ffmpeg prior to 1.1.5 contains several security vulnerabilities:

* CVE-2013-3671: The format_line function in log.c in libavutil uses inapplicable offset data during a certain category calculation, which allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via crafted data that triggers a log message.
* CVE-2013-3672: The mm_decode_inter function in mmvideo.c in libavcodec does not validate the relationship between a horizontal coordinate and a width value, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted American Laser Games (ALG) MM Video data.
* CVE-2013-3673: The gif_decode_frame function in gifdec.c in libavcodec does not properly manage the disposal methods of frames, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted GIF data.
* CVE-2013-3674: The cdg_decode_frame function in cdgraphics.c in libavcodec does not validate the presence of non-header data in a buffer, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted CD Graphics Video data.

The ffmpeg packages have been updated to fix the above security vulnerabilities, along with extra bug fixes.

Reproducible:

Steps to Reproduce:
======================================================
Name: CVE-2013-3670
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3670
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130524
Category:
Reference: MISC:http://ffmpeg.org/security.html
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=0baa0a5a02e16ef097ed9f72bc8a7d7b585c7652
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c1f2c4c3b49277d65b71ccdd3b6b2878f1b593eb

The rle_unpack function in vmdav.c in libavcodec in FFmpeg git 20130328 through 20130501 does not properly use the bytestream2 API, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted RLE data. NOTE: the vendor has listed this as an issue fixed in 1.2.1, but the issue is actually in new code that was not shipped with the 1.2.1 release or any earlier release.

======================================================
Name: CVE-2013-3671
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3671
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130524
Category:
Reference: CONFIRM:http://ffmpeg.org/security.html
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7edb984dd051b6919d7d8471c70499273f31b0fa
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=cc0dd86580b3257f22a4981a79eb5fa6804182b6

The format_line function in log.c in libavutil in FFmpeg before 1.2.1 uses inapplicable offset data during a certain category calculation, which allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via crafted data that triggers a log message.
======================================================
Name: CVE-2013-3672
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3672
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130524
Category:
Reference: CONFIRM:http://ffmpeg.org/security.html
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7fa6db2545643efb4fe2e0bb501fa50af35a6330
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8d3c99e825317b7efda5fd12e69896b47c700303

The mm_decode_inter function in mmvideo.c in libavcodec in FFmpeg before 1.2.1 does not validate the relationship between a horizontal coordinate and a width value, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted American Laser Games (ALG) MM Video data.

======================================================
Name: CVE-2013-3673
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3673
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130524
Category:
Reference: CONFIRM:http://ffmpeg.org/security.html
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7ee5e97c46e30fb3d6f9f78cc3313dbc06528b37
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=d23b8462b5a4a9da78ed45c4a7a3b35d538df909

The gif_decode_frame function in gifdec.c in libavcodec in FFmpeg before 1.2.1 does not properly manage the disposal methods of frames, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted GIF data.
======================================================
Name: CVE-2013-3674
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3674
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130524
Category:
Reference: CONFIRM:http://ffmpeg.org/security.html
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7ef2dbd2392e3e4d430e0173e1e5c4df9f18b6dd
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=ad002e1a13a8df934bd6cb2c84175a4780ab8942

The cdg_decode_frame function in cdgraphics.c in libavcodec in FFmpeg before 1.2.1 does not validate the presence of non-header data in a buffer, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted CD Graphics Video data.

======================================================
Name: CVE-2013-3675
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3675
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130524
Category:
Reference: CONFIRM:http://ffmpeg.org/security.html
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=524d0d2cfc7bab1b348f85e7c0369859e63781cf
Reference: CONFIRM:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=9dd04f6d8cdd1c10c28b2cb4252c1a41df581915

The process_frame_obj function in sanm.c in libavcodec in FFmpeg before 1.2.1 does not validate width and height values, which allows remote attackers to cause a denial of service (integer overflow, out-of-bounds array access, and application crash) via crafted LucasArts Smush video data.
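As an added illustration, not FFmpeg's code and not part of this bug report, here are the three kinds of decoder input checks whose absence the CVE descriptions above name: a width/height product that can overflow before it sizes a buffer (CVE-2013-3675), a horizontal offset plus run length that can leave the row (CVE-2013-3672), and a header that announces more payload than the buffer holds (CVE-2013-3674). Function names, MAX_DIM and the sample packet are hypothetical and constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

/* Hypothetical helpers (not FFmpeg's API) showing the checks the decoders
 * named above were missing. MAX_DIM is an assumed sane frame-edge bound. */
#define MAX_DIM 16384

/* CVE-2013-3675 class: width*height*bpp must not overflow before it sizes
 * a buffer. Returns 0 and the byte count on success, -1 on rejection. */
int check_dimensions(int w, int h, size_t bpp, size_t *out_bytes)
{
    if (w <= 0 || h <= 0 || w > MAX_DIM || h > MAX_DIM || bpp == 0)
        return -1;
    size_t pixels = (size_t)w * (size_t)h;  /* cannot overflow: both bounded */
    if (pixels > SIZE_MAX / bpp)
        return -1;
    if (out_bytes)
        *out_bytes = pixels * bpp;
    return 0;
}

/* CVE-2013-3672 class: a run of n pixels drawn at column x must fit in a
 * row of `width` pixels. Written as n <= width - x so x + n cannot wrap. */
int check_run_in_row(int x, int n, int width)
{
    if (x < 0 || n < 0 || width <= 0)
        return -1;
    return (x <= width && n <= width - x) ? 0 : -1;
}

/* CVE-2013-3674 class: verify the buffer really holds the header plus the
 * payload the header announces before touching a single payload byte. */
int check_payload(const uint8_t *buf, size_t buf_size, size_t header_size,
                  size_t declared)
{
    if (!buf || buf_size < header_size)
        return -1;
    return (declared <= buf_size - header_size) ? 0 : -1;
}

/* Constructed packet: 4-byte header announcing 8 payload bytes, only 2 present. */
static const uint8_t sample_pkt[6] = { 0x00, 0x00, 0x00, 0x08, 0xAA, 0xBB };

/* 1 if the constructed packet passes check_payload, 0 if it is rejected. */
int sample_pkt_is_valid(void)
{
    return check_payload(sample_pkt, sizeof sample_pkt, 4, sample_pkt[3]) == 0;
}
```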
CC: (none) => oe
Where did you all get that list of CVEs? I only see CVE-2013-2495 being mentioned between 1.1.4 and 1.1.5: http://git.videolan.org/?p=ffmpeg.git;a=log;h=n1.1.5
CC: (none) => luigiwalser
Well, at least the following commits are related:

CVE-2013-3673 gifdec: reset previous Graphic Control Extension disposal type
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=d23b8462b5a4a9da78ed45c4a7a3b35d538df909
1.1: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=a4681d1043556718fb20c9026f8d1cec4e7f453f

CVE-2013-3674 avcodec/cdgraphics: check buffer size before use
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=ad002e1a13a8df934bd6cb2c84175a4780ab8942
1.1: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=151c2ca8c797a00927776bb77427dc0c77e641d2

CVE-2013-3675 sanm: Check dimensions before use. Fixes integer overflow and out of array accesses
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=9dd04f6d8cdd1c10c28b2cb4252c1a41df581915
1.1: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=dafd8228bc0f7d9a6afd4e84a476b3a73e0a5a4b
No PoCs for any of these, so basic ffmpeg checks only:
https://bugs.mageia.org/show_bug.cgi?id=8065#c6

Testing mga3 64
Whiteboard: (none) => has_procedure
Could somebody supply a list of srpm's & rpm's please.
We'll have to provide a proper advisory later. Here's the package list. Note these are in both core and tainted updates_testing.

ffmpeg-1.1.5-1.mga3
libavcodec54-1.1.5-1.mga3
libpostproc52-1.1.5-1.mga3
libavformat54-1.1.5-1.mga3
libavutil52-1.1.5-1.mga3
libswscaler2-1.1.5-1.mga3
libavfilter3-1.1.5-1.mga3
libswresample0-1.1.5-1.mga3
libffmpeg-devel-1.1.5-1.mga3
libffmpeg-static-devel-1.1.5-1.mga3

from ffmpeg-1.1.5-1.mga3.src.rpm
Hmm, and http://ffmpeg.org/security.html says CVE-2013-2495 was supposed to have been fixed already in 1.1.4. Nothing is listed yet for 1.1.5. Their git is a confusing mess right now.
Did QA Training with Claire Robinson on this package update.

For ffmpeg found in Core Updates Testing, converted:
- wmv to avi
- wmv to mkv
- avi to wmv

For ffmpeg found in Tainted Updates Testing, did all of the above, and additionally converted:
- wma to mov (per the testing note at https://bugs.mageia.org/show_bug.cgi?id=8065#c6)

I failed to convert to flv, but this was user error only, a failure to specify a valid frame rate.

MGA3-64-OK
CC: (none) => sharpzq4300
Testing mga3 i586 complete. Followed the same kind of procedure as Adam H in comment 8, successfully testing conversion of various files with both ffmpeg from core and tainted updates_testing (wmv, avi, mkv, mov, flv with various codecs).

@Adam H: You should add "MGA3-64-OK" in the Whiteboard section of the bug report, not in the comment. I did it for you.

Waiting for the advisory to validate the update candidate.
CC: (none) => remi
Whiteboard: has_procedure => has_procedure MGA3-32-OK MGA3-64-OK
Ping for the advisory please David.
I don't have it. ffmpeg's security page doesn't have it. I have no idea where Funda and Oden got their CVE lists from.
Thanks anyway David. Funda, can you verify the CVEs fixed by this update and give an updated advisory for us please, so we can validate and push this one. Thanks!
(In reply to claire robinson from comment #12)
> Funda can you verify the CVE's fixed by this update and give an updated
> advisory for us please so we can validate and push this one.

Just see comment#0.
Thanks Funda. Validating.

Advisory uploaded. Could sysadmin please push from 3 core/tainted updates testing to updates? Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2013-0182.html
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)