Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.
CVE: (none) => CVE-2017-15186 CVE-2017-15672 CVE-2017-16840
http://ffmpeg.org/security.html only lists CVE-2017-15186, so I don't know where you got the other CVEs from. We do need to update to 3.3.5. It has been built by Shlomi (I believe it was packaged by one of his apprentices), but they forgot to file a bug for it.
Summary: [UPDATE REQUEST] ffmpeg CVE-2017-16840. => ffmpeg 3.3.5 (fixes CVE-2017-15186)
Assignee: bugsquad => shlomif
Note that there are core and tainted builds for this package.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8065#c6
https://bugs.mageia.org/show_bug.cgi?id=14042#c6

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

This update provides ffmpeg version 3.3.5, which fixes several security vulnerabilities and other bugs which were corrected upstream.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15186
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.3.5
http://ffmpeg.org/download.html
http://ffmpeg.org/security.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-3.3.5-1.mga6
libavcodec57-3.3.5-1.mga6
libpostproc54-3.3.5-1.mga6
libavformat57-3.3.5-1.mga6
libavutil55-3.3.5-1.mga6
libavresample3-3.3.5-1.mga6
libswscaler4-3.3.5-1.mga6
libavfilter6-3.3.5-1.mga6
libswresample2-3.3.5-1.mga6
libffmpeg-devel-3.3.5-1.mga6
libffmpeg-static-devel-3.3.5-1.mga6

from ffmpeg-3.3.5-1.mga6.src.rpm
Assignee: shlomif => qa-bugs
Mageia 6 :: x86_64

From Core Updates Testing:
- ffmpeg-3.3.5-1.mga6.x86_64
- lib64avcodec57-3.3.5-1.mga6.x86_64
- lib64avfilter6-3.3.5-1.mga6.x86_64
- lib64avformat57-3.3.5-1.mga6.x86_64
- lib64avresample3-3.3.5-1.mga6.x86_64
- lib64avutil55-3.3.5-1.mga6.x86_64
- lib64postproc54-3.3.5-1.mga6.x86_64
- lib64swresample2-3.3.5-1.mga6.x86_64
- lib64swscaler4-3.3.5-1.mga6.x86_64

Installed the development packages as well.

$ ffmpeg -n -i findmusic.avi findmusic.mkv
$ file findmusic.mkv
findmusic.mkv: Matroska data
$ ffmpeg -i Ceres_PIA20182.mov Ceres.mp4
$ ffmpeg -i Ceres.mp4 Ceres.webm
Very slow, frame by frame conversion for 160MB file, so crashed out of that. The shortened output played OK in vlc.
$ ffmpeg -i Proxima_B.webm proxima.avi
$ ffmpeg -i OrbitingJupiter.mp4 -n Juno.mov
That failed on the encoding - probably needs tainted.
$ ffmpeg -i Trappist-1.mkv trappist.flv
$ ffmpeg -i trappist.flv trappist.mkv
$ ffmpeg -i trappist.flv trappist.avi
$ ffmpeg -i trappist.avi trappist_2.mkv
$ ffmpeg -i trappist.flv trappist.wmv

All the converted files could be played in vlc or mplayer with audio and subtitles tracks where provided.

Enabled tainted updates testing and updated ffmpeg packages again.
- ffmpeg-3.3.5-1.mga6.tainted.x86_64
- lib64avcodec57-3.3.5-1.mga6.tainted.x86_64
- lib64avfilter6-3.3.5-1.mga6.tainted.x86_64
- lib64avformat57-3.3.5-1.mga6.tainted.x86_64
- lib64avresample3-3.3.5-1.mga6.tainted.x86_64
- lib64avutil55-3.3.5-1.mga6.tainted.x86_64
- lib64ffmpeg-devel-3.3.5-1.mga6.tainted.x86_64
- lib64ffmpeg-static-devel-3.3.5-1.mga6.tainted.x86_64
- lib64opencore-amr-devel-0.1.3-1.mga6.tainted.x86_64
- lib64postproc54-3.3.5-1.mga6.tainted.x86_64
- lib64swresample2-3.3.5-1.mga6.tainted.x86_64
- lib64swscaler4-3.3.5-1.mga6.tainted.x86_64
- lib64vo-amrwbenc-devel-0.1.3-2.mga6.tainted.x86_64
- lib64x264-devel-0.148-0.20170120.stable.5.mga6.tainted.x86_64
- lib64x265-devel-2.2-1.mga6.tainted.x86_64
- lib64xvidcore-devel-1.3.4-3.mga6.tainted.x86_64

$ ffmpeg -i OrbitingJupiter.mp4 -n Juno.mov
That failed on the encoding - probably needs tainted.
$ ffmpeg -i Trappist-1.mkv trappist.flv
$ ffmpeg -i trappist.flv trappist.mkv
$ ffmpeg -i trappist.flv trappist.avi
$ ffmpeg -i trappist.avi trappist_2.mkv
$ ffmpeg -i trappist.flv trappist.wmv

All the converted files could be played in vlc or mplayer with audio and subtitles tracks where provided.

Enabled tainted updates testing and updated ffmpeg packages again.
- ffmpeg-3.3.5-1.mga6.tainted.x86_64
- lib64avcodec57-3.3.5-1.mga6.tainted.x86_64
- lib64avfilter6-3.3.5-1.mga6.tainted.x86_64
- lib64avformat57-3.3.5-1.mga6.tainted.x86_64
- lib64avresample3-3.3.5-1.mga6.tainted.x86_64
- lib64avutil55-3.3.5-1.mga6.tainted.x86_64
- lib64ffmpeg-devel-3.3.5-1.mga6.tainted.x86_64
- lib64ffmpeg-static-devel-3.3.5-1.mga6.tainted.x86_64
- lib64opencore-amr-devel-0.1.3-1.mga6.tainted.x86_64
- lib64postproc54-3.3.5-1.mga6.tainted.x86_64
- lib64swresample2-3.3.5-1.mga6.tainted.x86_64
- lib64swscaler4-3.3.5-1.mga6.tainted.x86_64
- lib64vo-amrwbenc-devel-0.1.3-2.mga6.tainted.x86_64
- lib64x264-devel-0.148-0.20170120.stable.5.mga6.tainted.x86_64
- lib64x265-devel-2.2-1.mga6.tainted.x86_64
- lib64xvidcore-devel-1.3.4-3.mga6.tainted.x86_64

Ran successful ffmpeg tests with another set of files apart from this one:
$ ffmpeg -i OrbitingJupiter.mp4 -n Juno.mov
which succeeded this time.

$ ffmpeg -i pia20055-16.gif L-dwarf.flv
The initial animated gif could be viewed using eom.

Audio files converted fine and played OK with mplayer and play.
$ ffmpeg -i CherryOhBaby.wav cob.flac
$ ffmpeg -i cob.flac cob.mp3
$ ffmpeg -i JoyToTheWorld.ogg carol.flac

Rip an audio track from a video file:
$ ffmpeg -i Nabucco.mp4 -f mp3 -ab 44100 -vn nabucco.mp3
That worked fine and the output file sounded OK using play.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
Sorry for the doubled text above. Finger trouble at 3 in the morning.
In VirtualBox, M6, MATE, 32-bit

Package(s) under test:
ffmpeg libavcodec57 libpostproc54 libavformat57 libavutil55 libswscaler4 libavfilter6

default install of ffmpeg libavcodec57 libpostproc54 libavformat57 libavutil55 libswscaler4 libavfilter6

[root@localhost ffmpeg_test]# urpmi ffmpeg
Package ffmpeg-3.3.4-1.mga6.tainted.i586 is already installed
[root@localhost ffmpeg_test]# urpmi libavcodec57
Package libavcodec57-3.3.4-1.mga6.tainted.i586 is already installed
[root@localhost ffmpeg_test]# urpmi libpostproc54
Package libpostproc54-3.3.4-1.mga6.tainted.i586 is already installed
[root@localhost ffmpeg_test]# urpmi libavformat57
Package libavformat57-3.3.4-1.mga6.tainted.i586 is already installed
[root@localhost ffmpeg_test]# urpmi libavutil55
Package libavutil55-3.3.4-1.mga6.tainted.i586 is already installed
[root@localhost ffmpeg_test]# urpmi libswscaler4
Package libswscaler4-3.3.4-1.mga6.tainted.i586 is already installed
[root@localhost ffmpeg_test]# urpmi libavfilter6
Package libavfilter6-3.3.4-1.mga6.tainted.i586 is already installed

ffmpeg -i canon_org.mov -ar 22050 -s 240x140 canon.mp4
ffmpeg -i ob_org.flv -ar 22050 -s 240x140 ob.wmv
ffmpeg -i sony_org.mp4 -ar 48000 -vb 303000 -r 30 -s 640x480 -aspect 4:3 -vcodec mpeg4 sony_resize.mp4
ffmpeg -i waiting_for_santa_org.wmv -ar 48000 waiting_for_santa.mp4
ffmpeg -i star_wars_org.wav star_wars.mp3
ffmpeg -i james_bond_theme_org.mp3 james_bond_theme.webm
ffmpeg -i james_bond_theme.webm james_bond_theme.flac
ffmpeg -i waiting_for_santa_org.wmv waiting_for_santa.mp3

All processes proceeded correctly.
Created files play with VLC

install ffmpeg libavcodec57 libpostproc54 libavformat57 libavutil55 libswscaler4 libavfilter6 from updates_testing

[root@localhost wilcal]# urpmi ffmpeg
Package ffmpeg-3.3.5-1.mga6.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libavcodec57
Package libavcodec57-3.3.5-1.mga6.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libpostproc54
Package libpostproc54-3.3.5-1.mga6.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libavformat57
Package libavformat57-3.3.5-1.mga6.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libavutil55
Package libavutil55-3.3.5-1.mga6.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libswscaler4
Package libswscaler4-3.3.5-1.mga6.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libavfilter6
Package libavfilter6-3.3.5-1.mga6.tainted.i586 is already installed

ffmpeg -i canon_org.mov -ar 22050 -s 240x140 canon.mp4
ffmpeg -i ob_org.flv -ar 22050 -s 240x140 ob.wmv
ffmpeg -i sony_org.mp4 -ar 48000 -vb 303000 -r 30 -s 640x480 -aspect 4:3 -vcodec mpeg4 sony_resize.mp4
ffmpeg -i waiting_for_santa_org.wmv -ar 48000 waiting_for_santa.mp4
ffmpeg -i star_wars_org.wav star_wars.mp3
ffmpeg -i james_bond_theme_org.mp3 james_bond_theme.webm
ffmpeg -i james_bond_theme.webm james_bond_theme.flac
ffmpeg -i waiting_for_santa_org.wmv waiting_for_santa.mp3

All processes proceeded correctly.
Created files play with VLC
CC: (none) => wilcal.int
Whiteboard: MGA6-64-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Good to go
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0446.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED