Bug 6485

Summary: blender affected by security issues fixed in ffmpeg 0.5.10
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: cmrisolde, davidwhodgins, fundawang, stormi-mageia, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: has_procedure MGA1-32-OK MGA1-64-OK
Source RPM: blender-2.49b-11.1.mga1.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 5033, 6427    

Description David Walser 2012-06-17 00:33:29 CEST 
ffmpeg 0.5.10 was released on June 9th, fixing some security issues.

blender is built with an internal copy of ffmpeg, which has been updated.

Advisory:
========================

Updated blender package fixes security vulnerabilities:

* dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951)

* h264: Add check for invalid chroma_format_idc (CVE-2012-0851)

* adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852)

* kmvc: Check palsize (CVE-2011-3952)

Blender's internal copy of ffmpeg has been updated to 0.5.10 to fix
these issues, as well as some other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0852
========================

Updated packages in {core,tainted}/updates_testing:
========================
blender-2.49b-11.3.mga1

from blender-2.49b-11.3.mga1.src.rpm
David Walser 2012-06-17 00:33:45 CEST

CC: (none) => fundawang
Blocks: (none) => 6427

Comment 1 David Walser 2012-06-17 00:34:11 CEST 
This update was built by Funda Wang.
David Walser 2012-06-17 02:23:40 CEST

Blocks: (none) => 5033

Comment 2 Samuel Verschelde 2012-07-24 12:36:31 CEST 
Testing procedure: follow http://www.youtube.com/watch?v=caIg7sIX6d4

CC: (none) => stormi

Samuel Verschelde 2012-07-24 12:36:39 CEST

Whiteboard: (none) => has_procedure

Comment 3 Carolyn Rowse 2012-07-28 17:04:47 CEST 
I had a few spare minutes so I thought I'd have a go with Mga1 i586, but the tutorial doesn't match what's on the interface I've got.  I see someone else left a comment underneath that the tutorial's out of date.

Carolyn

CC: (none) => isolde

Comment 4 David Walser 2012-07-28 17:08:02 CEST 
How so?  The blender version hasn't been updated and it seemed to match well enough when Claire and I followed it to QA a previous update of this package.
Comment 5 Carolyn Rowse 2012-07-28 19:35:23 CEST 
The very first thing I was supposed to click on (multires) brought up some options that didn't look anything like in the tutorial and I couldn't work out how to get to where the tutor was.  I haven't got a clue about Blender anyway, which doesn't help.

Unfortunately I won't have time to have another go now.

Carolyn
Comment 6 Samuel Verschelde 2012-08-05 15:08:52 CEST 
After discussing with David, it appears that we don't need to push the tainted build, it belongs to another bug report.
Comment 7 Dave Hodgins 2012-08-05 23:04:43 CEST 
Testing Mageia 1 i586 now.

CC: (none) => davidwhodgins

Comment 8 Dave Hodgins 2012-08-06 00:27:13 CEST 
Testing complete on Mageia 1 i586

Whiteboard: has_procedure => has_procedure MGA1-32-OK

Comment 9 Dave Hodgins 2012-08-06 00:51:26 CEST 
Testing complete on Mageia 1 x86-64.

Could someone on the sysadmin team push the srpm
blender-2.49b-11.3.mga1
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated blender package fixes security vulnerabilities:

* dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951)

* h264: Add check for invalid chroma_format_idc (CVE-2012-0851)

* adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852)

* kmvc: Check palsize (CVE-2011-3952)

Blender's internal copy of ffmpeg has been updated to 0.5.10 to fix
these issues, as well as some other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0852

https://bugs.mageia.org/show_bug.cgi?id=6485

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure MGA1-32-OK => has_procedure MGA1-32-OK MGA1-64-OK

Comment 10 Thomas Backlund 2012-08-06 18:04:26 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0199

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED