Bug 14562 - avidemux new security issues CVE-2014-527[12] and CVE-2014-854[1-8]
Summary: avidemux new security issues CVE-2014-527[12] and CVE-2014-854[1-8]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://marc.info/?l=oss-security&m=1...
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-11-14 23:53 CET by David Walser
Modified: 2014-11-26 18:30 CET (History)
4 users (show)

See Also:
Source RPM: avidemux-2.6.6-2.1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-11-14 23:53:20 CET
+++ This bug was initially created as a clone of Bug #14042 +++

These issues were fixed in 1.2.9, 2.0.6, 2.2.9, and 2.4.2.

The bundled avidemux will need to be updated to 1.2.10 in Mageia 4.
Comment 1 David Walser 2014-11-14 23:54:39 CET
Updated package currently building for Mageia 4.  Cauldron was updated today.

Depends on: 14042 => (none)
Source RPM: ffmpeg-2.0.5-1.mga4.src.rpm => avidemux-2.6.6-2.1.mga4.src.rpm

Comment 2 David Walser 2014-11-15 00:15:30 CET
Updated package uploaded for Mageia 4.

Note that there are both core and tainted builds for this package.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13643#c8

Advisory:
========================

Updated avidemux packages fix security vulnerabilities:

A heap-based buffer overflow in the encode_slice function in
libavcodec/proresenc_kostya.c in FFmpeg before 1.2.9 can cause a crash,
allowing a malicious image file to cause a denial of service (CVE-2014-5271).

libavcodec/iff.c in FFmpeg before 1.2.9 allows an attacker to have an
unspecified impact via a crafted iff image, which triggers an out-of-bounds
array access, related to the rgb8 and rgbn formats (CVE-2014-5272).

libavcodec/mjpegdec.c in FFmpeg before 1.2.9 considers only dimension
differences, and not bits-per-pixel differences, when determining whether an
image size has changed, which allows remote attackers to cause a denial of
service (out-of-bounds access) or possibly have unspecified other impact via
crafted MJPEG data (CVE-2014-8541).

libavcodec/utils.c in FFmpeg before 1.2.9 omits a certain codec ID during
enforcement of alignment, which allows remote attackers to cause a denial of
service (out-of-bounds access) or possibly have unspecified other impact via
crafted JV data (CVE-2014-8542).

libavcodec/mmvideo.c in FFmpeg before 1.2.9 does not consider all lines of
HHV Intra blocks during validation of image height, which allows remote
attackers to cause a denial of service (out-of-bounds access) or possibly
have unspecified other impact via crafted MM video data (CVE-2014-8543).

libavcodec/tiff.c in FFmpeg before 1.2.9 does not properly validate
bits-per-pixel fields, which allows remote attackers to cause a denial of
service (out-of-bounds access) or possibly have unspecified other impact via
crafted TIFF data (CVE-2014-8544).

libavcodec/pngdec.c in FFmpeg before 1.2.9 accepts the monochrome-black
format without verifying that the bits-per-pixel value is 1, which allows
remote attackers to cause a denial of service (out-of-bounds access) or
possibly have unspecified other impact via crafted PNG data (CVE-2014-8545).

Integer underflow in libavcodec/cinepak.c in FFmpeg before 1.2.9 allows
remote attackers to cause a denial of service (out-of-bounds access) or
possibly have unspecified other impact via crafted Cinepak video data
(CVE-2014-8546).

libavcodec/gifdec.c in FFmpeg before 1.2.9 does not properly compute image
heights, which allows remote attackers to cause a denial of service
(out-of-bounds access) or possibly have unspecified other impact via crafted
GIF data (CVE-2014-8547).

Off-by-one error in libavcodec/smc.c in FFmpeg before 1.2.9 allows remote
attackers to cause a denial of service (out-of-bounds access) or possibly
have unspecified other impact via crafted Quicktime Graphics (aka SMC) video
data (CVE-2014-8548).

Avidemux built with a bundled set of FFmpeg libraries.  The bundled FFmpeg
version have been updated from 1.2.7 to 1.2.10 to fix these security issues
and other bugs fixed upstream in FFmpeg.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8542
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8548
http://git.videolan.org/?p=ffmpeg.git;a=log;h=n2.0.6
http://ffmpeg.org/download.html
http://ffmpeg.org/security.html
http://openwall.com/lists/oss-security/2014/08/16/6
========================

Updated packages in {core,tainted}/updates_testing:
========================
libavidemux-2.6.6-2.2.mga4
avidemux-devel-2.6.6-2.2.mga4

from avidemux-2.6.6-2.2.mga4.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure

Comment 3 David Walser 2014-11-15 00:16:08 CET
Oops, reposting the previous comment, fixing an error in the References.

Updated package uploaded for Mageia 4.

Note that there are both core and tainted builds for this package.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13643#c8

Advisory:
========================

Updated avidemux packages fix security vulnerabilities:

A heap-based buffer overflow in the encode_slice function in
libavcodec/proresenc_kostya.c in FFmpeg before 1.2.9 can cause a crash,
allowing a malicious image file to cause a denial of service (CVE-2014-5271).

libavcodec/iff.c in FFmpeg before 1.2.9 allows an attacker to have an
unspecified impact via a crafted iff image, which triggers an out-of-bounds
array access, related to the rgb8 and rgbn formats (CVE-2014-5272).

libavcodec/mjpegdec.c in FFmpeg before 1.2.9 considers only dimension
differences, and not bits-per-pixel differences, when determining whether an
image size has changed, which allows remote attackers to cause a denial of
service (out-of-bounds access) or possibly have unspecified other impact via
crafted MJPEG data (CVE-2014-8541).

libavcodec/utils.c in FFmpeg before 1.2.9 omits a certain codec ID during
enforcement of alignment, which allows remote attackers to cause a denial of
service (out-of-bounds access) or possibly have unspecified other impact via
crafted JV data (CVE-2014-8542).

libavcodec/mmvideo.c in FFmpeg before 1.2.9 does not consider all lines of
HHV Intra blocks during validation of image height, which allows remote
attackers to cause a denial of service (out-of-bounds access) or possibly
have unspecified other impact via crafted MM video data (CVE-2014-8543).

libavcodec/tiff.c in FFmpeg before 1.2.9 does not properly validate
bits-per-pixel fields, which allows remote attackers to cause a denial of
service (out-of-bounds access) or possibly have unspecified other impact via
crafted TIFF data (CVE-2014-8544).

libavcodec/pngdec.c in FFmpeg before 1.2.9 accepts the monochrome-black
format without verifying that the bits-per-pixel value is 1, which allows
remote attackers to cause a denial of service (out-of-bounds access) or
possibly have unspecified other impact via crafted PNG data (CVE-2014-8545).

Integer underflow in libavcodec/cinepak.c in FFmpeg before 1.2.9 allows
remote attackers to cause a denial of service (out-of-bounds access) or
possibly have unspecified other impact via crafted Cinepak video data
(CVE-2014-8546).

libavcodec/gifdec.c in FFmpeg before 1.2.9 does not properly compute image
heights, which allows remote attackers to cause a denial of service
(out-of-bounds access) or possibly have unspecified other impact via crafted
GIF data (CVE-2014-8547).

Off-by-one error in libavcodec/smc.c in FFmpeg before 1.2.9 allows remote
attackers to cause a denial of service (out-of-bounds access) or possibly
have unspecified other impact via crafted Quicktime Graphics (aka SMC) video
data (CVE-2014-8548).

Avidemux built with a bundled set of FFmpeg libraries.  The bundled FFmpeg
version have been updated from 1.2.7 to 1.2.10 to fix these security issues
and other bugs fixed upstream in FFmpeg.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8542
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8548
http://git.videolan.org/?p=ffmpeg.git;a=log;h=n1.2.10
http://ffmpeg.org/download.html
http://ffmpeg.org/security.html
http://openwall.com/lists/oss-security/2014/08/16/6
========================

Updated packages in {core,tainted}/updates_testing:
========================
libavidemux-2.6.6-2.2.mga4
avidemux-devel-2.6.6-2.2.mga4

from avidemux-2.6.6-2.2.mga4.src.rpm
Comment 4 Herman Viaene 2014-11-25 15:52:10 CET
Tested on Mageia4-64 on HP6555b
I was able to load a 1.7Gb mpg file in avidemux and play it without problems.
Saved to avi, resulting file plays OK.
Used CLI to convert mgp to mp4: OK
Note: I didn't see a avidemux-gtk package, so not all tests from bug 13643 have been done.

CC: (none) => herman.viaene

Comment 5 David Walser 2014-11-25 15:54:26 CET
(In reply to Herman Viaene from comment #4)
> Tested on Mageia4-64 on HP6555b
> Note: I didn't see a avidemux-gtk package, so not all tests from bug 13643
> have been done.

avidemux-gtk doesn't exist anymore as of Mageia 4.  I'll add the OK tag.

Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 6 David Walser 2014-11-26 17:32:11 CET
I downloaded these two files to test both updates:
http://download.wavetlan.com/SVV/Media/HTTP/mkv/H264_mp3(mkvmerge).mkv
http://download.wavetlan.com/SVV/Media/HTTP/mkv/MP4_avc_mp3(720p)(SUPER).MKV

as well as this one to test the tainted update:
http://download.wavetlan.com/SVV/Media/HTTP/mkv/MP4_DIVX_AAC-LC-(mkvmerge).mkv

all from here:
http://download.wavetlan.com/SVV/Media/HTTP/http-mkv.htm

They play fine with mplayer and avidemux-qt (avidemux3_qt4).  With the tainted version, the last video plays sound successfully.

Used avidemux3_qt4 to convert them to avi format (by simply saving them with a .avi extension) and avidemux3_cli to convert them to mp4 format, like:
avidemux3_cli --load H264_mp3\(mkvmerge\).mkv --save file1.mp4 --output-format mp4 --quit

The resulting files all play fine with mplayer or avidemux-qt.

Tested successfully Mageia 4 i586.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 7 Rémi Verschelde 2014-11-26 17:48:11 CET
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 8 Mageia Robot 2014-11-26 18:30:09 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0491.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.