FFmpeg 3.3.8 has been released on July 17, fixing a few security issues:
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.3.8
http://ffmpeg.org/download.html
http://ffmpeg.org/security.html

Additionally, 3.3.7, released on April 13, fixed several security issues as well.

Updated builds in progress.
Note that there are core and tainted builds for this package.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8065#c6
https://bugs.mageia.org/show_bug.cgi?id=14042#c6

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

This update provides ffmpeg version 3.3.8, which fixes several security vulnerabilities and other bugs which were corrected upstream.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6621
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13302
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.3.8
http://ffmpeg.org/download.html
http://ffmpeg.org/security.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-3.3.8-1.mga6
libavcodec57-3.3.8-1.mga6
libpostproc54-3.3.8-1.mga6
libavformat57-3.3.8-1.mga6
libavutil55-3.3.8-1.mga6
libavresample3-3.3.8-1.mga6
libswscaler4-3.3.8-1.mga6
libavfilter6-3.3.8-1.mga6
libswresample2-3.3.8-1.mga6
libffmpeg-devel-3.3.8-1.mga6
libffmpeg-static-devel-3.3.8-1.mga6

from ffmpeg-3.3.8-1.mga6.src.rpm
Assignee: luigiwalser => qa-bugs
Keywords: (none) => has_procedure
Debian has issued an advisory for this on July 17: https://www.debian.org/security/2018/dsa-4249
There are PoC files for some of the CVEs but no download links are presented and no relevant results are returned by Google search.
------------------------------------------------------------------------------
Using core version of ffmpeg:

$ ffmpeg -i Big_Buck_Bunny_1080p.divx bunny.avi
This appeared to work but at the end there was an error - "[mp3 @ 0x70da40] invalid new backstep -1"
vlc was able to play bunny.avi with sound but not mplayer, which showed video only.

Converted HowtoGiveCPR.m4v to cpr.avi. That worked with sound with both vlc and mplayer.

$ ffmpeg -i 'MP4_DIVX_AAC-LC-(mkvmerge).mkv' output2.avi
This terminated with these lines:
[matroska,webm @ 0x2422a00] Format matroska,webm detected only with low score of 1, misdetection possible!
Truncating packet of size 13344 to 6
[matroska,webm @ 0x2422a00] EBML header parsing failed
MP4_DIVX_AAC-LC-(mkvmerge).mkv: Invalid data found when processing input

Noted that the conversion output contained "--enable-libmp3lame --disable-decoder=aac --disable-encoder=aac"

Something similar happened in this instance:
$ ffmpeg -i Elephants_Dream_720p.divx elephants.mp4
"Automatic encoder selection failed for output stream #0:1. Default encoder for format mp4 (codec aac) is probably disabled. Please choose an encoder manually.
Error selecting an encoder for stream 0:1"

Combined MP4 and SRT files to generate a video file with subtitles which showed up using mplayer.
$ ffmpeg -n -i video.mp4 -f srt -i video.srt -c:s mov_text -metadata:s:s:0 language=eng -c:v copy -c:a copy video_st.mp4
-------------------------------------------------------------------------------
Updated the ffmpeg packages from the tainted repository.
Ran similar tests.

The MP4_DIVX_AAC-LC MKV file failed to convert, in exactly the same way as earlier.

Another, large MKV file was successfully converted - 392MB -> 731MB.
$ ffmpeg -i ADifferentSun.mkv output3.avi
The output file played fine in vlc with clear sound.

This conversion worked - 374MB to 185MB.
$ ffmpeg -i Elephants_Dream_720p.divx elephants.mp4
Sound works in mplayer.

$ ffmpeg -i pangaea.mp4 Pangaea.avi
This worked fine as well and rendered well in vlc. It is an anaglyphic 3D film and the stereo aspect was preserved perfectly across the conversion. No soundtrack.

$ ffmpeg -i Fashion_DivX720p_ASP.divx Fashion.avi
Sound and vision OK for Fashion.avi in mplayer.

Both sets of updates look OK for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
In VirtualBox, M6, MATE, 32-bit

Package(s) under test:
ffmpeg libavcodec57 libpostproc54 libavformat57 libavutil55 libswscaler4 libavfilter6

default install of ffmpeg libavcodec57 libpostproc54 libavformat57 libavutil55 libswscaler4 libavfilter6

[root@localhost wilcal]# urpmi ffmpeg
Package ffmpeg-3.3.6-1.mga6.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libavcodec57
Package libavcodec57-3.3.6-1.mga6.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libpostproc54
Package libpostproc54-3.3.6-1.mga6.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libavformat57
Package libavformat57-3.3.6-1.mga6.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libavutil55
Package libavutil55-3.3.6-1.mga6.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libswscaler4
Package libswscaler4-3.3.6-1.mga6.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libavfilter6
Package libavfilter6-3.3.6-1.mga6.tainted.i586 is already installed

ffmpeg -i canon_org.mov -ar 22050 -s 240x140 canon_1.mp4
ffmpeg -i ob_org.flv -ar 22050 -s 240x140 ob_1.wmv
ffmpeg -i sony_org.mp4 -ar 48000 -vb 303000 -r 30 -s 640x480 -aspect 4:3 -vcodec mpeg4 sony_resize_1.mp4
ffmpeg -i waiting_for_santa_org.wmv -ar 48000 waiting_for_santa_1.mp4
ffmpeg -i star_wars_org.wav star_wars_1.mp3
ffmpeg -i james_bond_theme_org.mp3 james_bond_theme_1.webm
ffmpeg -i james_bond_theme_1.webm james_bond_theme_1.flac
ffmpeg -i waiting_for_santa_org.wmv waiting_for_santa_1.mp3

All processes proceeded correctly.
Created files play with VLC

install ffmpeg libavcodec57 libpostproc54 libavformat57 libavutil55 libswscaler4 libavfilter6 from updates_testing

[root@localhost ffmpeg_test]# urpmi ffmpeg
Package ffmpeg-3.3.8-1.mga6.tainted.i586 is already installed
[root@localhost ffmpeg_test]# urpmi libavcodec57
Package libavcodec57-3.3.8-1.mga6.tainted.i586 is already installed
[root@localhost ffmpeg_test]# urpmi libpostproc54
Package libpostproc54-3.3.8-1.mga6.tainted.i586 is already installed
[root@localhost ffmpeg_test]# urpmi libavformat57
Package libavformat57-3.3.8-1.mga6.tainted.i586 is already installed
[root@localhost ffmpeg_test]# urpmi libavutil55
Package libavutil55-3.3.8-1.mga6.tainted.i586 is already installed
[root@localhost ffmpeg_test]# urpmi libswscaler4
Package libswscaler4-3.3.8-1.mga6.tainted.i586 is already installed
[root@localhost ffmpeg_test]# urpmi libavfilter6
Package libavfilter6-3.3.8-1.mga6.tainted.i586 is already installed

ffmpeg -i canon_org.mov -ar 22050 -s 240x140 canon_2.mp4
ffmpeg -i ob_org.flv -ar 22050 -s 240x140 ob_2.wmv
ffmpeg -i sony_org.mp4 -ar 48000 -vb 303000 -r 30 -s 640x480 -aspect 4:3 -vcodec mpeg4 sony_resize_2.mp4
ffmpeg -i waiting_for_santa_org.wmv -ar 48000 waiting_for_santa_2.mp4
ffmpeg -i star_wars_org.wav star_wars_2.mp3
ffmpeg -i james_bond_theme_org.mp3 james_bond_theme_2.webm
ffmpeg -i james_bond_theme_1.webm james_bond_theme_2.flac
ffmpeg -i waiting_for_santa_org.wmv waiting_for_santa_2.mp3

All processes proceeded correctly.
Created files play with VLC
CC: (none) => wilcal.int
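
The before/after version check done package by package with urpmi in the report above can be run in one pass. This is an added example, not part of the original report or of Mageia's QA tooling; the helper name check_installed is hypothetical, and it assumes input in the default `rpm -qa` form (name-version-release.arch).

```shell
#!/bin/sh
# Added example (not from the original report). Assumes input lines in the
# default `rpm -qa` form: name-version-release.arch, where Mageia tainted
# builds carry a ".tainted" suffix on the release.

EXPECTED="3.3.8-1.mga6"   # fixed build named in the advisory
# Runtime packages listed in the advisory (devel packages left out).
PKGS="ffmpeg libavcodec57 libpostproc54 libavformat57 libavutil55
libavresample3 libswscaler4 libavfilter6 libswresample2"

# check_installed (hypothetical helper): reads package lines on stdin, prints
# OK / STALE / SKIP per advisory package, returns 1 if any is STALE.
check_installed() {
    input=$(cat)
    rc=0
    for p in $PKGS; do
        # Anchor on "name-<digit>" so a longer name sharing the prefix
        # (for example a -devel package) is not picked up by mistake.
        line=$(printf '%s\n' "$input" | grep -E "^${p}-[0-9]" | head -n 1) || true
        if [ -z "$line" ]; then
            echo "SKIP $p not installed"
            continue
        fi
        vr=${line#"$p"-}      # drop "name-"
        vr=${vr%.*}           # drop ".arch"
        vr=${vr%.tainted}     # core and tainted builds share version-release
        if [ "$vr" = "$EXPECTED" ]; then
            echo "OK $p $vr"
        else
            echo "STALE $p $vr (want $EXPECTED)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: two lines in the format shown in the transcript above.
SAMPLE='ffmpeg-3.3.6-1.mga6.tainted.i586
libavcodec57-3.3.8-1.mga6.tainted.i586'
printf '%s\n' "$SAMPLE" | check_installed || echo "update still pending"
# On a live system: rpm -qa | check_installed
```

A STALE line for any library means a binary linked against it is still running the unfixed code, even if the ffmpeg package itself reports OK.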
Keywords: (none) => validated_update
Whiteboard: MGA6-64-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0319.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED