Bug 6486

Summary: ffmpeg new security issues fixed in 0.10.4 [mga2]
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: balaton, fundawang, lemonzest, sysadmin-bugs, tmb, warrendiogenese
Version: 2
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: mga2-64-OK, mga2-32-OK
Source RPM: ffmpeg-0.10.3-1.mga2.src.rpm
CVE:
Status comment:
Bug Depends on: 2317
Bug Blocks: 6427

Description David Walser 2012-06-17 01:01:30 CEST
ffmpeg 0.10.4 was released on June 9th, fixing two security issues.

It was committed to SVN by Funda Wang, and I submitted it to the build system.

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

* h264: Add check for invalid chroma_format_idc (CVE-2012-0851)

* h263dec: Disallow width/height changing with frame threads
           (CVE-2011-3937)

These issues had been fixed in previous ffmpeg releases, but the fixes
were accidentally reverted before 0.10.3.  This updates ffmpeg to
0.10.4 which fixes these issues again and fixes other bugs as well.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0851
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-0.10.4-1.mga2
libavcodec53-0.10.4-1.mga2
libpostproc52-0.10.4-1.mga2
libavformat53-0.10.4-1.mga2
libavutil51-0.10.4-1.mga2
libswscaler2-0.10.4-1.mga2
libavfilter2-0.10.4-1.mga2
libswresample0-0.10.4-1.mga2
libffmpeg-devel-0.10.4-1.mga2
libffmpeg-static-devel-0.10.4-1.mga2

from ffmpeg-0.10.4-1.mga2.src.rpm

David Walser 2012-06-17 01:02:11 CEST

CC: sysadmin-bugs => (none)
Component: Release (media or process) => Security

David Walser 2012-06-17 01:02:28 CEST

CC: (none) => fundawang
Blocks: (none) => 6427

Comment 1 claire robinson 2012-06-19 13:24:05 CEST
No PoC's

Comment 2 Simon Putt 2012-06-19 14:33:27 CEST
Been working ok for the little transcoding jobs I've been doing (mostly phone movies to mp4)

CC: (none) => lemonzest

Comment 3 Zoltan Balaton 2012-06-25 23:58:15 CEST
Found a test file for CVE-2012-0851 here:
http://ffmpeg.org/trac/ffmpeg/ticket/758
pointed to by this message:
http://www.openwall.com/lists/oss-security/2012/02/14/4

My 0.10.3-1 version ffmpeg on mga2 x86_64 did not crash but gave a lot of error messages to this file. I can't test the update though because I'm using a locally compiled ffmpeg package which is slightly different (to remove some dependencies I don't like).

CC: (none) => balaton

claire robinson 2012-06-29 14:20:27 CEST

Hardware: i586 => All
Summary: ffmpeg new security issues fixed in 0.10.4 => ffmpeg new security issues fixed in 0.10.4 [mga2]

Comment 4 William Murphy 2012-07-01 18:02:46 CEST
Testing on Mageia 2 i586 and x86_64 from both core and tainted repos.

Had the same results as Zoltan for the CVE-2012-0851 test case. 

Tested for Mageia 1 as well and posted details for both in bug 6484, comment 7

Testing for ffmpeg-0.10.4-1.mga2.src.rpm complete.

-------------------------------------------------------------------------------
Update validated.
Thanks.

Advisory:
=========
Updated ffmpeg packages fix security vulnerabilities:

* h264: Add check for invalid chroma_format_idc (CVE-2012-0851)

* h263dec: Disallow width/height changing with frame threads
           (CVE-2011-3937)

These issues had been fixed in previous ffmpeg releases, but the fixes
were accidentally reverted before 0.10.3.  This updates ffmpeg to
0.10.4 which fixes these issues again and fixes other bugs as well.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0851
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-0.10.4-1.mga2
libavcodec53-0.10.4-1.mga2
libpostproc52-0.10.4-1.mga2
libavformat53-0.10.4-1.mga2
libavutil51-0.10.4-1.mga2
libswscaler2-0.10.4-1.mga2
libavfilter2-0.10.4-1.mga2
libswresample0-0.10.4-1.mga2
libffmpeg-devel-0.10.4-1.mga2
libffmpeg-static-devel-0.10.4-1.mga2

from ffmpeg-0.10.4-1.mga2.src.rpm

-------------------------------------------------------------------------------

Could sysadmin please push from {core,tainted}/updates_testing to
{core,tainted}/updates.

SRPMS:
ffmpeg-0.10.4-1.mga2.src.rpm

Keywords: (none) => validated_update
CC: (none) => fcs, sysadmin-bugs
Whiteboard: (none) => mga2-64-OK, mga2-32-OK

Comment 5 Thomas Backlund 2012-07-09 17:15:21 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0143

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 6 claire robinson 2012-07-09 18:23:13 CEST
Sorry Thomas, this is affected by bug 2317 on updates from core/release to tainted updates.

./depcheck lib64avcodec53 "Core Release" "Tainted Updates Testing"
----------------------------------------
Running checks for "lib64avcodec53" using media
"Core Release" and "Tainted Updates Testing".
----------------------------------------
Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is lib64avcodec53-0.10.3-1.mga2
Latest version found in "Tainted Updates Testing" is lib64avcodec53-0.10.4-1.mga2.tainted
----------------------------------------
The following packages will require linking:

lib64lame0-3.99.5-1.mga2.tainted (Tainted Release)
lib64opencore-amr0-0.1.2-3.mga1 (Tainted Release)
lib64vo-aacenc0-0.1.1-2.mga2.tainted (Tainted Release)
lib64vo-amrwbenc0-0.1.1-3.mga2.tainted (Tainted Release)
lib64x264_120-0.120-0.20120306.stable.1.mga2.tainted (Tainted Release)
lib64xvid4-1.3.1-2.mga1 (Tainted Release)
----------------------------------------
Done.

These were spotted early on with mga1 so were never an issue once linked; we have to be aware of them now at this stage of mga2.

Status: RESOLVED => REOPENED
Depends on: (none) => 2317
Resolution: FIXED => (none)

Comment 7 Thomas Backlund 2012-07-09 18:36:19 CEST
Linking done

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 8 claire robinson 2012-07-09 19:47:06 CEST
Some more Thomas, the devel's. I've been through all the rpm's now so this *hopefully* should be all of them. It's still quite a manual process.

Sorry you are being inconvenienced too :(

./depcheck lib64ffmpeg-devel "Core Release" "Tainted Updates Testing"
----------------------------------------
Running checks for "lib64ffmpeg-devel" using media
"Core Release" and "Tainted Updates Testing".
----------------------------------------
Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is lib64ffmpeg-devel-0.10.3-1.mga2
Latest version found in "Tainted Updates Testing" is lib64ffmpeg-devel-0.10.4-1.mga2.tainted
----------------------------------------
The following packages will require linking:

lib64lame-devel-3.99.5-1.mga2.tainted (Tainted Release)
lib64opencore-amr-devel-0.1.2-3.mga1 (Tainted Release)
lib64vo-aacenc-devel-0.1.1-2.mga2.tainted (Tainted Release)
lib64vo-amrwbenc-devel-0.1.1-3.mga2.tainted (Tainted Release)
lib64x264-devel-0.120-0.20120306.stable.1.mga2.tainted (Tainted Release)
lib64xvid-devel-1.3.1-2.mga1 (Tainted Release)
----------------------------------------
Done.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 9 Thomas Backlund 2012-07-09 23:45:23 CEST
devel packages linked

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED