These issues were fixed in ffmpeg 1.1.14, 1.2.8, 2.2.7, and 2.3.3, but the 2.0 and 2.1 branches haven't been updated yet. We'll need an update for the 2.0 branch for Mageia 4. The bundled avidemux will need to be updated to 1.2.8 in Mageia 4 (done already in Cauldron) and patched in Mageia 3.
Whiteboard: (none) => MGA3TOO
ffmpeg 0.10.15 has fixes for CVE-2013-0848, CVE-2013-0852, CVE-2013-0860, CVE-2013-3672, CVE-2013-3674, and CVE-2013-7020, all of which may potentially affect the 0.9 bundled in Avidemux 2.5.6. Backporting patches for all of those, in addition to the two new CVEs, for a Mageia 3 update, is probably not worth the effort at this point. The update to the bundled ffmpeg 1.2.8 for the avidemux in Mageia 4 has been committed in SVN.
URL: (none) => https://marc.info/?l=oss-security&m=140817544727495&w=2
CC: (none) => cjw
Blocks: (none) => 14556
Blocks: 14556 => (none)
Mageia 3 has been moved to Bug 14556, fixing CVE-2014-5271 and CVE-2014-5272. I just saw that there are newer CVEs CVE-2014-854[1-9] that were fixed in 1.2.9, 2.2.9, and 2.4.2. All of those releases have been superseded by newer releases already. No CVEs have been listed for the newer releases, but there are likely security fixes in there as well. I asked upstream to make a new 2.0.x release, and they are working on it. The avidemux package will need to be updated again to ffmpeg 1.2.10.
Summary: ffmpeg new security issues CVE-2014-5271 and CVE-2014-5272 => ffmpeg new security issues CVE-2014-527[12] and CVE-2014-854[1-9]
Whiteboard: MGA3TOO => (none)
FFmpeg's 2.0 branch looks to have the commits for 2.0.6, it just needs to be tagged and released now. The avidemux update for FFmpeg 1.2.10 is building in Cauldron now and is committed in Mageia 4 SVN.
Blocks: (none) => 14562
Blocks: 14562 => (none)
The 2.0.6 tarball is out. It contains fixes for CVE-2014-527[12] and CVE-2014-854[1-8]. I think CVE-2014-8549 only applied to the 2.4 branch. Updated package uploaded for Mageia 4.

Note to QA, there is a PoC for the first CVE in this bug: https://trac.ffmpeg.org/ticket/2760

Note that this package has both core and tainted builds.

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8065#c6

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

A heap-based buffer overflow in the encode_slice function in libavcodec/proresenc_kostya.c in FFmpeg before 2.0.6 can cause a crash, allowing a malicious image file to cause a denial of service (CVE-2014-5271).

libavcodec/iff.c in FFmpeg before 2.0.6 allows an attacker to have an unspecified impact via a crafted iff image, which triggers an out-of-bounds array access, related to the rgb8 and rgbn formats (CVE-2014-5272).

libavcodec/mjpegdec.c in FFmpeg before 2.0.6 considers only dimension differences, and not bits-per-pixel differences, when determining whether an image size has changed, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted MJPEG data (CVE-2014-8541).

libavcodec/utils.c in FFmpeg before 2.0.6 omits a certain codec ID during enforcement of alignment, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted JV data (CVE-2014-8542).

libavcodec/mmvideo.c in FFmpeg before 2.0.6 does not consider all lines of HHV Intra blocks during validation of image height, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted MM video data (CVE-2014-8543).

libavcodec/tiff.c in FFmpeg before 2.0.6 does not properly validate bits-per-pixel fields, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted TIFF data (CVE-2014-8544).

libavcodec/pngdec.c in FFmpeg before 2.0.6 accepts the monochrome-black format without verifying that the bits-per-pixel value is 1, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted PNG data (CVE-2014-8545).

Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.0.6 allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted Cinepak video data (CVE-2014-8546).

libavcodec/gifdec.c in FFmpeg before 2.0.6 does not properly compute image heights, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted GIF data (CVE-2014-8547).

Off-by-one error in libavcodec/smc.c in FFmpeg before 2.0.6 allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted Quicktime Graphics (aka SMC) video data (CVE-2014-8548).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8542
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8548
http://git.videolan.org/?p=ffmpeg.git;a=log;h=n2.0.6
http://ffmpeg.org/olddownload.html
http://ffmpeg.org/security.html
http://openwall.com/lists/oss-security/2014/08/16/6
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-2.0.6-1.mga4
libavcodec55-2.0.6-1.mga4
libpostproc52-2.0.6-1.mga4
libavformat55-2.0.6-1.mga4
libavutil52-2.0.6-1.mga4
libswscaler2-2.0.6-1.mga4
libavfilter3-2.0.6-1.mga4
libswresample0-2.0.6-1.mga4
libffmpeg-devel-2.0.6-1.mga4
libffmpeg-static-devel-2.0.6-1.mga4

from ffmpeg-2.0.6-1.mga4.src.rpm
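The CVE-2014-8541 entry in the advisory above describes a size-change check that compared only width and height. As an added illustration (constructed for this page, not FFmpeg's code and not taken from this bug), the C below shows why every field that feeds the frame buffer size computation, bits-per-pixel included, must be part of that comparison; the dims-only check is shown beside the hardened one, and the buffer layout (rows padded to whole bytes) is an assumption of the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed example: a minimal frame-buffer manager (not FFmpeg's code). */
typedef struct {
    int width, height, bits_per_pixel;
} frame_params;

typedef struct {
    frame_params params;
    size_t size;     /* bytes allocated for pixel data */
    uint8_t *data;
} frame_buffer;

/* Bytes needed for a packed frame; rows are padded to whole bytes (assumed layout). */
size_t frame_bytes(const frame_params *p) {
    size_t row_bits  = (size_t)p->width * (size_t)p->bits_per_pixel;
    size_t row_bytes = (row_bits + 7) / 8;
    return row_bytes * (size_t)p->height;
}

/* Weak check: only dimensions are compared, so a stream that keeps
 * width/height but raises bits-per-pixel is treated as "unchanged". */
int size_changed_dims_only(const frame_params *old, const frame_params *cur) {
    return old->width != cur->width || old->height != cur->height;
}

/* Hardened check: every parameter that frame_bytes() depends on is compared. */
int size_changed_full(const frame_params *old, const frame_params *cur) {
    return size_changed_dims_only(old, cur) ||
           old->bits_per_pixel != cur->bits_per_pixel;
}

/* Make fb large enough for a frame of params p; returns 1 on success, 0 on OOM. */
int ensure_frame(frame_buffer *fb, const frame_params *p) {
    if (fb->data && !size_changed_full(&fb->params, p))
        return 1;  /* identical geometry and depth: reuse the existing buffer */
    size_t need = frame_bytes(p);
    uint8_t *nd = realloc(fb->data, need ? need : 1);
    if (!nd)
        return 0;
    fb->data = nd; fb->size = need; fb->params = *p;
    return 1;
}

/* Reports the bug condition: would reusing fb under the dims-only check leave it
 * smaller than frame p needs? (computed, never written out of bounds) */
int naive_reuse_is_unsafe(const frame_buffer *fb, const frame_params *p) {
    return !size_changed_dims_only(&fb->params, p) && frame_bytes(p) > fb->size;
}
```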
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure
With the Mageia 4 i586 ffmpeg, I was able to reproduce the segfault with the CVE-2014-5271 PoC and verify that the update fixes it.
Testing Mageia 4 i586. I used mplayer to play some video files and ffmpeg to convert some.

With core ffmpeg, I was able to play and convert this one: http://trailers.divx.com/divx_prod/profiles/Fashion_DivX720p_ASP.divx (from http://www.divx.com/en/devices/profiles/video ) converting with:
ffmpeg -i Fashion_DivX720p_ASP.divx output.avi

With core ffmpeg, I was able to play the following video with mplayer, but it only had video and no sound, and ffmpeg was unable to convert it, all this because it uses AAC audio format, so this was expected. With tainted ffmpeg, I was able to play the following one with sound and convert with ffmpeg: http://download.wavetlan.com/SVV/Media/HTTP/mkv/MP4_DIVX_AAC-LC-(mkvmerge).mkv (from http://download.wavetlan.com/SVV/Media/HTTP/http-mkv.htm ) converting with:
ffmpeg -i MP4_DIVX_AAC-LC-\(mkvmerge\).mkv output2.avi
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Tested Mageia 4 x86-64. The procedure illustrated by David Walser in Comment 6 works fine.
CC: (none) => shlomif
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Validating, advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0464.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: https://marc.info/?l=oss-security&m=140817544727495&w=2 => http://lwn.net/Vulnerabilities/622608/