Bug 20757 - ffmpeg new security issues fixed in 3.3
Summary: ffmpeg new security issues fixed in 3.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK MGA5-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-04-29 23:33 CEST by David Walser
Modified: 2018-01-01 11:39 CET (History)
5 users (show)

See Also:
Source RPM: ffmpeg-3.2.4-4.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-04-29 23:33:14 CEST
openSUSE has issued an advisory on April 28:
https://lists.opensuse.org/opensuse-updates/2017-04/msg00106.html
Comment 1 Nicolas Lécureuil 2017-04-30 09:10:27 CEST
available in updates_testing.

Do we push it now in core/release ?

CC: (none) => mageia

Comment 2 Marja Van Waes 2017-04-30 10:43:16 CEST
(In reply to Nicolas Lécureuil from comment #1)
> available in updates_testing.

Thanks :-)
> 
> Do we push it now in core/release ?


Shlomi, you're the registered maintainer... do you have any objection against pushing it to core/release now?

Btw, is Mga5 not affected?

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 3 David Walser 2017-04-30 12:00:04 CEST
Mageia 5 probably is affected, but we can't update it to 3.3.

The usual concern with ffmpeg is does it break building anything against it, so that needs to be tested.  As long as everything still builds fine, it can be pushed into release.
Comment 4 Shlomi Fish 2017-04-30 14:09:57 CEST
(In reply to Marja van Waes from comment #2)
> (In reply to Nicolas Lécureuil from comment #1)
> > available in updates_testing.
> 
> Thanks :-)
> > 
> > Do we push it now in core/release ?
> 
> 
> Shlomi, you're the registered maintainer... do you have any objection
> against pushing it to core/release now?
> 

I don't have an objection. Go for it.

> Btw, is Mga5 not affected?
Comment 5 Nicolas Lécureuil 2017-04-30 14:22:32 CEST
pushed in mga6 core/release
Comment 6 Nicolas Lécureuil 2017-04-30 14:29:56 CEST
i am patching mga5

the list of the CVE:

CVE-2017-7865
CVE-2017-7863
CVE-2017-7862
CVE-2017-7859
CVE-2016-10192
CVE-2016-10191
CVE-2016-10190
Comment 7 Nicolas Lécureuil 2017-04-30 16:38:24 CEST
CVE-2017-7866 is fixed on mga5 in the SVN
Comment 8 Nicolas Lécureuil 2017-04-30 16:49:51 CEST
CVE-2017-7862 is fixed on mga5 in the SVN
Nicolas Lécureuil 2017-05-01 01:36:46 CEST

Version: Cauldron => 5

Comment 9 David Walser 2017-07-09 01:39:57 CEST
Nicolas, do you have any more patches for this?
Comment 10 Nicolas Lécureuil 2017-08-14 22:20:44 CEST
no i need to look.
Comment 11 David Walser 2017-08-15 13:44:04 CEST
The one CVE listed in the git log for 3.3.3 was fixed here:
https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/0a709e2a10b8288a0cc383547924ecfe285cef89

More info here:
http://seclists.org/oss-sec/2017/q3/288
Comment 12 David Walser 2017-11-03 23:16:22 CET
CVE-2017-15672, fixed in git after 3.3.4, announced here today (November 3):
http://openwall.com/lists/oss-security/2017/11/03/4
Comment 13 David Walser 2017-11-08 02:38:31 CET
CVE-2017-15186:
http://openwall.com/lists/oss-security/2017/11/06/14
Comment 14 David Walser 2017-12-27 05:03:28 CET
We could try asking for one more 2.4.x update in #ffmpeg-devel, but I don't know if there's time.
Comment 15 David Walser 2017-12-31 03:40:22 CET
The upstream maintainer has updated the 2.4.x branch as requested and will roll a new release tomorrow, so we can get the last update packaged.
Comment 16 David Walser 2017-12-31 15:40:26 CET
Updated packages uploaded for Mageia 5.

Note that there are core and tainted builds for this package.

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

This update provides ffmpeg version 2.4.14, which fixes several security
vulnerabilities and other bugs which were corrected upstream.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6881
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5024
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7866
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11665
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11665
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14057
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14171
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17081
http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=n2.4.14
http://ffmpeg.org/olddownload.html
http://ffmpeg.org/security.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-2.4.14-1.mga5
libavcodec56-2.4.14-1.mga5
libpostproc53-2.4.14-1.mga5
libavformat56-2.4.14-1.mga5
libavutil54-2.4.14-1.mga5
libswscaler3-2.4.14-1.mga5
libavfilter5-2.4.14-1.mga5
libswresample1-2.4.14-1.mga5
libffmpeg-devel-2.4.14-1.mga5
libffmpeg-static-devel-2.4.14-1.mga5

from ffmpeg-2.4.14-1.mga5.src.rpm

Assignee: shlomif => qa-bugs

Comment 17 Thomas Andrews 2018-01-01 05:20:49 CET
On real hardware, Athlon X2 7750, Geforce 9800GT video, Atheros wifi.

The following 8 packages are going to be installed:

- ffmpeg-2.4.14-1.mga5.tainted.x86_64
- lib64avcodec56-2.4.14-1.mga5.tainted.x86_64
- lib64avfilter5-2.4.14-1.mga5.tainted.x86_64
- lib64avformat56-2.4.14-1.mga5.tainted.x86_64
- lib64avutil54-2.4.14-1.mga5.tainted.x86_64
- lib64postproc53-2.4.14-1.mga5.tainted.x86_64
- lib64swresample1-2.4.14-1.mga5.tainted.x86_64
- lib64swscaler3-2.4.14-1.mga5.tainted.x86_64

According to the ffmpeg Wikipedia article, both vlc and Linux Firefox use ffmpeg for audio and video playback. So, after installing the updates, I played several videos with vlc, with both mp4 and mkv extensions, and I played several Youtube videos. Everything was excellent.

As I believe playback decoding is the most common use of ffmpeg, I am giving it an OK on this hardware.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA5-64-OK

Dave Hodgins 2018-01-01 09:28:49 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 18 Dave Hodgins 2018-01-01 09:36:53 CET
Core and Tainted versions tested under vb. Validating the update.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 19 Mageia Robot 2018-01-01 11:39:47 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0008.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.