Bug 10506 - [Update Request] update ffmpeg to fix several security vulnerabilities
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: All Linux
Priority: Normal Severity: normal
Assigned To: QA Team
QA Contact: Sec team
Whiteboard: has_procedure MGA3-32-OK MGA3-64-OK
Keywords: validated_update

Reported: 2013-06-12 12:48 CEST by Funda Wang
Modified: 2014-05-08 18:06 CEST (History)

Source RPM: ffmpeg-1.1.5-1.mga3

Description Funda Wang 2013-06-12 12:48:10 CEST
ffmpeg prior to 1.1.5 contains several security vulnerabilities:

* CVE-2013-3671:
The format_line function in log.c in libavutil uses inapplicable offset data during a certain category calculation, which allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via crafted data that triggers a log message.

* CVE-2013-3672:
The mm_decode_inter function in mmvideo.c in libavcodec does not validate the relationship between a horizontal coordinate and a width value, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted American Laser Games (ALG) MM Video data.

* CVE-2013-3673:
The gif_decode_frame function in gifdec.c in libavcodec does not properly manage the disposal methods of frames, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted GIF data.

* CVE-2013-3674:
The cdg_decode_frame function in cdgraphics.c in libavcodec does not validate the presence of non-header data in a buffer, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted CD Graphics Video data.

The ffmpeg packages have been updated to fix the above security vulnerabilities, with extra bug fixes.
Comment 1 Oden Eriksson 2013-06-12 12:59:33 CEST
======================================================
Name: CVE-2013-3670
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3670
Assigned: 20130524
Reference: MISC:http://ffmpeg.org/security.html
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=0baa0a5a02e16ef097ed9f72bc8a7d7b585c7652
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c1f2c4c3b49277d65b71ccdd3b6b2878f1b593eb

The rle_unpack function in vmdav.c in libavcodec in FFmpeg git
20130328 through 20130501 does not properly use the bytestream2 API,
which allows remote attackers to cause a denial of service
(out-of-bounds array access and application crash) via crafted RLE
data.  NOTE: the vendor has listed this as an issue fixed in 1.2.1, but
the issue is actually in new code that was not shipped with the 1.2.1
release or any earlier release.

======================================================
Name: CVE-2013-3671
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3671
Assigned: 20130524
Reference: CONFIRM:http://ffmpeg.org/security.html
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7edb984dd051b6919d7d8471c70499273f31b0fa
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=cc0dd86580b3257f22a4981a79eb5fa6804182b6

The format_line function in log.c in libavutil in FFmpeg before 1.2.1
uses inapplicable offset data during a certain category calculation,
which allows remote attackers to cause a denial of service (invalid
pointer dereference and application crash) via crafted data that
triggers a log message.

======================================================
Name: CVE-2013-3672
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3672
Assigned: 20130524
Reference: CONFIRM:http://ffmpeg.org/security.html
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7fa6db2545643efb4fe2e0bb501fa50af35a6330
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8d3c99e825317b7efda5fd12e69896b47c700303

The mm_decode_inter function in mmvideo.c in libavcodec in FFmpeg
before 1.2.1 does not validate the relationship between a horizontal
coordinate and a width value, which allows remote attackers to cause a
denial of service (out-of-bounds array access and application crash)
via crafted American Laser Games (ALG) MM Video data.

======================================================
Name: CVE-2013-3673
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3673
Assigned: 20130524
Reference: CONFIRM:http://ffmpeg.org/security.html
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7ee5e97c46e30fb3d6f9f78cc3313dbc06528b37
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=d23b8462b5a4a9da78ed45c4a7a3b35d538df909

The gif_decode_frame function in gifdec.c in libavcodec in FFmpeg
before 1.2.1 does not properly manage the disposal methods of frames,
which allows remote attackers to cause a denial of service
(out-of-bounds array access and application crash) via crafted GIF
data.

======================================================
Name: CVE-2013-3674
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3674
Assigned: 20130524
Reference: CONFIRM:http://ffmpeg.org/security.html
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7ef2dbd2392e3e4d430e0173e1e5c4df9f18b6dd
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=ad002e1a13a8df934bd6cb2c84175a4780ab8942

The cdg_decode_frame function in cdgraphics.c in libavcodec in FFmpeg
before 1.2.1 does not validate the presence of non-header data in a
buffer, which allows remote attackers to cause a denial of service
(out-of-bounds array access and application crash) via crafted CD
Graphics Video data.

======================================================
Name: CVE-2013-3675
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3675
Assigned: 20130524
Reference: CONFIRM:http://ffmpeg.org/security.html
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=524d0d2cfc7bab1b348f85e7c0369859e63781cf
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=9dd04f6d8cdd1c10c28b2cb4252c1a41df581915

The process_frame_obj function in sanm.c in libavcodec in FFmpeg
before 1.2.1 does not validate width and height values, which allows
remote attackers to cause a denial of service (integer overflow,
out-of-bounds array access, and application crash) via crafted
LucasArts Smush video data.
Comment 2 David Walser 2013-06-12 14:25:02 CEST
Where did you all get that list of CVEs?

I only see CVE-2013-2495 being mentioned between 1.1.4 and 1.1.5:
http://git.videolan.org/?p=ffmpeg.git;a=log;h=n1.1.5
Comment 4 claire robinson 2013-06-13 10:49:44 CEST
No PoCs for any of these, so basic ffmpeg checks only
https://bugs.mageia.org/show_bug.cgi?id=8065#c6

Testing mga3 64
Comment 5 claire robinson 2013-06-13 10:50:23 CEST
Could somebody supply a list of SRPMs & RPMs please.
Comment 6 David Walser 2013-06-13 14:30:25 CEST
We'll have to provide a proper advisory later.

Here's the package list.  Note these are in both core and tainted updates_testing.

ffmpeg-1.1.5-1.mga3
libavcodec54-1.1.5-1.mga3
libpostproc52-1.1.5-1.mga3
libavformat54-1.1.5-1.mga3
libavutil52-1.1.5-1.mga3
libswscaler2-1.1.5-1.mga3
libavfilter3-1.1.5-1.mga3
libswresample0-1.1.5-1.mga3
libffmpeg-devel-1.1.5-1.mga3
libffmpeg-static-devel-1.1.5-1.mga3

from ffmpeg-1.1.5-1.mga3.src.rpm
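As an added illustration (not part of this bug thread or of Mageia's tooling), the following script checks installed package names and versions against the fixed package list above, using an rpm-style version comparison. The `rpm -qa`-style input lines are constructed, and epochs are assumed absent, as they are on this page.

```python
import re

# Fixed version/release taken from the package list in this bug (1.1.5-1.mga3).
FIXED_VERSION, FIXED_RELEASE = "1.1.5", "1.mga3"
FIXED_PACKAGES = {
    "ffmpeg", "libavcodec54", "libpostproc52", "libavformat54", "libavutil52",
    "libswscaler2", "libavfilter3", "libswresample0",
    "libffmpeg-devel", "libffmpeg-static-devel",
}

_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings rpm-style; returns -1, 0 or 1.

    Segments are runs of digits or letters (other characters only separate).
    Digits compare by value, a numeric segment beats an alphabetic one, a '~'
    segment sorts before anything, and when one string is a prefix of the
    other, the one with segments left over is newer.
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() or y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign

def audit(installed_lines):
    """Map each installed package from the update set to ('<ver>-<rel>', 'ok'|'vulnerable')."""
    report = {}
    for line in installed_lines:
        parts = line.strip().rsplit("-", 2)   # name-version-release, no epoch
        if len(parts) != 3 or parts[0] not in FIXED_PACKAGES:
            continue
        name, ver, rel = parts
        c = rpmvercmp(ver, FIXED_VERSION) or rpmvercmp(rel, FIXED_RELEASE)
        report[name] = (f"{ver}-{rel}", "ok" if c >= 0 else "vulnerable")
    return report

# Constructed sample of `rpm -qa` output, not captured from a real machine.
SAMPLE = ["ffmpeg-1.1.4-1.mga3", "libavcodec54-1.1.5-1.mga3",
          "libavutil52-1.1.5-2.mga3", "bash-4.2-21.mga3"]

if __name__ == "__main__":
    for name, (evr, status) in audit(SAMPLE).items():
        print(f"{name:<24} {evr:<14} {status}")
```

On a real Mageia 3 host the SAMPLE list would be replaced by the output of `rpm -qa`; a package newer than the fixed release (such as a later rebuild) is reported as ok.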
Comment 7 David Walser 2013-06-13 14:49:24 CEST
Hmm, and http://ffmpeg.org/security.html says CVE-2013-2495 was supposed to have been fixed already in 1.1.4.  Nothing is listed yet for 1.1.5.  Their git is a confusing mess right now.
Comment 8 Adam H 2013-06-13 22:51:01 CEST
Did QA Training with Claire Robinson on this package update

for ffmpeg found in Core Updates Testing, converted:
-wmv to avi
-wmv to mkv
-avi to wmv

for ffmpeg found in Tainted Updates Testing, did all of the above, additionally converted:
-wma to mov 

(per the testing note at https://bugs.mageia.org/show_bug.cgi?id=8065#c6)

I failed to convert to flv, but this was user error only, a failure to specify a valid frame rate.

MGA3-64-OK
Comment 9 Rémi Verschelde 2013-06-22 13:43:16 CEST
Testing mga3 i586 complete.

Followed the same kind of procedure as Adam H in comment 8, testing successfully conversion of various files with both ffmpeg from core and tainted updates_testing (wmv, avi, mkv, mov, flv with various codecs).

@Adam H: You should add "MGA3-64-OK" in the Whiteboard section of the bug report, not in the comment. I did it for you.

Waiting for the advisory to validate the update candidate.
Comment 10 claire robinson 2013-06-25 08:40:27 CEST
Ping for the advisory please David.
Comment 11 David Walser 2013-06-25 12:02:07 CEST
I don't have it.  ffmpeg's security page doesn't have it.  I have no idea where Funda and Oden got their CVE lists from.
Comment 12 claire robinson 2013-06-25 12:36:53 CEST
Thanks anyway David.

Funda can you verify the CVE's fixed by this update and give an updated advisory for us please so we can validate and push this one.

Thanks!
Comment 13 Funda Wang 2013-06-26 04:40:12 CEST
(In reply to claire robinson from comment #12)
> Funda can you verify the CVE's fixed by this update and give an updated
> advisory for us please so we can validate and push this one.
Just see comment#0.
Comment 14 claire robinson 2013-06-26 10:29:24 CEST
Thanks Funda.

Validating. Advisory uploaded

Could sysadmin please push from 3 core/tainted updates testing to updates

Thanks!
Comment 15 Nicolas Vigier 2013-06-26 20:27:42 CEST
http://advisories.mageia.org/MGASA-2013-0182.html