Bug 14556 - ffmpeg new security issues CVE-2014-5271 and CVE-2014-5272
Summary: ffmpeg new security issues CVE-2014-5271 and CVE-2014-5272
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/622608/
Whiteboard: has_procedure MGA3-32-OK MGA3-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-11-14 19:10 CET by David Walser
Modified: 2014-11-21 19:03 CET (History)

See Also:
Source RPM: ffmpeg-1.1.12-1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-11-14 19:10:31 CET
+++ This bug was initially created as a clone of Bug #14042 +++

These issues were fixed in ffmpeg 1.1.14, 1.2.8, 2.2.7, and 2.3.3.
Comment 1 David Walser 2014-11-14 19:30:32 CET
Updated package uploaded for Mageia 3.

Note to QA, there is a PoC for the first CVE in this bug:
https://trac.ffmpeg.org/ticket/2760

Also note that there are both core and tainted builds for this package.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8065#c6

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

A heap-based buffer overflow in the encode_slice function in
libavcodec/proresenc_kostya.c in FFmpeg before 1.1.14 can cause a crash,
allowing a malicious image file to cause a denial of service (CVE-2014-5271).

libavcodec/iff.c in FFmpeg before 1.1.14 allows an attacker to have an
unspecified impact via a crafted iff image, which triggers an out-of-bounds
array access, related to the rgb8 and rgbn formats (CVE-2014-5272).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5272
http://git.videolan.org/?p=ffmpeg.git;a=log;h=n1.1.14
http://ffmpeg.org/olddownload.html
http://ffmpeg.org/security.html
http://openwall.com/lists/oss-security/2014/08/16/6
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-1.1.14-1.mga3
libavcodec54-1.1.14-1.mga3
libpostproc52-1.1.14-1.mga3
libavformat54-1.1.14-1.mga3
libavutil52-1.1.14-1.mga3
libswscaler2-1.1.14-1.mga3
libavfilter3-1.1.14-1.mga3
libswresample0-1.1.14-1.mga3
libffmpeg-devel-1.1.14-1.mga3
libffmpeg-static-devel-1.1.14-1.mga3

from ffmpeg-1.1.14-1.mga3.src.rpm

Depends on: 14042 => (none)
Assignee: bugsquad => qa-bugs
Source RPM: ffmpeg-2.0.5-1.mga4.src.rpm => ffmpeg-1.1.12-1.mga3.src.rpm
Whiteboard: (none) => has_procedure
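
A small QA helper for the procedure above, added here as an example and not part of this bug report or of the ffmpeg project. It does two things a tester needs when working this bug: it decides from `rpm -q` style package strings whether an installed ffmpeg build is at or past the fixed upstream version the advisory names (1.1.14 is assumed to be the only threshold that matters on Mageia 3), and it classifies the exit status of the PoC command so a death by signal (139 = SIGSEGV on Linux) is not confused with an ordinary encoder error such as the "Unknown encoder" that `prores_ks` produces. The sample package strings are constructed from the versions quoted in this bug, `run_poc` only invokes ffmpeg if you call it, and the output path /tmp/out.mov is an assumption.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or ffmpeg): QA helper for
# CVE-2014-5271 / CVE-2014-5272 on Mageia 3.

FIXED_UPSTREAM="1.1.14"   # upstream version carrying the fix, per the advisory

# upstream_version NEVR -> version only.
# "ffmpeg-1.1.12-1.mga3" -> "1.1.12"; names with dashes (lib64vo-aacenc-devel-0.1.2-2.mga3) also work.
upstream_version() {
    v=${1%-*}      # drop the release suffix: ffmpeg-1.1.12
    v=${v##*-}     # drop the package name:   1.1.12
    printf '%s\n' "$v"
}

# vercmp A B -> prints -1, 0 or 1 comparing dotted numeric versions component-wise.
# (rpmvercmp handles more cases; numeric dotted versions are all this bug needs.)
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    printf '%s\n' 0
}

# ffmpeg_fixed NEVR -> succeeds when the upstream version is >= FIXED_UPSTREAM
ffmpeg_fixed() {
    [ "$(vercmp "$(upstream_version "$1")" "$FIXED_UPSTREAM")" -ge 0 ]
}

# classify_status N: a shell exit status above 128 means the process died from
# signal N-128. A vulnerable build running the PoC is expected to die with
# SIGSEGV (139); "Unknown encoder" and similar errors exit with a small status.
classify_status() {
    case $1 in
        0)   printf '%s\n' ok ;;
        139) printf '%s\n' "crashed: SIGSEGV" ;;
        134) printf '%s\n' "crashed: SIGABRT" ;;
        *)
            if [ "$1" -gt 128 ]; then printf '%s\n' "crashed: signal $(( $1 - 128 ))"
            else printf '%s\n' "error: exit $1"
            fi ;;
    esac
}

# run_poc INPUT.png: the PoC command from this bug with the encoder name David
# recommends (prores_kostya). Output path is an assumption. Not run automatically.
run_poc() {
    ffmpeg -v 9 -loglevel 99 -i "$1" -s 480x480 -c:v prores_kostya -y /tmp/out.mov >/dev/null 2>&1
    classify_status $?
}

# report "NEVR lines": one verdict per package string (input is rpm -q output)
report() {
    printf '%s\n' "$1" | while IFS= read -r pkg; do
        if ffmpeg_fixed "$pkg"; then
            printf '%s\n' "$pkg: fixed"
        else
            printf '%s\n' "$pkg: VULNERABLE (upstream < $FIXED_UPSTREAM)"
        fi
    done
}

# Constructed sample rpm -q output, built from the versions quoted in this bug
# (not captured live from a system):
SAMPLE_BEFORE="ffmpeg-1.1.12-1.mga3
lib64avcodec54-1.1.12-1.mga3"
SAMPLE_AFTER="ffmpeg-1.1.14-1.mga3.tainted
lib64avcodec54-1.1.14-1.mga3.tainted"

report "$SAMPLE_BEFORE"
report "$SAMPLE_AFTER"
# On a real box: report "$(rpm -q ffmpeg lib64avcodec54)"; then run_poc favicon2.png
```

On a live system replace the samples with `report "$(rpm -q ffmpeg lib64avcodec54)"` and follow it with `run_poc` on the PoC image; a verdict of `crashed: SIGSEGV` on the 1.1.12 build and `ok` or `error: exit N` on 1.1.14 is the result the QA sign-off wants to see.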

Comment 2 olivier charles 2014-11-15 13:57:17 CET
Testing on Mageia3-64 real HW

With current packages :
---------------------

# rpm -q ffmpeg lib64avcodec54 lib64ffmpeg-devel
ffmpeg-1.1.12-1.mga3
lib64avcodec54-1.1.12-1.mga3
lib64ffmpeg-devel-1.1.12-1.mga3

Followed PoC mentioned in comment 2.

$ ffmpeg -v 9 -loglevel 99 -i favicon2.png -s 480x480 -c:v prores_ks -y out.mov
which crashed on :
Unknown encoder 'prores_ks'

$ ffmpeg -codecs | grep -i Apple
which gave 3 Apple ProRes encoders :
prores, prores_anatoliy, prores_kostya

Tried the 3 decoders
$ ffmpeg -v 9 -loglevel 99 -i favicon2.png -s 480x480 -c:v prores_kostya -y out.mov
$ ffmpeg -v 9 -loglevel 99 -i favicon2.png -s 480x480 -c:v prores -y out.mov
$ ffmpeg -v 9 -loglevel 99 -i favicon2.png -s 480x480 -c:v prores_anatoliy -y out2.mov
but could not reproduce the segmentation fault as all worked well.

Followed testing procedure mentioned in comment 2 with a demo.mkv file.

$ ffmpeg -i mkv_demo.mkv output.avi
OK but no sound in this file as AC-3 (ATSC A/52) decoder is needed.
As I didn't want to update now to tainted packages, I let that sit.

$ ffmpeg -i mkv_demo.mkv output.wmv
OK
$ ffmpeg -i mkv_demo.mkv output.flv

That latter one complained of a bitrate problem with flv
([adpcm_swf @ 0x231d9a0] Sample rate must be 11025, 22050 or 44100)
so :
$ ffmpeg -i mkv_demo.mkv -ar 44100 output2.flv
OK

Converted flv file back to mkv :
$ ffmpeg -i output2.flv output3.mkv
OK

Updated to testing packages :
---------------------------

- ffmpeg-1.1.14-1.mga3.x86_64
- lib64avcodec54-1.1.14-1.mga3.x86_64
- lib64avfilter3-1.1.14-1.mga3.x86_64
- lib64avformat54-1.1.14-1.mga3.x86_64
- lib64avutil52-1.1.14-1.mga3.x86_64
- lib64ffmpeg-devel-1.1.14-1.mga3.x86_64
- lib64ffmpeg-static-devel-1.1.14-1.mga3.x86_64
- lib64postproc52-1.1.14-1.mga3.x86_64
- lib64swresample0-1.1.14-1.mga3.x86_64
- lib64swscaler2-1.1.14-1.mga3.x86_64

Tried PoC
which gave exactly the same results (including prores_ks unknown)

Then followed testing procedure
which gave same results too including no sound in avi file.

Updated to testing tainted packages :
-----------------------------------

- ffmpeg-1.1.14-1.mga3.tainted.x86_64
- lib64avcodec54-1.1.14-1.mga3.tainted.x86_64
- lib64avfilter3-1.1.14-1.mga3.tainted.x86_64
- lib64avformat54-1.1.14-1.mga3.tainted.x86_64
- lib64avutil52-1.1.14-1.mga3.tainted.x86_64
- lib64ffmpeg-devel-1.1.14-1.mga3.tainted.x86_64
- lib64ffmpeg-static-devel-1.1.14-1.mga3.tainted.x86_64
- lib64postproc52-1.1.14-1.mga3.tainted.x86_64
- lib64swresample0-1.1.14-1.mga3.tainted.x86_64
- lib64swscaler2-1.1.14-1.mga3.tainted.x86_64
- lib64vo-aacenc-devel-0.1.2-2.mga3.tainted.x86_64
- lib64vo-amrwbenc-devel-0.1.1-4.mga3.tainted.x86_64

PoC = same results
Testing procedure = same results but this time had sound in output.avi

Conclusion:
----------
testing packages seem to work fine but I don't dare put the MGA3-64-OK as I couldn't reproduce PoC

CC: (none) => olchal

Comment 3 David Walser 2014-11-15 17:01:21 CET
Olivier, try prores_kostya instead of prores_ks.  Thanks.
Comment 4 olivier charles 2014-11-15 17:06:00 CET
Already did it along with the 2 other prores decoders I found in lib64avcodec54 but they all worked without fault:

"Tried the 3 decoders
$ ffmpeg -v 9 -loglevel 99 -i favicon2.png -s 480x480 -c:v prores_kostya -y out.mov
$ ffmpeg -v 9 -loglevel 99 -i favicon2.png -s 480x480 -c:v prores -y out.mov
$ ffmpeg -v 9 -loglevel 99 -i favicon2.png -s 480x480 -c:v prores_anatoliy -y out2.mov
but could not reproduce the segmentation fault as all worked well."
Comment 5 David Walser 2014-11-15 17:11:03 CET
Thanks Olivier.  You can add the OK.  Sometimes we can't reproduce the issues.  I had the same thing happen yesterday with the ImageMagick and GraphicsMagick bugs.
Comment 6 olivier charles 2014-11-15 17:12:40 CET
Ok, done David.

Whiteboard: has_procedure => has_procedure MGA3-64-OK

Comment 7 David Walser 2014-11-15 17:36:22 CET
Testing on Mageia 3 i586 I wasn't able to reproduce the segfault either.  On Mageia 4 i586, I was able to.
Comment 8 David Walser 2014-11-17 23:12:55 CET
Testing Mageia 3 i586.  I used mplayer to play some video files and ffmpeg to convert some.

With core ffmpeg, I was able to play and convert this one:
http://trailers.divx.com/divx_prod/profiles/Fashion_DivX720p_ASP.divx

(from http://www.divx.com/en/devices/profiles/video )

converting with: ffmpeg -i Fashion_DivX720p_ASP.divx output.avi

With core ffmpeg, I was able to play the following video with mplayer, but it only had video and no sound, and ffmpeg was unable to convert it, all this because it uses AAC audio format, so this was expected.

With tainted ffmpeg, I was able to play the following one with sound and convert with ffmpeg:
http://download.wavetlan.com/SVV/Media/HTTP/mkv/MP4_DIVX_AAC-LC-(mkvmerge).mkv

(from http://download.wavetlan.com/SVV/Media/HTTP/http-mkv.htm )

converting with: ffmpeg -i MP4_DIVX_AAC-LC-\(mkvmerge\).mkv output2.avi

Whiteboard: has_procedure MGA3-64-OK => has_procedure MGA3-32-OK MGA3-64-OK

Comment 9 Rémi Verschelde 2014-11-19 13:43:22 CET
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-32-OK MGA3-64-OK => has_procedure MGA3-32-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 10 Mageia Robot 2014-11-21 13:45:49 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0473.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-11-21 19:03:18 CET

URL: https://marc.info/?l=oss-security&m=140817544727495&w=2 => http://lwn.net/Vulnerabilities/622608/

