Bug 2820 - Security update for ffmpeg
Summary: Security update for ffmpeg
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://ffmpeg.org/index.html
Whiteboard:
Keywords: Security, validated_update
Depends on: 2317
Blocks:
Reported: 2011-09-23 22:04 CEST by Dave Hodgins
Modified: 2011-10-20 15:23 CEST (History)
CC List: 5 users

See Also:
Source RPM: ffmpeg-0.6.3-2.mga1.tainted.src.rpm
CVE:
Status comment:


Description Dave Hodgins 2011-09-23 22:04:56 CEST
FFmpeg 0.7.5 "Peace" and 0.8.4 "Love" close a number of holes in the "svq3_get_se_golomb()" function which could be used by a remote attacker to compromise an application.
Dave Hodgins 2011-09-23 22:05:13 CEST

Keywords: (none) => Security

Manuel Hiebel 2011-09-23 22:13:31 CEST

Component: RPM Packages => Security

Comment 1 Florian Hubold 2011-09-23 22:28:12 CEST
Taking this one, updating to 0.7.5.

Status: NEW => ASSIGNED
CC: (none) => doktor5000
Assignee: bugsquad => doktor5000

Comment 2 Florian Hubold 2011-09-23 22:38:49 CEST
OK, for cauldron it should be already fixed, we already have 0.8.4.
For Mageia 1 I'll see if I can find the relevant commit.

But on a side note: the 0.6 series we have in Mageia 1 has been declared deprecated/unmaintained today: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=4bd37ca6aec8f88a8ee9fa979ea6090db1b9e44d

@Dave: Is there a CVE for this? I couldn't seem to find one on a quick search.
Comment 3 Florian Hubold 2011-09-23 22:56:37 CEST
Advisory from Secunia: https://secunia.com/advisories/46134/
Comment 4 Dave Hodgins 2011-09-24 01:12:28 CEST
No CVE. I don't know if there will be one.

FYI, I found out about this from the H Security RSS feed.
http://www.h-online.com/security/news/item/FFmpeg-updates-close-security-holes-1349155.html
Comment 5 Florian Hubold 2011-09-30 14:42:34 CEST
There is now ffmpeg-0.6.3-2.1.mga1 in core/updates_testing to validate.
-------------------------------------------------------


Suggested advisory:
-------------------
This update addresses the following CVEs:

- CVE-2011-1196
 (denial of service and possible code execution via malformed OGG file)
  http://code.google.com/p/chromium/issues/detail?id=71788

- CVE-2011-3362
  (arbitrary code execution via malformed CAVS file)
  http://www.ocert.org/advisories/ocert-2011-002.html

Other fixes in this release:

- fix unchecked return values of function "svq3_get_ue_golomb()" that may cause a crash, patch from upstream, rediffed for our ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=patch;h=979bea13003ef489d95d2538ac2fb1c26c6f103b
-------------------------------------------------------
Steps to reproduce:

- install/update to update candidate

Additional notes:

- internal ffmpeg regression testing was already done, procedure can be looked up here:
http://git.videolan.org/?p=ffmpeg.git;a=blob_plain;f=doc/fate.txt;hb=HEAD

Assignee: doktor5000 => qa-bugs
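The "other fixes" item in the advisory above names a bug class rather than a CVE: a value decoded by svq3_get_ue_golomb() from an attacker-controlled bitstream is returned to callers that used it without checking it. The block below is an added illustration of that class and is not FFmpeg's code or the upstream patch. It models the interleaved Exp-Golomb coding that svq3_get_ue_golomb() reads (FFmpeg's implementation is table-driven; the bit-by-bit loop here is an assumption made for clarity), plus a constructed TABLE and two constructed lookup functions: the "before" one indexes with the raw value, the "after" one rejects stream exhaustion and out-of-range indices. Returning -1 on error is a convention chosen for this example, not FFmpeg's.

```python
"""Interleaved Exp-Golomb reader with the range check the advisory's fix class needs.
Added example; not code from FFmpeg or the Mageia package."""
from typing import Optional


class BitReader:
    """MSB-first bit reader over a byte string; `nbits` bounds the usable stream."""

    def __init__(self, data: bytes, nbits: Optional[int] = None):
        self.data = data
        self.nbits = len(data) * 8 if nbits is None else nbits
        self.pos = 0

    def bits_left(self) -> int:
        return self.nbits - self.pos

    def read_bit(self) -> int:
        b = (self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1
        self.pos += 1
        return b


def get_ue_golomb_interleaved(br: BitReader, max_bits: int = 31) -> int:
    """Decode one interleaved unsigned Exp-Golomb value (SVQ3/Dirac style).

    The value v is coded as the bits of v+1 below its leading 1, each prefixed
    by a 0 bit, then terminated by a 1 bit:  0 -> "1", 1 -> "001", 2 -> "011",
    3 -> "00001".  Returns -1 (this example's convention) when the stream ends
    inside a code or the value would not fit in `max_bits` bits.
    """
    ret = 1
    while True:
        if br.bits_left() < 1:
            return -1                      # ran out of data before the stop bit
        if br.read_bit():                  # stop bit: code complete
            break
        if br.bits_left() < 1 or (ret >> (max_bits - 1)):
            return -1                      # missing data bit, or value too large
        ret = (ret << 1) | br.read_bit()
    return ret - 1


# Constructed stand-in for a per-index decoder table (e.g. a lookup selected by
# a syntax element); any real table is finite, so the index needs a range check.
TABLE = [10, 20, 30, 40]


def lookup_unchecked(data: bytes, nbits: int) -> int:
    """'Before' pattern: the decoded value is used as an index without a check.

    In C this is an out-of-bounds read (crash or worse); in Python a -1 error
    return silently wraps to TABLE[-1] and a large value raises IndexError.
    """
    idx = get_ue_golomb_interleaved(BitReader(data, nbits))
    return TABLE[idx]


def lookup_checked(data: bytes, nbits: int) -> Optional[int]:
    """'After' pattern: reject error returns and out-of-range indices
    (the analogue of returning AVERROR_INVALIDDATA to the caller)."""
    idx = get_ue_golomb_interleaved(BitReader(data, nbits))
    if idx < 0 or idx >= len(TABLE):
        return None
    return TABLE[idx]


if __name__ == "__main__":
    # Constructed sample codes: "1" (0), "011" (2), "0001011" (10), and 16 zero bits (truncated).
    for sample, nbits in ((b"\x80", 1), (b"\x60", 3), (b"\x16", 7), (b"\x00\x00", 16)):
        print(sample.hex(), nbits, get_ue_golomb_interleaved(BitReader(sample, nbits)),
              lookup_checked(sample, nbits))
```

The truncated-stream case is the one worth noticing: a reader that pads with zeros never sees a stop bit, so an unchecked caller takes whatever the reader hands back and uses it as an index.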

Comment 6 Florian Hubold 2011-09-30 14:45:15 CEST
There is now also ffmpeg-0.6.3-2.1.mga1 in tainted/updates_testing to validate, same advisory as above.
Comment 7 claire robinson 2011-10-02 11:32:16 CEST
According to CVE-2011-3362

mplayer <=1.0_rc4 is also affected by this CVE, as it is statically built against affected ffmpeg.

We have MPlayer SVN-1.rc4.0.r32713.5.mga1.tainted-4.5.2
Comment 8 claire robinson 2011-10-03 17:49:21 CEST
According to 'urpmq --whatrequires-recursive ffmpeg', kdenlive and kino both use ffmpeg, presumably when converting in the final stages, so either could be used to test.
Comment 9 Florian Hubold 2011-10-03 21:43:11 CEST
vlc and xbmc both use ffmpeg and can also be used for testing IIRC.
And yes, mplayer also contains a copy of ffmpeg, also may gstreamer0.10-ffmpeg.

Will check that in the next few days.
Comment 10 Dave Hodgins 2011-10-04 04:50:09 CEST
I've tested playing various video files with ffplay, and converting audio files between various formats using konvertible, on my i586 system.

I then installed the tainted version, and repeated the tests.

The srpms for this are
ffmpeg-0.6.3-2.1.mga1.src.rpm
ffmpeg-0.6.3-2.1.mga1.tainted.src.rpm
Comment 11 Dave Hodgins 2011-10-04 23:26:56 CEST
Should we hold on until today's updates are included too, or go ahead with this update, and open a new bug report for ...
http://www.h-online.com/security/news/item/FFmpeg-updates-address-further-security-issues-1353568.html
Comment 12 Florian Hubold 2011-10-05 20:12:37 CEST
Well, citing from your link:

"In total, holes have been closed in more than 30 demuxers and decoders"
That's gonna be a patch mess. I'd prefer to have this in a separate update, as this one is already validated, so push it.
Comment 13 Dave Hodgins 2011-10-05 23:35:30 CEST
Has this been tested on x86-64?
Comment 14 Samuel Verschelde 2011-10-07 22:38:43 CEST
I'm trying to install the update on x86_64 but MageiaUpdate won't install it:

Sorry, the following package cannot be selected:

- ffmpeg-0.6.3-2.1.mga1.tainted.x86_64 (due to conflicts with lib64ffmpeg52-0.6.3-2.1.mga1.tainted.x86_64)

Installing via urpmi would work, but I won't do it until we have worked out what happens here.

CC: (none) => stormi

Comment 15 Samuel Verschelde 2011-10-08 10:23:02 CEST
Because of bug #2317, the following packages will require linking from Tainted Release to Tainted Updates. In general, bug #2317 forces us to link every "tainted" dependency of a "tainted" update that has a "core" equivalent, because the user can update from the Core Release package to the Tainted Updates one, thus requiring deps from Tainted Release.

Yeah, bug #2317 is a real pain.

----------------------------------------
Running checks for "ffmpeg" using media
"Core Release" and "Tainted Updates Testing".
----------------------------------------
Mageia release 1 (Official) for i586
Latest version found in "Core Release" is ffmpeg-0.6.3-1.mga1
Latest version found in "Tainted Updates Testing" is ffmpeg-0.6.3-2.1.mga1.tainted
----------------------------------------
The following packages will require linking:

libfaad2_2-2.7-2.mga1 (Tainted Release)
liblame0-3.98.4-2.mga1 (Tainted Release)
libopencore-amr0-0.1.2-3.mga1 (Tainted Release)
libvo-aacenc0-0.1.1-2.mga1.tainted (Tainted Release)
libvo-amrwbenc0-0.1.1-2.mga1.tainted (Tainted Release)
libx264_110-0.110-0.20101203.2.mga1 (Tainted Release)
----------------------------------------
Comment 16 Samuel Verschelde 2011-10-08 10:28:10 CEST
For x86_64, depcheck gives no package to link, strange.
Comment 17 Samuel Verschelde 2011-10-08 10:31:16 CEST
but the same deps are marked as needing linking for lib64ffmpeg52, so here is the list for x86_64

[samuel@localhost mga_packages]$ ./depcheck lib64ffmpeg52 "Core Release" "Tainted Updates Testing"
----------------------------------------
Running checks for "lib64ffmpeg52" using media
"Core Release" and "Tainted Updates Testing".
----------------------------------------
Mageia release 1 (Official) for x86_64
Latest version found in "Core Release" is lib64ffmpeg52-0.6.3-1.mga1
Latest version found in "Tainted Updates Testing" is lib64ffmpeg52-0.6.3-2.1.mga1.tainted
----------------------------------------
The following packages will require linking:

lib64faad2_2-2.7-2.mga1 (Tainted Release)
lib64lame0-3.98.4-2.mga1 (Tainted Release)
lib64opencore-amr0-0.1.2-3.mga1 (Tainted Release)
lib64vo-aacenc0-0.1.1-2.mga1.tainted (Tainted Release)
lib64vo-amrwbenc0-0.1.1-2.mga1.tainted (Tainted Release)
lib64x264_110-0.110-0.20101203.2.mga1 (Tainted Release)
----------------------------------------
Done.
Comment 18 Samuel Verschelde 2011-10-08 11:12:12 CEST
Also, the devel packages for ffmpeg will require those extra links:

i586:
libfaad2-devel-2.7-2.mga1 (Tainted Release)
liblame-devel-3.98.4-2.mga1 (Tainted Release)
libopencore-amr-devel-0.1.2-3.mga1 (Tainted Release)
libvo-aacenc-devel-0.1.1-2.mga1.tainted (Tainted Release)
libvo-amrwbenc-devel-0.1.1-2.mga1.tainted (Tainted Release)
libx264-devel-0.110-0.20101203.2.mga1 (Tainted Release)

x86_64:
lib64faad2-devel-2.7-2.mga1 (Tainted Release)
lib64lame-devel-3.98.4-2.mga1 (Tainted Release)
lib64opencore-amr-devel-0.1.2-3.mga1 (Tainted Release)
lib64vo-aacenc-devel-0.1.1-2.mga1.tainted (Tainted Release)
lib64vo-amrwbenc-devel-0.1.1-2.mga1.tainted (Tainted Release)
lib64x264-devel-0.110-0.20101203.2.mga1 (Tainted Release)
Comment 19 Anssi Hannula 2011-10-09 03:30:49 CEST
That can't possibly be true, the dependencies of FFmpeg didn't change at all in this update.

CC: (none) => anssi.hannula

Comment 20 Dave Hodgins 2011-10-09 04:33:09 CEST
The depcheck script needs to be changed to exclude the packages that are recursively required by the Core Release version of the package, when a Core Release version does exist, as the package being updated via mgaapplet must already be installed.
Comment 21 claire robinson 2011-10-09 10:18:27 CEST
It does that already, Dave.

What it is finding here are the extra packages recursively required by upgrading from the core/release version to the tainted/updates_testing version. There obviously will be some.

If those packages are not provided in update media then the update with mageiaupdate will fail as at the moment it cannot search in release media.

There is a bug in urpmq --requires-recursive (bug 1754) where it doesn't find all recursive requires sometimes, which can lead to false positives or false negatives. I don't think that is the case here though.

Anybody updating with mageiaupdate currently from ffmpeg in core/release to the one in tainted/updates (when this is pushed) will not be able to select it as it will have missing dependencies.
claire robinson 2011-10-09 10:24:00 CEST

Depends on: (none) => 2317
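The check that comments 15 to 21 argue about can be stated as a set difference: everything the updates-testing build requires transitively, minus everything the already-installed Core Release build already brought in, filtered to packages that exist only in a Release medium (which MageiaUpdate cannot search). The block below is an added model of that logic in Python; it is not Samuel's depcheck script, whose source is not on this page. The package index is constructed (names shaped like the ones in the thread, but the libvorbis, libogg and glibc entries and all dependency edges are invented for the example), requires are expressed directly as package names rather than resolved through provides as urpmi does, and the set of media treated as "update media" is an assumption.

```python
"""Model of the depcheck logic from this bug: which Release-only packages an upgrade
from the Core Release build to the Tainted Updates build pulls in, and so must be
linked into update media.  Added example, not Mageia's depcheck script."""
from typing import Dict, List, Set

# Assumption for this model: the media mgaapplet/MageiaUpdate searches when applying updates.
UPDATE_MEDIA = {"Core Updates", "Core Updates Testing",
                "Tainted Updates", "Tainted Updates Testing"}

# Constructed package index (not real Mageia metadata): package -> medium and direct requires.
INDEX: Dict[str, dict] = {
    "ffmpeg-0.6.3-1.mga1":                {"medium": "Core Release",
                                           "requires": ["libffmpeg52-0.6.3-1.mga1"]},
    "libffmpeg52-0.6.3-1.mga1":           {"medium": "Core Release",
                                           "requires": ["libvorbis0-1.3-1.mga1", "glibc-2.12-1.mga1"]},
    "ffmpeg-0.6.3-2.1.mga1.tainted":      {"medium": "Tainted Updates Testing",
                                           "requires": ["libffmpeg52-0.6.3-2.1.mga1.tainted"]},
    "libffmpeg52-0.6.3-2.1.mga1.tainted": {"medium": "Tainted Updates Testing",
                                           "requires": ["libvorbis0-1.3-1.mga1", "glibc-2.12-1.mga1",
                                                        "libfaad2_2-2.7-2.mga1", "liblame0-3.98.4-2.mga1",
                                                        "libx264_110-0.110-0.20101203.2.mga1"]},
    "libfaad2_2-2.7-2.mga1":               {"medium": "Tainted Release", "requires": ["glibc-2.12-1.mga1"]},
    "liblame0-3.98.4-2.mga1":              {"medium": "Tainted Release", "requires": ["glibc-2.12-1.mga1"]},
    "libx264_110-0.110-0.20101203.2.mga1": {"medium": "Tainted Release", "requires": ["glibc-2.12-1.mga1"]},
    "libvorbis0-1.3-1.mga1":               {"medium": "Core Release", "requires": ["libogg0-1.2-1.mga1"]},
    "libogg0-1.2-1.mga1":                  {"medium": "Core Release", "requires": ["glibc-2.12-1.mga1"]},
    "glibc-2.12-1.mga1":                   {"medium": "Core Release", "requires": []},
}


def recursive_requires(pkg: str, index: Dict[str, dict]) -> Set[str]:
    """Transitive closure of `requires`, cycle-safe (what urpmq --requires-recursive reports)."""
    seen: Set[str] = set()
    stack = [pkg]
    while stack:
        for dep in index[stack.pop()]["requires"]:
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def packages_to_link(installed_pkg: str, update_pkg: str, index: Dict[str, dict],
                     update_media: Set[str] = UPDATE_MEDIA) -> List[str]:
    """Packages the upgrade pulls in that are neither already installed nor in any update medium.

    Comment 20: whatever the installed (Core Release) build requires is assumed present.
    Comment 21: the extra packages are the difference between the two closures, and those
    found only in a Release medium must be linked, or MageiaUpdate cannot select the update.
    """
    installed = {installed_pkg} | recursive_requires(installed_pkg, index)
    wanted = {update_pkg} | recursive_requires(update_pkg, index)
    extra = wanted - installed
    return sorted(p for p in extra if index[p]["medium"] not in update_media)


def format_report(installed_pkg: str, update_pkg: str, index: Dict[str, dict]) -> str:
    """Render the result in the same shape as the depcheck output quoted in this bug."""
    lines = ["The following packages will require linking:", ""]
    lines += [f"{p} ({index[p]['medium']})"
              for p in packages_to_link(installed_pkg, update_pkg, index)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report("ffmpeg-0.6.3-1.mga1", "ffmpeg-0.6.3-2.1.mga1.tainted", INDEX))
```

Anssi's objection in comment 19 (the build's dependencies did not change) and Claire's reply in comment 21 are both consistent with this model: the tainted build's requires are the same as before, but they are compared against what a Core Release install already has, so the tainted-only codec libraries show up as extra, and only packages in a Release medium are reported.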

Comment 22 Anssi Hannula 2011-10-09 15:07:39 CEST
Ah, correct, this update is affected if user has core/release installed and tainted/updates installed.
Comment 23 Anssi Hannula 2011-10-09 15:08:11 CEST
I meant "core/release version installed and tainted/updates repo enabled"
Comment 24 claire robinson 2011-10-10 11:33:42 CEST
Testing complete x86_64

Advisory:
-------------------
This update addresses the following CVEs:

- CVE-2011-1196
 (denial of service and possible code execution via malformed OGG file)
  http://code.google.com/p/chromium/issues/detail?id=71788

- CVE-2011-3362
  (arbitrary code execution via malformed CAVS file)
  http://www.ocert.org/advisories/ocert-2011-002.html

Other fixes in this release:

- fix unchecked return values of function "svq3_get_ue_golomb()" that may cause a crash, patch from upstream, rediffed for our ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=patch;h=979bea13003ef489d95d2538ac2fb1c26c6f103b
-------------------------------------------------------


SRPM's:
ffmpeg-0.6.3-2.1.mga1.src.rpm
ffmpeg-0.6.3-2.1.mga1.tainted.src.rpm

Please note that this requires a number of links to be made to update media.


libfaad2_2-2.7-2.mga1 (Tainted Release)
libfaad2-devel-2.7-2.mga1 (Tainted Release)
liblame0-3.98.4-2.mga1 (Tainted Release)
liblame-devel-3.98.4-2.mga1 (Tainted Release)
libopencore-amr0-0.1.2-3.mga1 (Tainted Release)
libopencore-amr-devel-0.1.2-3.mga1 (Tainted Release)
libvo-aacenc0-0.1.1-2.mga1.tainted (Tainted Release)
libvo-aacenc-devel-0.1.1-2.mga1.tainted (Tainted Release)
libvo-amrwbenc0-0.1.1-2.mga1.tainted (Tainted Release)
libvo-amrwbenc-devel-0.1.1-2.mga1.tainted (Tainted Release)
libx264_110-0.110-0.20101203.2.mga1 (Tainted Release)
libx264-devel-0.110-0.20101203.2.mga1 (Tainted Release)


And the 64 bit versions.

Could sysadmin please push the srpms and make the required links.

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 25 Thomas Backlund 2011-10-20 15:23:00 CEST
Update pushed.

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
