Bug 26072 - FFmpeg 4.1.5 (fixes CVE-2019-13390, CVE-2019-17539, and CVE-2019-17542)
Summary: FFmpeg 4.1.5 (fixes CVE-2019-13390, CVE-2019-17539, and CVE-2019-17542)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK MGA7-32-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2020-01-14 18:33 CET by David Walser
Modified: 2021-10-28 20:26 CEST (History)

See Also:
Source RPM: ffmpeg-4.1.4-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2020-01-14 18:33:03 CET
FFmpeg 4.1.5 has been released on January 7, fixing more security issues:
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1.5
http://ffmpeg.org/download.html
http://ffmpeg.org/security.html
Comment 1 David Walser 2020-01-15 04:17:29 CET
Note that there are core and tainted builds for this package.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8065#c6
https://bugs.mageia.org/show_bug.cgi?id=14042#c6

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

This update provides ffmpeg version 4.1.5, which fixes several security
vulnerabilities and other bugs which were corrected upstream.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17542
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1.5
http://ffmpeg.org/download.html
http://ffmpeg.org/security.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-4.1.5-1.mga7
libavcodec58-4.1.5-1.mga7
libpostproc55-4.1.5-1.mga7
libavformat58-4.1.5-1.mga7
libavutil56-4.1.5-1.mga7
libavresample4-4.1.5-1.mga7
libswscaler5-4.1.5-1.mga7
libavfilter7-4.1.5-1.mga7
libswresample3-4.1.5-1.mga7
libffmpeg-devel-4.1.5-1.mga7
libffmpeg-static-devel-4.1.5-1.mga7

from ffmpeg-4.1.5-1.mga7.src.rpm

Keywords: (none) => has_procedure
Assignee: bugsquad => qa-bugs

Comment 2 Brian Rockwell 2020-01-16 02:02:45 CET
mga7-64

- ffmpeg-4.1.5-1.mga7.x86_64
- lib64avcodec58-4.1.5-1.mga7.x86_64
- lib64avfilter7-4.1.5-1.mga7.x86_64
- lib64avformat58-4.1.5-1.mga7.x86_64
- lib64avresample4-4.1.5-1.mga7.x86_64
- lib64avutil56-4.1.5-1.mga7.x86_64
- lib64postproc55-4.1.5-1.mga7.x86_64
- lib64swresample3-4.1.5-1.mga7.x86_64
- lib64swscaler5-4.1.5-1.mga7.x86_64

$ ffmpeg -v
ffmpeg version 4.1.5 Copyright (c) 2000-2020 the FFmpeg developers
  built with gcc 8.3.1 (Mageia 8.3.1-0.20190524.1.mga7) 20190524
  configuration: --prefix=/usr --enable-shared --enable-pic --libdir=/usr/lib64 --shlibdir=/usr/lib64 --incdir=/usr/include --disable-stripping --enable-postproc --enable-gpl --enable-pthreads --enable-libtheora --enable-libvorbis --disable-encoder=vorbis --enable-libvpx --enable-runtime-cpudetect --enable-libaom --enable-libdc1394 --enable-librtmp --enable-libspeex --enable-libfreetype --enable-libgsm --enable-libcelt --enable-libopus --enable-libopencv --enable-libopenjpeg --enable-libtwolame --enable-libxavs --enable-frei0r --enable-libmodplug --enable-libass --enable-gnutls --enable-libcdio --enable-libpulse --enable-libv4l2 --enable-avresample --enable-opencl --enable-libmp3lame --enable-sndio --enable-libdav1d --disable-decoder=aac --disable-encoder=aac
  libavutil      56. 22.100 / 56. 22.100
  libavcodec     58. 35.100 / 58. 35.100
  libavformat    58. 20.100 / 58. 20.100
  libavdevice    58.  5.100 / 58.  5.100
  libavfilter     7. 40.101 /  7. 40.101
  libavresample   4.  0.  0 /  4.  0.  0
  libswscale      5.  3.100 /  5.  3.100
  libswresample   3.  3.100 /  3.  3.100
  libpostproc    55.  3.100 / 55.  3.100


converted a video
converted an m4a to mp3
converted a wav to ogg

my tests work

CC: (none) => brtians1
Whiteboard: (none) => MGA7-64-OK

Comment 3 Thomas Backlund 2020-01-19 10:20:39 CET
tainted packages also need testing

CC: (none) => tmb
Keywords: (none) => advisory

Comment 4 Brian Rockwell 2020-01-19 15:33:15 CET
I get the following when I try to pick ffmpeg 4.1.5.1 (i586)

"Sorry, the following package cannot be selected:

- libavcodec58-4.1.5-1.mga7.tainted.i586 (due to unsatisfied libx264.so.155)"

So I went back and tried to install that lib and got the same message. Dependency issue?

Whiteboard: MGA7-64-OK => MGA7-64-OK feedback

Comment 5 Brian Rockwell 2020-01-19 15:34:16 CET
(In reply to Brian Rockwell from comment #4)
> I get the following when I try to pick ffmpeg 4.1.5.1 (i586)
> 
> "Sorry, the following package cannot be selected:
> 
> - libavcodec58-4.1.5-1.mga7.tainted.i586 (due to unsatisfied libx264.so.155)"
> 
> So I went back and tried to install that lib and got the same message. 
> Dependency issue?

This was all when trying to pick ffmpeg from the tainted library.
Comment 6 David Walser 2020-01-19 15:47:09 CET
You need to enable tainted updates.
David Walser 2020-01-19 16:26:44 CET

Whiteboard: MGA7-64-OK feedback => MGA7-64-OK

Comment 7 Brian Rockwell 2020-01-20 16:40:39 CET
Thanks David, that worked - 

The following 14 packages are going to be installed:

- ffmpeg-4.1.5-1.mga7.tainted.i586
- libavcodec58-4.1.5-1.mga7.tainted.i586
- libavfilter7-4.1.5-1.mga7.tainted.i586
- libavformat58-4.1.5-1.mga7.tainted.i586
- libavresample4-4.1.5-1.mga7.tainted.i586
- libavutil56-4.1.5-1.mga7.tainted.i586
- libopencore-amr0-0.1.5-2.mga7.tainted.i586
- libpostproc55-4.1.5-1.mga7.tainted.i586
- libswresample3-4.1.5-1.mga7.tainted.i586
- libswscaler5-4.1.5-1.mga7.tainted.i586
- libvo-amrwbenc0-0.1.3-3.mga7.tainted.i586
- libx264_155-0.155-0.20181228.stable.1.mga7.tainted.i586
- libx265_169-3.0-2.mga7.tainted.i586
- libxvidcore4-1.3.5-3.1.mga7.tainted.i586

$ ffmpeg -version
ffmpeg version 4.1.5 Copyright (c) 2000-2020 the FFmpeg developers
  built with gcc 8.3.1 (Mageia 8.3.1-0.20190524.1.mga7) 20190524
  configuration: --prefix=/usr --enable-shared --enable-pic --libdir=/usr/lib --shlibdir=/usr/lib --incdir=/usr/include --disable-stripping --enable-postproc --enable-gpl --enable-pthreads --enable-libtheora --enable-libvorbis --disable-encoder=vorbis --enable-libvpx --enable-runtime-cpudetect --enable-libaom --enable-libdc1394 --enable-librtmp --enable-libspeex --enable-libfreetype --enable-libgsm --enable-libcelt --enable-libopus --enable-libopencv --enable-libopenjpeg --enable-libtwolame --enable-libxavs --enable-frei0r --enable-libmodplug --enable-libass --enable-gnutls --enable-libcdio --enable-libpulse --enable-libv4l2 --enable-avresample --enable-opencl --enable-libmp3lame --enable-sndio --enable-libdav1d --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-version3 --enable-libx264 --enable-libx265 --enable-libvo-amrwbenc --enable-libxvid
  libavutil      56. 22.100 / 56. 22.100
  libavcodec     58. 35.100 / 58. 35.100
  libavformat    58. 20.100 / 58. 20.100
  libavdevice    58.  5.100 / 58.  5.100
  libavfilter     7. 40.101 /  7. 40.101
  libavresample   4.  0.  0 /  4.  0.  0
  libswscale      5.  3.100 /  5.  3.100
  libswresample   3.  3.100 /  3.  3.100
  libpostproc    55.  3.100 / 55.  3.100


Converted some flac files to mp3's
Converted video from one format to another.

Works for me.

Whiteboard: MGA7-64-OK => MGA7-64-OK MGA7-32-OK

Thomas Backlund 2020-01-22 11:17:40 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2020-01-22 11:38:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0046.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2020-07-10 20:16:17 CEST
CVE-2019-13390 was also fixed in 4.1.5.

Summary: FFmpeg 4.1.5 (fixes CVE-2019-17539 and CVE-2019-17542) => FFmpeg 4.1.5 (fixes CVE-2019-13390, CVE-2019-17539, and CVE-2019-17542)

Comment 10 David Walser 2021-09-03 19:57:56 CEST
CVE-2020-2204[68] and CVE-2020-22054 were also fixed in 4.1.5:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RHYNSW2TAJSSTZPOYXQXGZDI6LYBWIT4/
Comment 11 David Walser 2021-10-20 17:48:14 CEST
CVE-2020-22025 also fixed in 4.1.5:
https://www.debian.org/security/2021/dsa-4990
Comment 12 David Walser 2021-10-28 20:06:37 CEST
Fixed in 4.2.2 and possibly 4.1.5 if 4.1.x was affected are:
CVE-2020-2089[12569] CVE-2020-20902 CVE-2021-3809[2-4]:
https://lists.suse.com/pipermail/sle-security-updates/2021-October/009650.html
Comment 13 David Walser 2021-10-28 20:26:28 CEST
(In reply to David Walser from comment #12)
> Fixed in 4.2.2 and possibly 4.1.5 if 4.1.x was affected are:
> CVE-2020-2089[12569] CVE-2020-20902 CVE-2021-3809[2-4]:
> https://lists.suse.com/pipermail/sle-security-updates/2021-October/009650.html

openSUSE reference:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HVCB2YATP2LRWUBIGFYZQUFV52VSFT2B/
