+++ This bug was initially created as a clone of Bug #14042 +++

These issues were fixed in ffmpeg 1.1.14, 1.2.8, 2.2.7, and 2.3.3.
Updated package uploaded for Mageia 3.

Note to QA, there is a PoC for the first CVE in this bug:
https://trac.ffmpeg.org/ticket/2760

Also note that there are both core and tainted builds for this package.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8065#c6

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

A heap-based buffer overflow in the encode_slice function in libavcodec/proresenc_kostya.c in FFmpeg before 1.1.14 can cause a crash, allowing a malicious image file to cause a denial of service (CVE-2014-5271).

libavcodec/iff.c in FFmpeg before 1.1.14 allows an attacker to have an unspecified impact via a crafted iff image, which triggers an out-of-bounds array access, related to the rgb8 and rgbn formats (CVE-2014-5272).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5272
http://git.videolan.org/?p=ffmpeg.git;a=log;h=n1.1.14
http://ffmpeg.org/olddownload.html
http://ffmpeg.org/security.html
http://openwall.com/lists/oss-security/2014/08/16/6
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-1.1.14-1.mga3
libavcodec54-1.1.14-1.mga3
libpostproc52-1.1.14-1.mga3
libavformat54-1.1.14-1.mga3
libavutil52-1.1.14-1.mga3
libswscaler2-1.1.14-1.mga3
libavfilter3-1.1.14-1.mga3
libswresample0-1.1.14-1.mga3
libffmpeg-devel-1.1.14-1.mga3
libffmpeg-static-devel-1.1.14-1.mga3

from ffmpeg-1.1.14-1.mga3.src.rpm
Depends on: 14042 => (none)
Assignee: bugsquad => qa-bugs
Source RPM: ffmpeg-2.0.5-1.mga4.src.rpm => ffmpeg-1.1.12-1.mga3.src.rpm
Whiteboard: (none) => has_procedure
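A way to check from `rpm -q` output whether an installed ffmpeg build carries these fixes, added here as an example and not part of the bug report. It classifies only the four branches whose fixed releases are named above and reports any other branch as unknown; the function names and the sample package strings are assumptions made for illustration, and it is meant for packages built from the ffmpeg source RPM.

```shell
#!/bin/sh
# Added example, not from the bug thread. The fixed releases are the four
# the report names; any other branch is reported as "unknown", not guessed.
FIXED_RELEASES="1.1.14 1.2.8 2.2.7 2.3.3"

# Extract the upstream version from an rpm name-version-release string,
# e.g. lib64avcodec54-1.1.14-1.mga3.tainted.x86_64 -> 1.1.14
nvr_version() {
    printf '%s\n' "$1" | sed -n 's/^.*-\([0-9][0-9.]*\)-[^-]*$/\1/p'
}

# Print "fixed", "unfixed" or "unknown" for a version of the form x.y.z.
ffmpeg_status() {
    ver=$1
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return ;;
    esac
    branch=${ver%.*}    # 1.1.12 -> 1.1
    micro=${ver##*.}    # 1.1.12 -> 12
    case $micro in
        ''|*[!0-9]*) echo unknown; return ;;
    esac
    for fixed in $FIXED_RELEASES; do
        if [ "${fixed%.*}" = "$branch" ]; then
            if [ "$micro" -ge "${fixed##*.}" ]; then
                echo fixed
            else
                echo unfixed
            fi
            return
        fi
    done
    echo unknown
}

# Classify one package string as printed by `rpm -q`.
check_nvr() {
    v=$(nvr_version "$1")
    if [ -z "$v" ]; then echo unknown; return; fi
    ffmpeg_status "$v"
}

# Constructed sample input, in the shape of the rpm -q output in this thread.
for pkg in ffmpeg-1.1.12-1.mga3 lib64avcodec54-1.1.14-1.mga3.tainted.x86_64; do
    printf '%s: %s\n' "$pkg" "$(check_nvr "$pkg")"
done
```
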
Testing on Mageia3-64 real HW

With current packages :
---------------------
# rpm -q ffmpeg lib64avcodec54 lib64ffmpeg-devel
ffmpeg-1.1.12-1.mga3
lib64avcodec54-1.1.12-1.mga3
lib64ffmpeg-devel-1.1.12-1.mga3

Followed PoC mentioned in comment 2.
$ ffmpeg -v 9 -loglevel 99 -i favicon2.png -s 480x480 -c:v prores_ks -y out.mov
which crashed on :
Unknown encoder 'prores_ks'

$ ffmpeg -codecs | grep -i Apple
which gave 3 Apple ProRes encoders : prores, prores_anatoliy, prores_kostya

Tried the 3 decoders
$ ffmpeg -v 9 -loglevel 99 -i favicon2.png -s 480x480 -c:v prores_kostya -y out.mov
$ ffmpeg -v 9 -loglevel 99 -i favicon2.png -s 480x480 -c:v prores -y out.mov
$ ffmpeg -v 9 -loglevel 99 -i favicon2.png -s 480x480 -c:v prores_anatoliy -y out2.mov
but could not reproduce the segmentation fault as all worked well.

Followed testing procedure mentioned in comment 2 with a demo.mkv file.
$ ffmpeg -i mkv_demo.mkv output.avi
OK but no sound in this file as AC-3 (ATSC A/52) decoder is needed. As I didn't want to update now to tainted packages, I let that sit.
$ ffmpeg -i mkv_demo.mkv output.wmv
OK
$ ffmpeg -i mkv_demo.mkv output.flv
That latter one complained of a bitrate problem with flv ([adpcm_swf @ 0x231d9a0] Sample rate must be 11025, 22050 or 44100) so :
$ ffmpeg -i mkv_demo.mkv -ar 44100 output2.flv
OK
Converted flv file back to mkv :
$ ffmpeg -i output2.flv output3.mkv
OK

Updated to testing packages :
---------------------------
- ffmpeg-1.1.14-1.mga3.x86_64
- lib64avcodec54-1.1.14-1.mga3.x86_64
- lib64avfilter3-1.1.14-1.mga3.x86_64
- lib64avformat54-1.1.14-1.mga3.x86_64
- lib64avutil52-1.1.14-1.mga3.x86_64
- lib64ffmpeg-devel-1.1.14-1.mga3.x86_64
- lib64ffmpeg-static-devel-1.1.14-1.mga3.x86_64
- lib64postproc52-1.1.14-1.mga3.x86_64
- lib64swresample0-1.1.14-1.mga3.x86_64
- lib64swscaler2-1.1.14-1.mga3.x86_64

Tried PoC which gave exactly the same results (including prores_ks unknown)
Then followed testing procedure which gave same results too including no sound in avi file.

Updated to testing tainted packages :
-----------------------------------
- ffmpeg-1.1.14-1.mga3.tainted.x86_64
- lib64avcodec54-1.1.14-1.mga3.tainted.x86_64
- lib64avfilter3-1.1.14-1.mga3.tainted.x86_64
- lib64avformat54-1.1.14-1.mga3.tainted.x86_64
- lib64avutil52-1.1.14-1.mga3.tainted.x86_64
- lib64ffmpeg-devel-1.1.14-1.mga3.tainted.x86_64
- lib64ffmpeg-static-devel-1.1.14-1.mga3.tainted.x86_64
- lib64postproc52-1.1.14-1.mga3.tainted.x86_64
- lib64swresample0-1.1.14-1.mga3.tainted.x86_64
- lib64swscaler2-1.1.14-1.mga3.tainted.x86_64
- lib64vo-aacenc-devel-0.1.2-2.mga3.tainted.x86_64
- lib64vo-amrwbenc-devel-0.1.1-4.mga3.tainted.x86_64

PoC = same results
Testing procedure = same results but this time had sound in output.avi

Conclusion :
----------
testing packages seem to work fine but I don't dare put the MGA3-64-OK as I couldn't reproduce PoC
CC: (none) => olchal
Olivier, try prores_kostya instead of prores_ks. Thanks.
Already did it along with the 2 other prores decoders I found in lib64avcodec54 but they all worked without fault :

"Tried the 3 decoders
$ ffmpeg -v 9 -loglevel 99 -i favicon2.png -s 480x480 -c:v prores_kostya -y out.mov
$ ffmpeg -v 9 -loglevel 99 -i favicon2.png -s 480x480 -c:v prores -y out.mov
$ ffmpeg -v 9 -loglevel 99 -i favicon2.png -s 480x480 -c:v prores_anatoliy -y out2.mov
but could not reproduce the segmentation fault as all worked well."
Thanks Olivier. You can add the OK. Sometimes we can't reproduce the issues. I had the same thing happen yesterday with the ImageMagick and GraphicsMagick bugs.
Ok, done David.
Whiteboard: has_procedure => has_procedure MGA3-64-OK
Testing on Mageia 3 i586 I wasn't able to reproduce the segfault either. On Mageia 4 i586, I was able to.
Testing Mageia 3 i586.

I used mplayer to play some video files and ffmpeg to convert some.

With core ffmpeg, I was able to play and convert this one:
http://trailers.divx.com/divx_prod/profiles/Fashion_DivX720p_ASP.divx
(from http://www.divx.com/en/devices/profiles/video )
converting with:
ffmpeg -i Fashion_DivX720p_ASP.divx output.avi

With core ffmpeg, I was able to play the following video with mplayer, but it only had video and no sound, and ffmpeg was unable to convert it, all this because it uses AAC audio format, so this was expected.

With tainted ffmpeg, I was able to play the following one with sound and convert with ffmpeg:
http://download.wavetlan.com/SVV/Media/HTTP/mkv/MP4_DIVX_AAC-LC-(mkvmerge).mkv
(from http://download.wavetlan.com/SVV/Media/HTTP/http-mkv.htm )
converting with:
ffmpeg -i MP4_DIVX_AAC-LC-\(mkvmerge\).mkv output2.avi
Whiteboard: has_procedure MGA3-64-OK => has_procedure MGA3-32-OK MGA3-64-OK
Validating, advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-32-OK MGA3-64-OK => has_procedure MGA3-32-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0473.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: https://marc.info/?l=oss-security&m=140817544727495&w=2 => http://lwn.net/Vulnerabilities/622608/