FFmpeg 0.7.5 "Peace" and 0.8.4 "Love" close a number of holes in the "svq3_get_se_golomb()" function which could be used by a remote attacker to compromise an application.
Keywords: (none) => Security
Component: RPM Packages => Security
Taking this one, updating to 0.7.5.
Status: NEW => ASSIGNED
CC: (none) => doktor5000
Assignee: bugsquad => doktor5000
OK, for cauldron it should be already fixed, we already have 0.8.4. For Mageia 1 I'll see if I can find the relevant commit. But on a sidenote: the 0.6 series we have in Mageia 1 has been declared deprecated/unmaintained today: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=4bd37ca6aec8f88a8ee9fa979ea6090db1b9e44d

@Dave: Is there a CVE for this? I couldn't seem to find one on a quick search.
Advisory from Secunia: https://secunia.com/advisories/46134/
No CVE. I don't know if there will be one. FYI, I found out about this from the H Security RSS feed. http://www.h-online.com/security/news/item/FFmpeg-updates-close-security-holes-1349155.html
There is now ffmpeg-0.6.3-2.1.mga1 in core/updates_testing to validate.

-------------------------------------------------------
Suggested advisory:
-------------------
This update addresses the following CVEs:

- CVE-2011-1196 (denial of service and possible code execution via malformed OGG file)
  http://code.google.com/p/chromium/issues/detail?id=71788
- CVE-2011-3362 (arbitrary code execution via malformed CAVS file)
  http://www.ocert.org/advisories/ocert-2011-002.html

Other fixes in this release:

- fix unchecked return values of function "svq3_get_ue_golomb()" that may cause a crash, patch from upstream, rediffed for our ffmpeg:
  http://git.videolan.org/?p=ffmpeg.git;a=patch;h=979bea13003ef489d95d2538ac2fb1c26c6f103b
-------------------------------------------------------
Steps to reproduce:
- install/update to update candidate

Additional notes:
- internal ffmpeg regression testing was already done, procedure can be looked up here:
  http://git.videolan.org/?p=ffmpeg.git;a=blob_plain;f=doc/fate.txt;hb=HEAD
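The "unchecked return values" item in the advisory above names a bug class rather than a single line of code: a bitstream reader that can fail on truncated or malformed input, and a caller that uses the result without looking at the failure signal. The following is an added illustration written for this page, not FFmpeg's svq3_get_ue_golomb() or any other code from the project. It implements a generic unsigned Exp-Golomb decoder (the same code family that function reads) over a hypothetical BitReader, and shows a caller that ignores the failure signal beside one that checks it. Input bytes are constructed for the example.

```python
# Added illustration for this page, not FFmpeg code: an unsigned Exp-Golomb
# reader that reports truncated input, and two callers showing why the
# return value must be checked before it is used as an index.
from typing import Optional


class BitReader:
    """Minimal MSB-first bit reader over a byte string (hypothetical helper)."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0                 # current bit position
        self.nbits = len(data) * 8   # total bits available

    def read_bit(self) -> Optional[int]:
        """Return the next bit, or None once the input is exhausted."""
        if self.pos >= self.nbits:
            return None
        byte = self.data[self.pos >> 3]
        bit = (byte >> (7 - (self.pos & 7))) & 1
        self.pos += 1
        return bit

    def read_bits(self, n: int) -> Optional[int]:
        """Return the next n bits as an integer, or None if they are not all present."""
        value = 0
        for _ in range(n):
            b = self.read_bit()
            if b is None:
                return None
            value = (value << 1) | b
        return value


def read_ue_golomb(r: BitReader, max_leading_zeros: int = 31) -> Optional[int]:
    """Decode one unsigned Exp-Golomb code: 0 -> '1', 1 -> '010', 2 -> '011',
    3 -> '00100', ... Returns None on truncated input or on a prefix longer than
    max_leading_zeros, instead of a garbage value the caller might trust."""
    zeros = 0
    while True:
        b = r.read_bit()
        if b is None:
            return None          # ran out of data inside the prefix
        if b == 1:
            break
        zeros += 1
        if zeros > max_leading_zeros:
            return None          # implausible code length, treat as corrupt
    suffix = r.read_bits(zeros)
    if suffix is None:
        return None              # ran out of data inside the suffix
    return (1 << zeros) - 1 + suffix


# Constructed lookup table standing in for any decoder-side array indexed by
# a value taken from the bitstream.
TABLE = ["a", "b", "c", "d"]


def lookup_unchecked(data: bytes) -> str:
    """The pattern the advisory describes: the decoder's failure signal is
    ignored and the result is used directly as an index. In Python this raises
    TypeError (index is None) or IndexError; in C the equivalent read goes
    out of bounds and the process crashes or worse."""
    idx = read_ue_golomb(BitReader(data))
    return TABLE[idx]  # type: ignore[index]


def lookup_checked(data: bytes) -> Optional[str]:
    """Hardened caller: a decode failure or an out-of-range index is an error,
    reported to the caller rather than turned into a memory access."""
    idx = read_ue_golomb(BitReader(data))
    if idx is None or idx >= len(TABLE):
        return None
    return TABLE[idx]


if __name__ == "__main__":
    print(lookup_checked(b"\x60"))   # code '011' -> 2 -> 'c'
    print(lookup_checked(b"\x30"))   # code '00110' -> 5, out of range -> None
    print(lookup_checked(b"\x00"))   # all zeros, truncated -> None
```

The check in lookup_checked is the whole fix: the decoder already distinguishes "valid value" from "could not decode", so the caller only has to refuse to continue on the second outcome and to range-check the first before indexing with it.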
Assignee: doktor5000 => qa-bugs
There is now also ffmpeg-0.6.3-2.1.mga1 in tainted/updates_testing to validate, same advisory as above.
According to CVE-2011-3362 mplayer <=1.0_rc4 is also affected by this CVE, as it is statically built against affected ffmpeg. We have MPlayer SVN-1.rc4.0.r32713.5.mga1.tainted-4.5.2
According to 'urpmq --whatrequires-recursive ffmpeg', kdenlive and kino both use ffmpeg, presumably when converting in the final stages, so either could be used to test.
vlc and xbmc both use ffmpeg and can also be used for testing IIRC. And yes, mplayer also contains a copy of ffmpeg, as may gstreamer0.10-ffmpeg. Will check that in the next few days.
I've tested playing various video files with ffplay, and converting audio files between various formats using konvertible, on my i586 system. I then installed the tainted version, and repeated the tests.

The srpms for this are:
ffmpeg-0.6.3-2.1.mga1.src.rpm
ffmpeg-0.6.3-2.1.mga1.tainted.src.rpm
Should we hold on until today's updates are included too, or go ahead with this update, and open a new bug report for ... http://www.h-online.com/security/news/item/FFmpeg-updates-address-further-security-issues-1353568.html
Well, citing from your link: "In total, holes have been closed in more than 30 demuxers and decoders". That's gonna be a patch-mess, I'd prefer to have this in a separate update as this one is already validated, so push it.
Has this been tested on x86-64?
I'm trying to install the update on x86_64 but MageiaUpdate won't install it:

Sorry, the following package cannot be selected:
- ffmpeg-0.6.3-2.1.mga1.tainted.x86_64 (due to conflicts with lib64ffmpeg52-0.6.3-2.1.mga1.tainted.x86_64)

Installing via urpmi would work, but I won't do it until we have worked out what happens here.
CC: (none) => stormi
Because of bug #2317, the following packages will require linking from Tainted Release to Tainted Updates. In general, bug #2317 forces us to link every "tainted" dependency of a "tainted" update that has a "core" equivalent, because the user can update from the Core Release package to the Tainted Updates one, thus requiring deps from Tainted Release. Yeah, bug #2317 is a real pain.

----------------------------------------
Running checks for "ffmpeg" using media "Core Release" and "Tainted Updates Testing".
----------------------------------------
Mageia release 1 (Official) for i586
Latest version found in "Core Release" is ffmpeg-0.6.3-1.mga1
Latest version found in "Tainted Updates Testing" is ffmpeg-0.6.3-2.1.mga1.tainted
----------------------------------------
The following packages will require linking:
libfaad2_2-2.7-2.mga1 (Tainted Release)
liblame0-3.98.4-2.mga1 (Tainted Release)
libopencore-amr0-0.1.2-3.mga1 (Tainted Release)
libvo-aacenc0-0.1.1-2.mga1.tainted (Tainted Release)
libvo-amrwbenc0-0.1.1-2.mga1.tainted (Tainted Release)
libx264_110-0.110-0.20101203.2.mga1 (Tainted Release)
----------------------------------------
For x86_64, depcheck gives no package to link, strange.
But the same deps are marked as needing linking for lib64ffmpeg52, so here is the list for x86_64:

[samuel@localhost mga_packages]$ ./depcheck lib64ffmpeg52 "Core Release" "Tainted Updates Testing"
----------------------------------------
Running checks for "lib64ffmpeg52" using media "Core Release" and "Tainted Updates Testing".
----------------------------------------
Mageia release 1 (Official) for x86_64
Latest version found in "Core Release" is lib64ffmpeg52-0.6.3-1.mga1
Latest version found in "Tainted Updates Testing" is lib64ffmpeg52-0.6.3-2.1.mga1.tainted
----------------------------------------
The following packages will require linking:
lib64faad2_2-2.7-2.mga1 (Tainted Release)
lib64lame0-3.98.4-2.mga1 (Tainted Release)
lib64opencore-amr0-0.1.2-3.mga1 (Tainted Release)
lib64vo-aacenc0-0.1.1-2.mga1.tainted (Tainted Release)
lib64vo-amrwbenc0-0.1.1-2.mga1.tainted (Tainted Release)
lib64x264_110-0.110-0.20101203.2.mga1 (Tainted Release)
----------------------------------------
Done.
Also, the devel packages for ffmpeg will require those extra links:

i586:
libfaad2-devel-2.7-2.mga1 (Tainted Release)
liblame-devel-3.98.4-2.mga1 (Tainted Release)
libopencore-amr-devel-0.1.2-3.mga1 (Tainted Release)
libvo-aacenc-devel-0.1.1-2.mga1.tainted (Tainted Release)
libvo-amrwbenc-devel-0.1.1-2.mga1.tainted (Tainted Release)
libx264-devel-0.110-0.20101203.2.mga1 (Tainted Release)

x86_64:
lib64faad2-devel-2.7-2.mga1 (Tainted Release)
lib64lame-devel-3.98.4-2.mga1 (Tainted Release)
lib64opencore-amr-devel-0.1.2-3.mga1 (Tainted Release)
lib64vo-aacenc-devel-0.1.1-2.mga1.tainted (Tainted Release)
lib64vo-amrwbenc-devel-0.1.1-2.mga1.tainted (Tainted Release)
lib64x264-devel-0.110-0.20101203.2.mga1 (Tainted Release)
That can't possibly be true, the dependencies of FFmpeg didn't change at all in this update.
CC: (none) => anssi.hannula
The depcheck script needs to be changed to exclude the packages that are recursively required by the Core Release version of the package, when a Core Release version does exist, as the package being updated via mgaapplet must already be installed.
It does that already, Dave. What it is finding here are the extra packages recursively required by upgrading from the core/release version to the tainted/updates_testing version. There obviously will be some. If those packages are not provided in update media then the update with mageiaupdate will fail as at the moment it cannot search in release media. There is a bug in urpmq --requires-recursive (bug 1754) where it doesn't find all recursive requires sometimes, which can lead to false positives or false negatives. I don't think that is the case here though. Anybody updating with mageiaupdate currently from ffmpeg in core/release to the one in tainted/updates (when this is pushed) will not be able to select it as it will have missing dependencies.
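The rule stated in the last two comments (packages already pulled in by the Core Release version are installed, so only the extra requires introduced by the Tainted Updates version matter, and of those only the ones that no update medium provides need a link) is small enough to model directly. The following is an added model written for this page; it is not Mageia's depcheck script, whose source is not shown here, and it does not call urpmq. The repository index, the package names inside it and the UPDATE_MEDIA set are all constructed for the example; real Mageia metadata would come from urpmq or the synthesis hdlists.

```python
# Added model for this page of the linking rule discussed above; not Mageia's
# depcheck script. Package names and repository contents are constructed.
from typing import Dict, List, Set, Tuple

# Constructed index: medium -> {package name: [names it requires]}.
REPOS: Dict[str, Dict[str, List[str]]] = {
    "Core Release": {
        "ffmpeg": ["libavcodec"],
        "libavcodec": ["libz"],
        "libz": [],
    },
    "Tainted Release": {
        "libfaad": [],
        "libx264": [],
    },
    "Tainted Updates Testing": {
        "ffmpeg": ["libavcodec", "libfaad", "libx264"],
        "libavcodec": ["libz", "libfaad", "libx264"],
    },
}

# Media the update applet is assumed to search when resolving an update. The
# comment above says release media are not searched, so a dependency that
# exists only in a release medium has to be linked into an updates medium.
UPDATE_MEDIA: Set[str] = {"Core Updates", "Tainted Updates", "Tainted Updates Testing"}


def requires_recursive(pkg: str, media: List[str]) -> Set[str]:
    """Transitive closure of `pkg`'s requires, resolving each name from the
    first medium in `media` that carries it (earlier media take priority, the
    way an updates medium shadows the release one). `pkg` itself is excluded."""
    seen: Set[str] = set()
    stack = [pkg]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        for medium in media:
            if name in REPOS.get(medium, {}):
                stack.extend(REPOS[medium][name])
                break
    seen.discard(pkg)
    return seen


def providers(name: str) -> List[str]:
    """Media that carry `name`, in index order."""
    return [m for m in REPOS if name in REPOS[m]]


def packages_needing_link(pkg: str, old_medium: str, new_medium: str) -> List[Tuple[str, str]]:
    """Packages to link for an upgrade of `pkg` from old_medium to new_medium.

    1. Everything the old version requires is assumed installed (it had to be,
       for the old package to be installed), so it is subtracted.
    2. Of the remaining requires, only those with no provider in an update
       medium are reported, together with the release medium that has them."""
    installed = requires_recursive(pkg, [old_medium])
    lookup_order = [new_medium] + [m for m in REPOS if m != new_medium]
    wanted = requires_recursive(pkg, lookup_order)
    needed: List[Tuple[str, str]] = []
    for name in sorted(wanted - installed):
        where = providers(name)
        if not any(m in UPDATE_MEDIA for m in where):
            needed.append((name, where[0]))
    return needed


if __name__ == "__main__":
    for name, medium in packages_needing_link("ffmpeg", "Core Release", "Tainted Updates Testing"):
        print(f"{name} ({medium})")
```

Running it on the constructed index lists libfaad and libx264 from Tainted Release, which is the shape of the real depcheck output quoted above. The subtraction in step 1 is also where the caveat about urpmq --requires-recursive bites: if the closure for either version is incomplete, a package can wrongly appear in (false positive) or vanish from (false negative) the difference.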
Depends on: (none) => 2317
Ah, correct, this update is affected if user has core/release installed and tainted/updates installed.
I meant "core/release version installed and tainted/updates repo enabled"
Testing complete x86_64

Advisory:
-------------------
This update addresses the following CVEs:

- CVE-2011-1196 (denial of service and possible code execution via malformed OGG file)
  http://code.google.com/p/chromium/issues/detail?id=71788
- CVE-2011-3362 (arbitrary code execution via malformed CAVS file)
  http://www.ocert.org/advisories/ocert-2011-002.html

Other fixes in this release:

- fix unchecked return values of function "svq3_get_ue_golomb()" that may cause a crash, patch from upstream, rediffed for our ffmpeg:
  http://git.videolan.org/?p=ffmpeg.git;a=patch;h=979bea13003ef489d95d2538ac2fb1c26c6f103b
-------------------------------------------------------
SRPMs:
ffmpeg-0.6.3-2.1.mga1.src.rpm
ffmpeg-0.6.3-2.1.mga1.tainted.src.rpm

Please note that this requires a number of links to be made to update media.
libfaad2_2-2.7-2.mga1 (Tainted Release)
libfaad2-devel-2.7-2.mga1 (Tainted Release)
liblame0-3.98.4-2.mga1 (Tainted Release)
liblame-devel-3.98.4-2.mga1 (Tainted Release)
libopencore-amr0-0.1.2-3.mga1 (Tainted Release)
libopencore-amr-devel-0.1.2-3.mga1 (Tainted Release)
libvo-aacenc0-0.1.1-2.mga1.tainted (Tainted Release)
libvo-aacenc-devel-0.1.1-2.mga1.tainted (Tainted Release)
libvo-amrwbenc0-0.1.1-2.mga1.tainted (Tainted Release)
libvo-amrwbenc-devel-0.1.1-2.mga1.tainted (Tainted Release)
libx264_110-0.110-0.20101203.2.mga1 (Tainted Release)
libx264-devel-0.110-0.20101203.2.mga1 (Tainted Release)
And the 64 bit versions.

Could sysadmin please push the srpms and make the required links. Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Update pushed.
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED