Bug 4146

Summary: ffmpeg new security issues CVE-2011-3892, CVE-2011-3893, and CVE-2011-3895 affect other packages
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: doktor5000
Version: 1
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://ffmpeg.org/
Whiteboard:
Source RPM: ffmpeg-0.6.4-0.1.mga1.src.rpm
CVE:
Status comment:
Bug Depends on: 4147, 4152, 4153, 4154, 4157
Bug Blocks:

Description David Walser 2012-01-16 05:29:20 CET
On January 12, ffmpeg issued version 0.6.5 to fix these security issues. We should update to it for Mageia 1. mplayer and blender are also likely affected by these (internal ffmpeg) and would need to be updated as well.

In Cauldron, ffmpeg and mplayer are not affected, but blender may be if its internal ffmpeg hasn't been updated recently.
Comment 1 Florian Hubold 2012-01-16 15:23:26 CET
You forgot gstreamer0.10-ffmpeg and avidemux; all of these carry bundled copies of ffmpeg. Additionally, I've stumbled upon this: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/maverick/ffmpeg/maverick-security/revision/54

Here's a short summary for that advisory:

* CVE-2011-3504: denial of service and possible code execution via
  malformed Matroska file

* CVE-2011-4351: denial of service and possible code execution via
  malformed file containing QDM2 stream

* CVE-2011-4352: denial of service and possible code execution via
  malformed file containing VP3 stream
* CVE-2011-4353: denial of service and possible code execution via
  malformed file containing VP5 or VP6 streams

* CVE-2011-4364: denial of service and possible code execution via
  malformed VMD file

* CVE-2011-4579: denial of service and possible code execution via
  malformed file containing svq1 stream

So the following packages should be checked and updated, and also checked whether the last mplayer update applies to them as well ( http://svnweb.mageia.org/packages?view=revision&revision=194375 ):

- avidemux
- blender
- gstreamer0.10-ffmpeg
- ffmpeg
- mplayer

CC: (none) => doktor5000

Comment 2 David Walser 2012-01-16 15:52:21 CET
OK, Funda Wang has built an update for ffmpeg 0.6.5 and made Bug 4147 for it.

doktor5000 is building an update for this and previous missed updates for avidemux due to its internal ffmpeg. He'll post a bug for that shortly.

Let's use this bug to track the updates for all affected packages.

Summary: ffmpeg new security issues CVE-2011-3892, CVE-2011-3893, and CVE-2011-3895 => ffmpeg new security issues CVE-2011-3892, CVE-2011-3893, and CVE-2011-3895 affect other packages

David Walser 2012-01-16 15:53:07 CET

Depends on: (none) => 4147

David Walser 2012-01-16 16:05:21 CET

Depends on: 4147 => 4152

David Walser 2012-01-16 16:05:38 CET

Depends on: (none) => 4147

Comment 3 David Walser 2012-01-16 16:06:30 CET
gstreamer0.10-ffmpeg is Bug 4152
Comment 4 David Walser 2012-01-16 16:12:13 CET
Blender is Bug 4153

Depends on: (none) => 4153

Comment 5 David Walser 2012-01-16 16:15:26 CET
mplayer is Bug 4154

Depends on: (none) => 4154

Comment 6 Manuel Hiebel 2012-01-16 16:52:35 CET
(In reply to comment #5)
> mplayer is Bug 4154

(You can see that easily with https://bugs.mageia.org/showdependencytree.cgi?id=4146&hide_resolved=1, so no need to add a comment.)
David Walser 2012-01-16 17:03:22 CET

Depends on: (none) => 4157

Comment 7 David Walser 2012-03-21 20:58:50 CET
All better now :o)

Status: NEW => RESOLVED
Resolution: (none) => FIXED