| Summary: | [Update Request] Update ffmpeg to fix several security issues | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Funda Wang <fundawang> |
| Component: | Security | Assignee: | Funda Wang <fundawang> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | anssi.hannula, doktor5000, luigiwalser, marja11, qa-bugs, shlomif |
| Version: | 1 | Keywords: | TRACKER |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | ffmpeg-0.6.6-0.1.mga1 | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 6483, 6484, 6485, 6486, 6955, 6956 | | |
| Bug Blocks: | | | |
Description
Funda Wang
2012-06-12 11:15:38 CEST
gstreamer0.10-ffmpeg, mplayer, and avidemux should also be updated if we are updating ffmpeg. See the tracker bug for the previous ffmpeg update (Bug 4146). We should also make separate bugs for QA for these different packages. CC:
(none) =>
luigiwalser

Also, I don't believe the list of CVEs you listed for blender/ffmpeg 0.5.10 is correct. That looks like the CVE list from ffmpeg 0.5.8. The upstream changelogs show the following.

For ffmpeg 0.5.10, included in the blender update [1]:

- dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951)
- h264: Add check for invalid chroma_format_idc (CVE-2012-0851)
- adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852)
- kmvc: Check palsize (CVE-2011-3952)
- several other bugfixes

For ffmpeg 0.6.6, which will affect mplayer, gstreamer0.10-ffmpeg, and avidemux also once they are built, we have [2]:

- dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
- vqavideo: return error if image size is not a multiple of block size (CVE-2012-0947)
- dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951)
- aacsbr: prevent out of bounds memcpy() (CVE-2012-0850)
- h264: Add check for invalid chroma_format_idc (CVE-2012-0851)
- adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852)
- shorten: check for realloc failure (CVE-2012-0858)
- shorten: Use separate pointers for the allocated memory for decoded samples (CVE-2012-0858)
- kmvc: Check palsize (CVE-2011-3952)
- several other bugfixes

Unfortunately the ffmpeg 0.10.4 changelog [3] (which would affect Mageia 2) has no helpful information, so I don't know if we need an update there.

[1] - http://git.videolan.org/?p=ffmpeg.git;a=blob;f=Changelog;h=3a66ab0b888799d3f0b48fea868c85f3e6454c05;hb=9eaec5b8f010c805fd8e77216a1ec67eb20b1466
[2] - http://git.videolan.org/?p=ffmpeg.git;a=blob;f=Changelog;h=6f753216f5383eb296802efe1dbd3eea0ed589af;hb=62133b38ed043b57eeecbe7fc8b6f187fd92e5e0
[3] - http://git.videolan.org/?p=ffmpeg.git;a=blob;f=Changelog;h=17ca5c9e3881ffa4fc040bef5f7d2868f9b84836;hb=8c0c0e9eb3341fe42a2a9315cef5af21e94c4855
David Walser
2012-06-12 14:41:09 CEST
CC:
(none) =>
doktor5000
David Walser
2012-06-12 14:41:52 CEST
CC:
(none) =>
shlomif
Manuel Hiebel
2012-06-14 13:06:22 CEST
Component:
RPM Packages =>
Security

This doesn't seem ready for QA yet?

Indeed, and I didn't know Funda wasn't even CC'd on this :o( I'll assign back to him.

CC:
(none) =>
qa-bugs

When it's ready could you create separate bugs for blender, avidemux etc. please.

Digging through the git logs, it looks like in the 0.10 branch, previous fixes for CVE-2012-0851 and CVE-2011-3937 were accidentally reverted, and they were put back in 0.10.4. So that means we need to update ffmpeg in Mageia 2 as well.

- h264: Add check for invalid chroma_format_idc (CVE-2012-0851)
- h263dec: Disallow width/height changing with frame threads (CVE-2011-3937)

Do we have any packages in Mageia 2 still building an internal copy of ffmpeg?

Ugh, it looks like avidemux comes with an internal copy of ffmpeg-0.9. The following CVEs have been fixed since; the current 0.9 is 0.9.2.

- vqavideodev: Check image dimensions, fixes out of heap array read (CVE-2012-0947)
- vorbis: make sure ch is non zero before calling vorbis_residue_decode (CVE-2011-3895)
- ogg: Avoid the possibility to read out-of-bounds of a static global array in Vorbis decoding (CVE-2011-3893)
- mkv: Fix a bug where a pointer was cached to an array that might later move due to a realloc() (CVE-2011-3893)

We should update its internal copy to that if it can't build against system 0.10.
David Walser
2012-06-16 21:22:32 CEST
CC:
(none) =>
anssi.hannula

For ffmpeg 0.6.6, here's a more complete CVE list:

- nsvdec: Fix use of uninitialized streams, Be more careful with av_malloc(), nsvdec: Propagate errors (CVE-2011-3940)
- dv: Fix small stack overread, check stype, Fix null pointer dereference due to ach=0 (CVE-2011-3929 and CVE-2011-3936)
- atrac3: Fix crash in tonal component decoding (CVE-2012-0853)
- mjpegbdec: Fix overflow in SOS (CVE-2011-3947)
- kgv1dec: Increase offsets array size so it is large enough (CVE-2011-3945)
- vqavideo: return error if image size is not a multiple of block size (CVE-2012-0947)
- dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951)
- aacsbr: prevent out of bounds memcpy() (CVE-2012-0850)
- h264: Add check for invalid chroma_format_idc (CVE-2012-0851)
- adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852)
- shorten: check for realloc failure (CVE-2012-0858)
- shorten: Use separate pointers for the allocated memory for decoded samples (CVE-2012-0858)
- kmvc: Check palsize (CVE-2011-3952)
- several other bugfixes
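The changelog entries in this comment, and the 0.9.2 entries quoted earlier in the thread (vqavideo image-dimension check, mkv pointer cached across a realloc()), describe one recurring pattern in media-decoder hardening: header-derived values are validated before they size or index a buffer, and allocation results are checked before the old pointer is discarded. The C fragment below is an added illustration of that pattern; it is not FFmpeg's code and not part of this bug or its fixes. The helpers frame_dims_ok, grow_samples and grow_from_empty, the MAX_DIM cap and the sample headers are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed upper bound on a frame edge; a real decoder takes this from
 * the format's own limits. Hypothetical value for this example. */
#define MAX_DIM 16384

/* Validate frame dimensions against the block size before any buffer is
 * sized from them. Returns 0 if a block-based decoder can index the frame
 * safely, -1 otherwise. Hypothetical helper, not FFmpeg's API. */
int frame_dims_ok(int width, int height, int block_w, int block_h)
{
    if (block_w <= 0 || block_h <= 0)
        return -1;                  /* avoids division by zero below */
    if (width <= 0 || height <= 0 || width > MAX_DIM || height > MAX_DIM)
        return -1;                  /* bounded, so width * height cannot wrap */
    if (width % block_w != 0 || height % block_h != 0)
        return -1;                  /* a partial block would be read past the frame */
    return 0;
}

/* Grow a sample buffer to hold at least `needed` samples. On failure the
 * caller's pointer and capacity are untouched: the new address goes into a
 * separate variable first, so a NULL from realloc() never overwrites the
 * only reference to the old block. Returns 0 on success, -1 on failure. */
int grow_samples(int16_t **buf, size_t *cap, size_t needed)
{
    if (needed <= *cap)
        return 0;
    size_t newcap = *cap ? *cap : 16;
    while (newcap < needed) {
        if (newcap > SIZE_MAX / 2)
            return -1;              /* doubling would wrap */
        newcap *= 2;
    }
    if (newcap > SIZE_MAX / sizeof(int16_t))
        return -1;                  /* byte count would wrap */
    int16_t *tmp = realloc(*buf, newcap * sizeof(int16_t));
    if (tmp == NULL)
        return -1;                  /* *buf is still valid and still owned by the caller */
    *buf = tmp;
    *cap = newcap;
    return 0;
}

/* Start from an empty buffer and grow it once; returns the capacity reached,
 * or -1 if the request was refused. Used by main() below and by tests. */
long grow_from_empty(size_t needed)
{
    int16_t *buf = NULL;
    size_t cap = 0;
    long result = grow_samples(&buf, &cap, needed) == 0 ? (long)cap : -1;
    free(buf);                      /* still NULL after a refused request, harmless */
    return result;
}

int main(void)
{
    /* Constructed headers: a 320x200 frame with 8x8 blocks, and one whose
     * width is one pixel past a block boundary. */
    printf("320x200 / 8x8: %s\n", frame_dims_ok(320, 200, 8, 8) == 0 ? "ok" : "rejected");
    printf("321x200 / 8x8: %s\n", frame_dims_ok(321, 200, 8, 8) == 0 ? "ok" : "rejected");
    printf("grow to 100 samples: capacity %ld\n", grow_from_empty(100));
    printf("grow to SIZE_MAX samples: %ld\n", grow_from_empty(SIZE_MAX));
    return 0;
}
```

The two checks are deliberately separate from the decode loop: rejecting the header up front means no later code has to reason about a partial block, and taking the realloc() result into `tmp` is what lets the caller free the original buffer on failure instead of leaking it or dereferencing NULL.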
David Walser
2012-06-17 00:15:16 CEST
Depends on:
(none) =>
6483
David Walser
2012-06-17 00:26:19 CEST
Depends on:
(none) =>
6484
David Walser
2012-06-17 00:33:45 CEST
Depends on:
(none) =>
6485
David Walser
2012-06-17 01:02:28 CEST
Depends on:
(none) =>
6486

OK I've converted this into a tracking bug. Here's the current status.

Mageia 1:
ffmpeg - Bug 6484
mplayer - Bug 6483
blender - Bug 6485
gstreamer0.10-ffmpeg - not fixed
avidemux - not fixed (needs fixes from ffmpeg 0.6.6)

Mageia 2:
ffmpeg - Bug 6486
avidemux - not fixed (needs fixes from ffmpeg 0.9.2)

(In reply to comment #10)
> OK I've converted this into a tracking bug. Here's the current status.
>

setting TRACKER keyword

Keywords:
(none) =>
TRACKER

Apparently gstreamer0.10-ffmpeg was changed to use external ffmpeg in the previous update (Bug 4152). If so, all that needs fixing is avidemux.

I'm looking through the avidemux 2.5.6 (from Mageia 2/Cauldron) tarball, and I don't see any ffmpeg code. However, I saw this in the avidemux 2.5.6 release announcement [1]:

*Updated the FFmpeg libraries (version 0.9)

Am I missing something?

[1] - http://fixounet.free.fr/avidemux/news.html

Looking at the avidemux from Mageia 1 ChangeLog, it's missing the fixes from ffmpeg 0.6.5 (included in the previous mplayer update in January) as well.

(In reply to comment #13)
> I'm looking through the avidemux 2.5.6 (from Mageia 2/Cauldron) tarball, and I
> don't see any ffmpeg code. However, I saw this in the avidemux 2.5.6 release
> announcement [1]:
> *Updated the FFmpeg libraries (version 0.9)
>
> Am I missing something?
>
> [1] - http://fixounet.free.fr/avidemux/news.html

It's a bundled tarball in avidemux/ADM_libraries (thanks Florian).
David Walser
2012-08-05 02:38:45 CEST
Depends on:
(none) =>
6955
David Walser
2012-08-05 02:38:51 CEST
Depends on:
(none) =>
6956

Final list.

Mageia 1:
ffmpeg - Bug 6484
mplayer - Bug 6483
blender - Bug 6485
avidemux - Bug 6955

Mageia 2:
ffmpeg - Bug 6486
avidemux - Bug 6956

All better now :o)

Status:
NEW =>
RESOLVED