The avidemux package is unfortunately still building with a bundled ffmpeg instead of the system one. There have been several security issues fixed in ffmpeg since the versions bundled with avidemux were released.

Avidemux versions 2.6.6 (Mageia 4) and 2.6.8 (Cauldron) have FFmpeg 1.2.1, which should be updated to 1.2.7.

Avidemux version 2.5.6 (Mageia 3) has FFmpeg 0.9, which is no longer supported upstream. The last 0.9.x release was 0.9.4 in March, which is missing fixes for CVE-2012-5150 and CVE-2014-4610. If it's possible to update it to 0.10.x, 0.10.14 fixes those CVEs as well.
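The bug above is a vendored-library problem: a package carries its own FFmpeg copy, so distro-wide FFmpeg updates never reach it. The script below is an added example (not code from this bug or from the avidemux project) that scans an unpacked source tree for bundled FFmpeg copies and compares each against the patched release for its branch, using the branch table given in this report. It assumes an FFmpeg checkout is recognisable by a RELEASE file sitting beside a libavcodec/ directory, as in FFmpeg release tarballs; the sample tree it builds is constructed, not a real avidemux source.

```python
"""Scan an unpacked source tree for bundled (vendored) FFmpeg copies and report
whether each copy is at or above the patched release for its branch."""
import os
import tempfile
from pathlib import Path

# Minimum patched release per FFmpeg branch, taken from this bug report: 1.2.x
# should be 1.2.7, 0.10.x should be 0.10.14, and 0.9.x (last release 0.9.4) is
# unsupported upstream and misses the CVE-2012-5150 / CVE-2014-4610 fixes (None).
PATCHED_RELEASE = {(0, 9): None, (0, 10): (0, 10, 14), (1, 2): (1, 2, 7)}

def parse_version(text):
    """Turn a RELEASE file's text (e.g. 1.2.7, or a snapshot like 0.10.14-git)
    into an integer tuple, keeping only the leading numeric components."""
    parts = []
    for piece in text.strip().split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if len(parts) < 2:
        raise ValueError("unrecognised FFmpeg version: %r" % text)
    return tuple(parts)

def classify(version):
    """'ok', 'outdated', 'unsupported', or 'unknown-branch' for a version tuple."""
    if version[:2] not in PATCHED_RELEASE:
        return "unknown-branch"
    minimum = PATCHED_RELEASE[version[:2]]
    if minimum is None:
        return "unsupported"
    return "ok" if version >= minimum else "outdated"

def find_bundled_ffmpeg(root):
    """Return sorted (path, version, status) for each directory under root that
    looks like an FFmpeg checkout: a RELEASE file beside a libavcodec/ directory."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if "RELEASE" in filenames and "libavcodec" in dirnames:
            version = parse_version(Path(dirpath, "RELEASE").read_text())
            found.append((dirpath, version, classify(version)))
    return sorted(found)

def demo():
    """Build a constructed sample tree (not a real avidemux checkout) holding two
    bundled copies, scan it, and return paths relative to the temporary root."""
    root = tempfile.mkdtemp()
    for sub, rel in (("avidemux_core/ffmpeg", "1.2.1\n"), ("plugins/ffmpeg-0.9", "0.9.4\n")):
        (Path(root, sub) / "libavcodec").mkdir(parents=True)
        (Path(root, sub) / "RELEASE").write_text(rel)
    return [(Path(p).relative_to(root).as_posix(), v, s) for p, v, s in find_bundled_ffmpeg(root)]
```

Run `find_bundled_ffmpeg()` on an unpacked SRPM's build directory to list every vendored copy; a status other than "ok" means the copy needs an update or backported patches.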
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA4TOO, MGA3TOO
Updated the bundled ffmpeg in Mageia 4 and Cauldron to 1.2.7. Updated the bundled ffmpeg in Mageia 3 to 0.10.14 and adapted it so that it built. Hopefully it works :o)

Advisory:
========================

Updated avidemux packages fix security vulnerabilities:

Avidemux is built with a bundled set of FFmpeg libraries. The bundled FFmpeg versions have been updated to 0.10.14 in Mageia 3 and 1.2.7 in Mageia 4 to fix several security issues and other bugs fixed upstream in FFmpeg.

References:
http://ffmpeg.org/security.html
========================

Updated packages in core/updates_testing:
========================
avidemux-2.5.6-6.1.mga3
avidemux-gtk-2.5.6-6.1.mga3
avidemux-qt-2.5.6-6.1.mga3
avidemux-cli-2.5.6-6.1.mga3
libavidemux-2.6.6-2.1.mga4
avidemux-devel-2.6.6-2.1.mga4

from SRPMS:
avidemux-2.5.6-6.1.mga3.src.rpm
avidemux-2.6.6-2.1.mga4.src.rpm
Version: Cauldron => 4
Assignee: fundawang => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Assigning back to Funda. David pointed out the mess Funda made duplicating the same source in several SRPMS in Mageia 4. They should be merged, or the others should use what the main avidemux SRPM builds, not all building their own bundled copies of avidemux.
CC: (none) => qa-bugs
Assignee: qa-bugs => fundawang
I believe that the compiled bundled ffmpeg code only ends up in the libavidemux package (and not the cli, qt, or plugins packages), so for the purposes of this security update, it's OK to go. These SRPMS really should be recombined though.
CC: qa-bugs => fundawang
Assignee: fundawang => qa-bugs
First look at this thing: it's very old and does not do well with large video or newer formats. Let's see what happens when I update it.
CC: (none) => wilcal.int
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: avidemux avidemux-gtk avidemux-qt avidemux-cli

default install of avidemux/gtk/qt/cli

[root@localhost wilcal]# urpmi avidemux
Package avidemux-2.5.6-6.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi avidemux-gtk
Package avidemux-gtk-2.5.6-6.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi avidemux-qt
Package avidemux-qt-2.5.6-6.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi avidemux-cli
Package avidemux-cli-2.5.6-6.mga3.tainted.i586 is already installed

install avidemux/gtk/qt/cli from updates_testing

[root@localhost wilcal]# urpmi avidemux
Package avidemux-2.5.6-6.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi avidemux-gtk
Package avidemux-gtk-2.5.6-6.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi avidemux-qt
Package avidemux-qt-2.5.6-6.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi avidemux-cli
Package avidemux-cli-2.5.6-6.1.mga3.i586 is already installed

I am going to fail this update. While the avidemux-2.5.6-6.mga3 version does poorly with newer video formats, it does even worse, or not at all, after being updated to avidemux-2.5.6-6.1. I can open some mp4 videos with the 6-6 version, but after the update to 6-6.1, using the same test videos, it complains about the audio format and the video it converts to has no audio track. That tells me whatever was done here integrating with a newer ffmpeg was done incorrectly. There are so many formats and ways to test this we could probably test this forever and find holes everywhere. I have tested all three versions with multiple video formats. The updates install cleanly, so maybe we pass on the work-ability of this thing and let folks who use it create new bugs. But all of those bugs are going to be upstream.
It wasn't done "incorrectly," but like I said in Comment 0, I was taking a chance by updating it to FFmpeg 0.10 and knew it might not work. So I'll have to move it back to the 0.9 branch and see if I can rediff some commits for the last few CVEs.
Whiteboard: MGA3TOO => MGA3TOO feedback
Thanks David. I've put together a little test procedure here, so when you're ready I'll run it again. I've a pretty busy weekend ahead of me, but I can certainly run the tests on M3 32-bit pretty quickly.
Test procedure:

1) Select three video files with common formats: mp4, flv, mov. All three files will play using ffplay. Example: ffplay canon.mov
2) Import all three files into the gtk & qt versions of avidemux. All three files should play both video and audio. Audio & video should be in sync.
3) Export the files in avi (default) and mp4 format using gtk & qt.
4) In a terminal run the following command:
   avidemux2_cli --load "file.flv" --save "file1.mp4" --output-format mp4 --quit
5) Exported files should play using ffplay and/or VLC. Both video and audio should be in sync.
6) Update avidemux from updates_testing.
7) Repeat steps 1, 2, 3 and 4.
8) Exported files should play using ffplay and/or VLC. Both video and audio should be in sync.
Feel free to test the mga4 update while waiting for me to fix the mga3 one.
In VirtualBox, M4, KDE, 32-bit

There appears to be no avidemux-gtk in M4.

Package(s) under test: libavidemux (tainted) avidemux-qt avidemux-cli

default install of avidemux/qt/cli

[root@localhost wilcal]# urpmi avidemux-qt
Package avidemux-qt-2.6.6-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi avidemux-cli
Package avidemux-cli-2.6.6-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libavidemux
Package libavidemux-2.6.6-2.mga4.tainted.i586 is already installed

avidemux3-qt plays and correctly exports mp4 & avi files
avidemux3_cli --load "canon.mov" --save "canon2.mp4" --output-format mp4 --quit correctly exports mp4 file

install libavidemux avidemux/qt/cli from updates_testing

[root@localhost wilcal]# urpmi avidemux-qt
Package avidemux-qt-2.6.6-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi avidemux-cli
Package avidemux-cli-2.6.6-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libavidemux
Package libavidemux-2.6.6-2.1.mga4.i586 is already installed

avidemux3-qt plays mov but errors "Only AAC & mpegaudio supported for audio" when attempting avi export.
Bundled ffmpeg for the Mageia 3 build is now 0.9.4, plus these patches from the 0.10.x branch to fix additional security issues:
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=2facb10f705ab3f34b7a050107d7556b388c068c
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=6a968073daa74ffb98368fefd476a4562ce84e1b
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e7f5dacd55deeee8a866020b8463f829b2c5971f

Advisory:
========================

Updated avidemux packages fix security vulnerabilities:

Avidemux is built with a bundled set of FFmpeg libraries. The bundled FFmpeg versions have been updated to 0.9.4 in Mageia 3 and 1.2.7 in Mageia 4 to fix several security issues and other bugs fixed upstream in FFmpeg. For the Mageia 3 update, additional patches from the FFmpeg 0.10 branch were added to fix a use after free in matroska and integer overflows in lzo.

References:
http://ffmpeg.org/security.html
========================

Updated packages in core/updates_testing:
========================
avidemux-2.5.6-6.2.mga3
avidemux-gtk-2.5.6-6.2.mga3
avidemux-qt-2.5.6-6.2.mga3
avidemux-cli-2.5.6-6.2.mga3
libavidemux-2.6.6-2.1.mga4
avidemux-devel-2.6.6-2.1.mga4

from SRPMS:
avidemux-2.5.6-6.2.mga3.src.rpm
avidemux-2.6.6-2.1.mga4.src.rpm
Whiteboard: MGA3TOO feedback => MGA3TOO
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: avidemux avidemux-gtk avidemux-qt avidemux-cli

default install of avidemux/gtk/qt/cli

Password:
[root@localhost wilcal]# urpmi avidemux
Package avidemux-2.5.6-6.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi avidemux-gtk
Package avidemux-gtk-2.5.6-6.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi avidemux-qt
Package avidemux-qt-2.5.6-6.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi avidemux-cli
Package avidemux-cli-2.5.6-6.mga3.tainted.i586 is already installed

avidemux3-gtk plays mov & mp4 files and correctly exports avi files
avidemux3-qt plays mov & mp4 files and correctly exports avi files
avidemux3_cli --load "ob.flv" --save "ob1.mp4" --output-format mp4 --quit correctly exports mp4 file

install avidemux/gtk/qt/cli from updates_testing

[root@localhost wilcal]# urpmi avidemux
Package avidemux-2.5.6-6.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi avidemux-gtk
Package avidemux-gtk-2.5.6-6.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi avidemux-qt
Package avidemux-qt-2.5.6-6.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi avidemux-cli
Package avidemux-cli-2.5.6-6.2.mga3.i586 is already installed

avidemux3-gtk plays mov & mp4 files and correctly exports avi files
avidemux3-qt plays mov & mp4 files and correctly exports avi files
avidemux3_cli --load "ob.flv" --save "ob2.mp4" --output-format mp4 --quit correctly exports mp4 file

What I can say at this point is that using the updates_testing files is not detrimental to the operation of avidemux. It seems to work the same after the update as it does before, although there appear to be quite a few things I wouldn't be comfortable with. For M3 32-bit it's a go.
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: avidemux avidemux-gtk avidemux-qt avidemux-cli

default install of avidemux/gtk/qt/cli

[root@localhost wilcal]# urpmi avidemux
Package avidemux-2.5.6-6.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi avidemux-gtk
Package avidemux-gtk-2.5.6-6.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi avidemux-qt
Package avidemux-qt-2.5.6-6.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi avidemux-cli
Package avidemux-cli-2.5.6-6.mga3.tainted.x86_64 is already installed

avidemux3-gtk plays mov files and correctly exports avi files
avidemux3-qt plays mov files and correctly exports avi files
avidemux3_cli --load "ob.flv" --save "ob1.mp4" --output-format mp4 --quit correctly exports mp4 file

install avidemux/gtk/qt/cli from updates_testing

[root@localhost wilcal]# urpmi avidemux
Package avidemux-2.5.6-6.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi avidemux-gtk
Package avidemux-gtk-2.5.6-6.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi avidemux-qt
Package avidemux-qt-2.5.6-6.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi avidemux-cli
Package avidemux-cli-2.5.6-6.2.mga3.x86_64 is already installed

avidemux3-gtk plays mov files and correctly exports avi files
avidemux3-qt plays mov files and correctly exports avi files
avidemux3_cli --load "ob.flv" --save "ob2.mp4" --output-format mp4 --quit correctly exports mp4 file

What I can say at this point is that using the updates_testing files is not detrimental to the operation of avidemux, although there appear to be quite a few things, like dealing with the latest mp4 formats, that are a problem. This is probably as good as it gets. For M3 64-bit it's a go.
Whiteboard: MGA3TOO MGA3-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK
For me this update works fine.

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push this to updates? Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Hmm, the tainted builds do not seem to be present in either mga3 or mga4. I've built them and will include them in this update (I'd already published the advisory and moved the other non-tainted packages, so I figured this was the easiest option for me, but really this shouldn't have been validated without those builds in place!). Some post-release testing of tainted builds would be appreciated.
CC: (none) => mageia
Update pushed. http://advisories.mageia.org/MGASA-2014-0297.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/606889/