OpenSuSE has issued an advisory on November 27: http://lists.opensuse.org/opensuse-updates/2015-11/msg00146.html

The upstream security page shows several security issues fixed in 2.4.11 (and the same ones fixed in 2.8), as well as some newer ones fixed in 2.8.2 and 2.8.3, at least some of which probably affect 2.4.11. We'll need to ask upstream to roll a new 2.4.x release with all of the latest fixes.
URL: (none) => http://lwn.net/Vulnerabilities/666134/
Some more CVEs: http://lwn.net/Vulnerabilities/669407/ From this OpenSuSE advisory from December 27: http://lists.opensuse.org/opensuse-updates/2015-12/msg00118.html There are also more CVEs fixed in 2.8.4.
FFmpeg 2.4.12 was released on December 10, with all the latest security fixes. Updated packages uploaded for Mageia 5. Note that there are core and tainted builds for this package.

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

The update_dimensions function in libavcodec/vp8.c in FFmpeg before 2.4.12, as used in Google Chrome before 46.0.2490.71 and other products, relies on a coefficient-partition count during multi-threaded operation, which allows remote attackers to cause a denial of service (race condition and memory corruption) or possibly have unspecified other impact via a crafted WebM file (CVE-2015-6761).

The decode_ihdr_chunk function in libavcodec/pngdec.c in FFmpeg before 2.4.11 does not enforce uniqueness of the IHDR (aka image header) chunk in a PNG image, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted image with two or more of these chunks (CVE-2015-6818).

The ff_sbr_apply function in libavcodec/aacsbr.c in FFmpeg before 2.4.11 does not check for a matching AAC frame syntax element before proceeding with Spectral Band Replication calculations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted AAC data (CVE-2015-6820).

The ff_mpv_common_init function in libavcodec/mpegvideo.c in FFmpeg before 2.4.11 does not properly maintain the encoding context, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via crafted MPEG data (CVE-2015-6821).

The destroy_buffers function in libavcodec/sanm.c in FFmpeg before 2.4.11 does not properly maintain height and width values in the video context, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via crafted LucasArts Smush video data (CVE-2015-6822).

The allocate_buffers function in libavcodec/alac.c in FFmpeg before 2.4.11 does not initialize certain context data, which allows remote attackers to cause a denial of service (segmentation violation) or possibly have unspecified other impact via crafted Apple Lossless Audio Codec (ALAC) data (CVE-2015-6823).

The sws_init_context function in libswscale/utils.c in FFmpeg before 2.4.11 does not initialize certain pixbuf data structures, which allows remote attackers to cause a denial of service (segmentation violation) or possibly have unspecified other impact via crafted video data (CVE-2015-6824).

The ff_frame_thread_init function in libavcodec/pthread_frame.c in FFmpeg before 2.4.11 mishandles certain memory-allocation failures, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via a crafted file, as demonstrated by an AVI file (CVE-2015-6825).

The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c in FFmpeg before 2.4.11 does not initialize certain structure members, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via crafted RV30 or RV40 RealVideo data (CVE-2015-6826).

The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg before 2.4.12 omits certain width and height checks, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted MJPEG data (CVE-2015-8216).

The init_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.4.12 does not enforce minimum-value and maximum-value constraints on tile coordinates, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data (CVE-2015-8219).

The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in FFmpeg before 2.4.12 does not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via a crafted image with two or more of these markers (CVE-2015-8363).

Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi.c in FFmpeg before 2.4.12 allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via crafted image dimensions in Indeo Video Interactive data (CVE-2015-8364).

The smka_decode_frame function in libavcodec/smacker.c in FFmpeg before 2.4.12 does not verify that the data size is consistent with the number of channels, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Smacker data (CVE-2015-8365).

The h264_slice_header_init function in libavcodec/h264_slice.c in FFmpeg before 2.4.12 does not validate the relationship between the number of threads and the number of slices, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted H.264 data (CVE-2015-8661).

The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.4.12 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data (CVE-2015-8662).

The ff_get_buffer function in libavcodec/utils.c in FFmpeg before 2.4.12 preserves width and height values after a failure, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted .mov file (CVE-2015-8663).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6818
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6820
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6821
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6822
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6823
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6824
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6825
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6826
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8661
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8663
http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=n2.4.12
http://ffmpeg.org/download.html
http://ffmpeg.org/security.html
========================

Updated packages in {core,tainted}/updates_testing:
========================

ffmpeg-2.4.12-1.mga5
libavcodec56-2.4.12-1.mga5
libpostproc53-2.4.12-1.mga5
libavformat56-2.4.12-1.mga5
libavutil54-2.4.12-1.mga5
libswscaler3-2.4.12-1.mga5
libavfilter5-2.4.12-1.mga5
libswresample1-2.4.12-1.mga5
libffmpeg-devel-2.4.12-1.mga5
libffmpeg-static-devel-2.4.12-1.mga5

from ffmpeg-2.4.12-1.mga5.src.rpm
Assignee: shlomif => qa-bugs
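Several of the CVEs in the advisory above share one pattern: a header that is only allowed once (IHDR in PNG for CVE-2015-6818, SIZ in JPEG 2000 for CVE-2015-8363) is accepted a second time, and the decoder re-reads dimensions after buffers were already sized from the first copy. The following is an added example, not FFmpeg's code and not part of the Mageia advisory: a minimal PNG chunk walker written for this page that shows the shape of the missing check. It takes dimensions only from a single IHDR, rejects a repeated IHDR, and refuses chunk lengths that run past the buffer. The PNG signature and chunk layout (4-byte length, 4-byte type, data, 4-byte CRC) are from the PNG specification; the sample files are constructed inline, and CRCs are not verified here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of walking the chunk stream. */
enum png_status {
    PNG_OK = 0,
    PNG_ERR_SIGNATURE,          /* not a PNG at all */
    PNG_ERR_TRUNCATED,          /* a chunk length runs past the buffer */
    PNG_ERR_IHDR_MISSING,       /* another chunk precedes IHDR, or no IHDR */
    PNG_ERR_IHDR_DUPLICATE,     /* second IHDR: the input class CVE-2015-6818 names */
    PNG_ERR_IHDR_BAD_LENGTH,    /* IHDR payload is always 13 bytes */
    PNG_ERR_IHDR_BAD_DIMENSIONS /* zero or > 2^31-1 */
};

struct png_header {
    uint32_t width, height;
    uint8_t bit_depth, color_type;
};

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk "length, type, data, crc" chunks after the 8-byte signature.
 * IHDR must be first and must appear exactly once, so dimensions can
 * never be changed by a later chunk once buffers have been sized. */
enum png_status png_scan(const uint8_t *buf, size_t len, struct png_header *hdr)
{
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
    size_t pos = sizeof sig;
    int seen_ihdr = 0;

    if (len < sizeof sig || memcmp(buf, sig, sizeof sig) != 0)
        return PNG_ERR_SIGNATURE;

    while (pos < len) {
        uint32_t clen;
        const uint8_t *type, *data;

        if (len - pos < 12)            /* room for length + type + crc */
            return PNG_ERR_TRUNCATED;
        clen = rd_be32(buf + pos);
        if (clen > len - pos - 12)     /* compared this way so it cannot overflow */
            return PNG_ERR_TRUNCATED;
        type = buf + pos + 4;
        data = buf + pos + 8;

        if (memcmp(type, "IHDR", 4) == 0) {
            if (seen_ihdr)
                return PNG_ERR_IHDR_DUPLICATE;
            if (clen != 13)
                return PNG_ERR_IHDR_BAD_LENGTH;
            hdr->width      = rd_be32(data);
            hdr->height     = rd_be32(data + 4);
            hdr->bit_depth  = data[8];
            hdr->color_type = data[9];
            if (hdr->width == 0 || hdr->height == 0 ||
                hdr->width > 0x7fffffffu || hdr->height > 0x7fffffffu)
                return PNG_ERR_IHDR_BAD_DIMENSIONS;
            seen_ihdr = 1;
        } else if (!seen_ihdr) {
            return PNG_ERR_IHDR_MISSING;
        } else if (memcmp(type, "IEND", 4) == 0) {
            return PNG_OK;
        }
        pos += 12 + (size_t)clen;
    }
    return seen_ihdr ? PNG_OK : PNG_ERR_IHDR_MISSING;
}

/* Constructed sample input: a 1x1 RGB PNG reduced to IHDR + IEND (no IDAT). */
#define PNG_SIG  0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a
#define IHDR_1X1 0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 2, 0, 0, 0, 0x90, 0x77, 0x53, 0xde
#define IEND_CHK 0, 0, 0, 0, 'I', 'E', 'N', 'D', 0xae, 0x42, 0x60, 0x82

static const uint8_t sample_good[]     = { PNG_SIG, IHDR_1X1, IEND_CHK };
static const uint8_t sample_dup_ihdr[] = { PNG_SIG, IHDR_1X1, IHDR_1X1, IEND_CHK };

enum png_status scan_sample_good(void)
{
    struct png_header h;
    return png_scan(sample_good, sizeof sample_good, &h);
}

enum png_status scan_sample_duplicate_ihdr(void)
{
    struct png_header h;
    return png_scan(sample_dup_ihdr, sizeof sample_dup_ihdr, &h);
}

enum png_status scan_sample_truncated(void)   /* cut inside the IHDR payload */
{
    struct png_header h;
    return png_scan(sample_good, 20, &h);
}

uint32_t sample_good_width(void)
{
    struct png_header h = {0};
    png_scan(sample_good, sizeof sample_good, &h);
    return h.width;
}

int main(void)
{
    printf("good=%d duplicate_ihdr=%d truncated=%d width=%u\n",
           scan_sample_good(), scan_sample_duplicate_ihdr(),
           scan_sample_truncated(), sample_good_width());
    return 0;
}
```

The same two rules (reject a repeated header, and never trust a chunk length without comparing it against the bytes actually remaining) are what the JPEG 2000 SIZ-marker fix and the Smacker data-size-vs-channels fix in the advisory boil down to; a parser that sizes buffers from a header it may read twice is the bug, regardless of container.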
LWN reference for the last three CVEs: http://lwn.net/Vulnerabilities/671740/ from this openSUSE advisory on January 12: http://lists.opensuse.org/opensuse-updates/2016-01/msg00025.html
mga5 x86_64 Mate

$ urpmq --whatrequires ffmpeg | sort | uniq > list
$ cat list
2mandvd
devede
dvdstyler
fdesktoprecorder
feff
ffdiaporama
ffmpeg
ffmulticonverter
imagination
kdenlive
kino
kmediafactory
konvertible
luciole
miro
mythtv-plugin-archive
ps3mediaserver
pymecavideo
synfig
videoconvert
winff
xvidcap
zoneminder

No experience with any of these so picked out kino and ffmpeg. Ran the tests below before and after the two sets of updates (Core and Tainted).

Disabled Tainted Release and Tainted Updates and ran MageiaUpdate. Nothing turned up so:

# urpmi --downgrade ffmpeg

This removed some packages and offered ffmpeg-2.4.9-1.mga5.x86_64. Installed that and experimented with kino and used ffmpeg to convert an mp4 file to avi. Both looked OK although, as before, the avi file looked a little pixelated.

Enabled Core Updates Testing and installed ffmpeg-2.4.12-1 which pulled in all the other packages listed except development packages. Installed those afterwards, another 37 packages. Used kino to open an m4v file, import to DV and run under PAL. Frame-stepping, random indexing on timeline, rewind, saving still frame and save project all worked. I think the important bit here is the importing of a file to DV (Direct Video?).

$ ffmpeg -i Lauren.m4v Lauren.avi
ffmpeg version 2.4.9 Copyright (c) 2000-2015 the FFmpeg developers
  built on May 17 2015 20:05:51 with gcc 4.9.2 (GCC)
  configuration: --prefix=/usr --enable-shared --libdir=/usr/lib64 --shlibdir=/usr/lib64 --incdir=/usr/include --disable-stripping --enable-postproc --enable-gpl --enable-pthreads --enable-libtheora --enable-libvorbis --disable-encoder=vorbis --enable-libvpx --enable-x11grab --enable-runtime-cpudetect --enable-libdc1394 --enable-libschroedinger --enable-librtmp --enable-libspeex --enable-libfreetype --enable-libnut --enable-libgsm --enable-libcelt --enable-libopus --disable-libopencv --enable-libopenjpeg --enable-libtwolame --enable-libxavs --enable-frei0r --enable-libmodplug --enable-libass --enable-gnutls --enable-libcdio --enable-libpulse --enable-libv4l2 --enable-libmp3lame --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-version3 --enable-libx264 --enable-libvo-aacenc --enable-libvo-amrwbenc --enable-libxvid
  libavutil      54.  7.100 / 54.  7.100
  libavcodec     56.  1.100 / 56.  1.100
  libavformat    56.  4.101 / 56.  4.101
  libavdevice    56.  0.100 / 56.  0.100
  libavfilter     5.  1.100 /  5.  1.100
  libswscale      3.  0.100 /  3.  0.100
  libswresample   1.  1.100 /  1.  1.100
  libpostproc    53.  0.100 / 53.  0.100
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from 'Lauren.m4v':
  Metadata:
    major_brand     : M4V
    minor_version   : 1
    compatible_brands: M4V M4A mp42isom
..........
Stream mapping:
  Stream #0:1 -> #0:0 (h264 (native) -> mpeg4 (native))
  Stream #0:0 -> #0:1 (aac (native) -> mp3 (libmp3lame))
Press [q] to stop, [?] for help
frame=  488 fps=0.0 q=24.8 size=    1143kB time=00:00:16.90 bitrate= 554.0kbits/s
frame=  938 fps=937 q=24.8 size=    1953kB time=00:00:31.89 bitrate= 501.6kbits/s
frame= 1399 fps=932 q=31.0 size=    2719kB time=00:00:47.25 bitrate= 471.4kbits/s
frame= 1870 fps=934 q=31.0 size=    3785kB time=00:01:02.90 bitrate= 492.9kbits/s
frame= 2147 fps=952 q=31.0 Lsize=    4342kB time=00:01:11.81 bitrate= 495.3kbits/s
video:3094kB audio:1122kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 2.977621%

The input file was converted and played OK if a little pixelated.

Repeated all this with Tainted Release/Updates and Tainted Updates Testing enabled. Both kino and ffmpeg worked as before. Within the limits of my knowledge ffmpeg looks OK for Core and Tainted release.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
mga5 i586 vbox Mate Installed the tainted packages and tested them as above. Looks OK. However I have not managed to get back to the Core Release version; in spite of disabling the tainted repositories downgrading always offers the tainted ffmpeg.
Right - done it. Installed the Core Updates Testing packages and successfully converted a video file from one format to another. OK then for 32-bits. Validating this.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA-32-OK
CC: (none) => sysadmin-bugs
Whiteboard: MGA5-64-OK MGA-32-OK => MGA5-64-OK MGA5-32-OK
advisory added to svn
CC: (none) => tmb
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0018.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for the remaining CVEs: http://lwn.net/Vulnerabilities/672075/