org/show_bug.cgi?id=8065#c6

Don't forget to test packages from both core and tainted.

CC: (none) => stormi
Whiteboard: (none) => has_procedure

Comment 11 Rémi Verschelde 2014-02-13 16:01:21 CET

Testing complete Mageia 3 x86_64.

CC: (none) => remi
Whiteboard: has_procedure => has_procedure MGA3-64-OK

Comment 12 claire robinson 2014-02-13 16:19:18 CET

Testing mga3 32

Comment 13 claire robinson 2014-02-13 16:37:41 CET

Testing complete mga3 32

Whiteboard: has_procedure MGA3-64-OK => has_procedure mga3-32-ok MGA3-64-OK

Comment 14 claire robinson 2014-02-13 17:10:38 CET

Advisory uploaded. Validating.

Could sysadmin please push to 3 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok MGA3-64-OK => has_procedure advisory mga3-32-ok MGA3-64-OK
CC: (none) => sysadmin-bugs

Comment 15 Thomas Backlund 2014-02-13 21:07:25 CET

Update pushed:
http://advisories.mageia.org/MGASA-2014-0066.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-02-14 18:50:40 CET

URL: (none) => http://lwn.net/Vulnerabilities/586334/
CC: (none) => luigiwalser