| Summary: | ffmpeg new security issues fixed in 2.8 branch | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | sysadmin-bugs, tarazed25, tmb |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/666134/ | ||
| Whiteboard: | MGA5-64-OK MGA5-32-OK advisory | ||
| Source RPM: | ffmpeg-2.4.9-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-11-29 23:30:47 CET

David Walser
2015-11-30 18:57:54 CET
URL: (none) => http://lwn.net/Vulnerabilities/666134/

Some more CVEs: http://lwn.net/Vulnerabilities/669407/
From this openSUSE advisory from December 27: http://lists.opensuse.org/opensuse-updates/2015-12/msg00118.html

There are also more CVEs fixed in 2.8.4.

FFmpeg 2.4.12 has been released on December 10, with all the latest security fixes.

Updated packages uploaded for Mageia 5. Note that there are core and tainted builds for this package.

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

The update_dimensions function in libavcodec/vp8.c in FFmpeg before 2.4.12, as used in Google Chrome before 46.0.2490.71 and other products, relies on a coefficient-partition count during multi-threaded operation, which allows remote attackers to cause a denial of service (race condition and memory corruption) or possibly have unspecified other impact via a crafted WebM file (CVE-2015-6761).

The decode_ihdr_chunk function in libavcodec/pngdec.c in FFmpeg before 2.4.11 does not enforce uniqueness of the IHDR (aka image header) chunk in a PNG image, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted image with two or more of these chunks (CVE-2015-6818).

The ff_sbr_apply function in libavcodec/aacsbr.c in FFmpeg before 2.4.11 does not check for a matching AAC frame syntax element before proceeding with Spectral Band Replication calculations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted AAC data (CVE-2015-6820).

The ff_mpv_common_init function in libavcodec/mpegvideo.c in FFmpeg before 2.4.11 does not properly maintain the encoding context, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via crafted MPEG data (CVE-2015-6821).

The destroy_buffers function in libavcodec/sanm.c in FFmpeg before 2.4.11 does not properly maintain height and width values in the video context, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via crafted LucasArts Smush video data (CVE-2015-6822).

The allocate_buffers function in libavcodec/alac.c in FFmpeg before 2.4.11 does not initialize certain context data, which allows remote attackers to cause a denial of service (segmentation violation) or possibly have unspecified other impact via crafted Apple Lossless Audio Codec (ALAC) data (CVE-2015-6823).

The sws_init_context function in libswscale/utils.c in FFmpeg before 2.4.11 does not initialize certain pixbuf data structures, which allows remote attackers to cause a denial of service (segmentation violation) or possibly have unspecified other impact via crafted video data (CVE-2015-6824).

The ff_frame_thread_init function in libavcodec/pthread_frame.c in FFmpeg before 2.4.11 mishandles certain memory-allocation failures, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via a crafted file, as demonstrated by an AVI file (CVE-2015-6825).

The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c in FFmpeg before 2.4.11 does not initialize certain structure members, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via crafted RV30 or RV40 RealVideo data (CVE-2015-6826).

The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg before 2.4.12 omits certain width and height checks, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted MJPEG data (CVE-2015-8216).

The init_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.4.12 does not enforce minimum-value and maximum-value constraints on tile coordinates, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data (CVE-2015-8219).

The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in FFmpeg before 2.4.12 does not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via a crafted image with two or more of these markers (CVE-2015-8363).

Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi.c in FFmpeg before 2.4.12 allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via crafted image dimensions in Indeo Video Interactive data (CVE-2015-8364).

The smka_decode_frame function in libavcodec/smacker.c in FFmpeg before 2.4.12 does not verify that the data size is consistent with the number of channels, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Smacker data (CVE-2015-8365).

The h264_slice_header_init function in libavcodec/h264_slice.c in FFmpeg before 2.4.12 does not validate the relationship between the number of threads and the number of slices, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted H.264 data (CVE-2015-8661).

The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.4.12 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data (CVE-2015-8662).

The ff_get_buffer function in libavcodec/utils.c in FFmpeg before 2.4.12 preserves width and height values after a failure, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted .mov file (CVE-2015-8663).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6818
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6820
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6821
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6822
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6823
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6824
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6825
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6826
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8661
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8663
http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=n2.4.12
http://ffmpeg.org/download.html
http://ffmpeg.org/security.html
========================

Updated packages in {core,tainted}/updates_testing:
========================

ffmpeg-2.4.12-1.mga5
libavcodec56-2.4.12-1.mga5
libpostproc53-2.4.12-1.mga5
libavformat56-2.4.12-1.mga5
libavutil54-2.4.12-1.mga5
libswscaler3-2.4.12-1.mga5
libavfilter5-2.4.12-1.mga5
libswresample1-2.4.12-1.mga5
libffmpeg-devel-2.4.12-1.mga5
libffmpeg-static-devel-2.4.12-1.mga5

from ffmpeg-2.4.12-1.mga5.src.rpm

Assignee: shlomif => qa-bugs

LWN reference for the last three CVEs: http://lwn.net/Vulnerabilities/671740/
from this openSUSE advisory on January 12: http://lists.opensuse.org/opensuse-updates/2016-01/msg00025.html

mga5 x86_64 Mate
```
$ urpmq --whatrequires ffmpeg | sort | uniq > list
$ cat list
2mandvd
devede
dvdstyler
fdesktoprecorder
feff
ffdiaporama
ffmpeg
ffmulticonverter
imagination
kdenlive
kino
kmediafactory
konvertible
luciole
miro
mythtv-plugin-archive
ps3mediaserver
pymecavideo
synfig
videoconvert
winff
xvidcap
zoneminder
```
No experience with any of these so picked out kino and ffmpeg.
Ran the tests below before and after the two sets of updates (Core and Tainted).
Disabled Tainted Release and Tainted Updates and ran MageiaUpdate. Nothing turned up so:
```
# urpmi --downgrade ffmpeg
```
This removed some packages and offered ffmpeg-2.4.9-1.mga5.x86_64. Installed that and experimented with kino and used ffmpeg to convert an mp4 file to avi. Both looked OK although, as before, the avi file looked a little pixelated.
Enabled Core Updates Testing and installed ffmpeg-2.4.12-1 which pulled in all the other packages listed except development packages. Installed those afterwards, another 37 packages.
Used kino to open an m4v file, import to DV and run under PAL. Frame-stepping, random indexing on timeline, rewind, saving still frame and save project all worked. I think the important bit here is the importing of a file to DV (Direct Video?).
```
$ ffmpeg -i Lauren.m4v Lauren.avi
ffmpeg version 2.4.9 Copyright (c) 2000-2015 the FFmpeg developers
  built on May 17 2015 20:05:51 with gcc 4.9.2 (GCC)
  configuration: --prefix=/usr --enable-shared --libdir=/usr/lib64 --shlibdir=/usr/lib64 --incdir=/usr/include --disable-stripping --enable-postproc --enable-gpl --enable-pthreads --enable-libtheora --enable-libvorbis --disable-encoder=vorbis --enable-libvpx --enable-x11grab --enable-runtime-cpudetect --enable-libdc1394 --enable-libschroedinger --enable-librtmp --enable-libspeex --enable-libfreetype --enable-libnut --enable-libgsm --enable-libcelt --enable-libopus --disable-libopencv --enable-libopenjpeg --enable-libtwolame --enable-libxavs --enable-frei0r --enable-libmodplug --enable-libass --enable-gnutls --enable-libcdio --enable-libpulse --enable-libv4l2 --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-version3 --enable-libx264 --enable-libvo-aacenc --enable-libvo-amrwbenc --enable-libxvid
  libavutil      54.  7.100 / 54.  7.100
  libavcodec     56.  1.100 / 56.  1.100
  libavformat    56.  4.101 / 56.  4.101
  libavdevice    56.  0.100 / 56.  0.100
  libavfilter     5.  1.100 /  5.  1.100
  libswscale      3.  0.100 /  3.  0.100
  libswresample   1.  1.100 /  1.  1.100
  libpostproc    53.  0.100 / 53.  0.100
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'Lauren.m4v':
  Metadata:
    major_brand     : M4V
    minor_version   : 1
    compatible_brands: M4V M4A mp42isom
..........
Stream mapping:
  Stream #0:1 -> #0:0 (h264 (native) -> mpeg4 (native))
  Stream #0:0 -> #0:1 (aac (native) -> mp3 (libmp3lame))
Press [q] to stop, [?] for help
frame= 488 fps=0.0 q=24.8 size= 1143kB time=00:00:16.90 bitrate= 554.0kbits/frame= 938 fps=937 q=24.8 size= 1953kB time=00:00:31.89 bitrate= 501.6kbits/frame= 1399 fps=932 q=31.0 size= 2719kB time=00:00:47.25 bitrate= 471.4kbits/frame= 1870 fps=934 q=31.0 size= 3785kB time=00:01:02.90 bitrate= 492.9kbits/frame= 2147 fps=952 q=31.0 Lsize= 4342kB time=00:01:11.81 bitrate= 495.3kbits/s
video:3094kB audio:1122kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 2.977621%
```
The input file was converted and played OK if a little pixelated.
Repeated all this with Tainted Release/Updates and Tainted Updates Testing enabled. Both kino and ffmpeg worked as before.
Within the limits of my knowledge ffmpeg looks OK for Core and Tainted release.
CC: (none) => tarazed25

Len Lawrence
2016-01-14 16:53:53 CET
Whiteboard: (none) => MGA5-64-OK

mga5 i586 vbox Mate
Installed the tainted packages and tested them as above. Looks OK. However I have not managed to get back to the Core Release version; in spite of disabling the tainted repositories downgrading always offers the tainted ffmpeg.
Right - done it. Installed the Core Updates Testing packages and successfully converted a video file from one format to another. OK then for 32-bits. Validating this.

Len Lawrence
2016-01-14 18:55:59 CET
Keywords: (none) => validated_update

Len Lawrence
2016-01-14 18:56:53 CET
Whiteboard: MGA5-64-OK MGA-32-OK => MGA5-64-OK MGA5-32-OK advisory

added to svn
CC: (none) => tmb

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0018.html
Status: NEW => RESOLVED

LWN reference for the remaining CVEs: http://lwn.net/Vulnerabilities/672075/
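The duplicate-IHDR defect listed in the advisory above (CVE-2015-6818 in libavcodec/pngdec.c) belongs to a class of parser bug that can be screened for before a file ever reaches the decoder. The validator below is an added example, not code from this bug report or from FFmpeg; it walks the chunks of a PNG byte string, verifies lengths and CRCs, and reports any chunk type that the PNG specification allows only once, using a constructed sample file (the `SINGLE_OCCURRENCE` set and the `sample_png` builder are assumptions of the example).

```python
import struct
import zlib

# Added example, not FFmpeg code. Assumption: chunk types the PNG spec allows at most once.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
SINGLE_OCCURRENCE = {b"IHDR", b"PLTE", b"IEND", b"gAMA", b"cHRM", b"sRGB"}


def iter_chunks(data):
    """Yield (type, payload) per chunk, checking lengths and CRCs as we go."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header at offset %d" % pos)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("chunk %r runs past end of file" % ctype)
        payload = data[pos + 8:end]
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != struct.unpack(">I", data[end:end + 4])[0]:
            raise ValueError("bad CRC on chunk %r" % ctype)
        yield ctype, payload
        pos = end + 4


def find_duplicate_chunks(data):
    """Return single-occurrence chunk types seen more than once.

    CVE-2015-6818: pngdec.c accepted a second IHDR, so the image dimensions could
    change after buffers were sized for the first one. Reject such files up front.
    """
    seen, duplicates = {}, []
    for index, (ctype, _payload) in enumerate(iter_chunks(data)):
        if index == 0 and ctype != b"IHDR":
            raise ValueError("first chunk must be IHDR, got %r" % ctype)
        seen[ctype] = seen.get(ctype, 0) + 1
        if ctype in SINGLE_OCCURRENCE and seen[ctype] == 2:
            duplicates.append(ctype)
    return duplicates


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def sample_png(duplicate_ihdr=False):
    """Constructed 1x1 8-bit grayscale PNG, optionally with a second IHDR."""
    chunks = [_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))]
    if duplicate_ihdr:  # second header claiming a much larger image
        chunks.append(_chunk(b"IHDR", struct.pack(">IIBBBBB", 4096, 4096, 8, 0, 0, 0, 0)))
    chunks += [_chunk(b"IDAT", zlib.compress(b"\x00\x00")), _chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(chunks)
```

The same shape of check (count the header, refuse the second one) applies to the duplicate SIZ marker case in JPEG 2000 (CVE-2015-8363) from the same advisory.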