Bug 32964 - ffmpeg new security issue CVE-2023-47342
Summary: ffmpeg new security issue CVE-2023-47342
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-03-13 15:45 CET by Nicolas Salguero
Modified: 2024-03-22 01:21 CET

See Also:
Source RPM: ffmpeg-5.1.3-3.mga9,ffmpeg-5.1.3-3.mga9.tainted
CVE: CVE-2023-47342
Status comment:



Description Nicolas Salguero 2024-03-13 15:45:04 CET
According to http://ffmpeg.org/security.html:
  - CVE-2023-47342 is fixed in versions 5.1.4, 6.0.1 and 6.1.
  - CVE-2023-47344 is fixed in version 6.1.

Mageia 9 is also affected.
Nicolas Salguero 2024-03-13 15:45:46 CET

CVE: (none) => CVE-2023-47342, CVE-2023-47344
Source RPM: (none) => ffmpeg-5.1.3-7.mga10.src.rpm
Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2024-03-13 15:46:20 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31677

Comment 1 Lewis Smith 2024-03-13 20:39:34 CET
My M9 version is 'ffmpeg-5.1.3-3.mga9.tainted'.

The related bug says "fixed upstream in 6.0", so a 6.1 update for both M9 & Cauldron looks in order.

ffmpeg has not been version updated in Cauldron since 5.1.3; but has since had 6 updates/rebuilds. Maybe this is what stops simply version updating it.

Assigning globally; CC'ing Stig & DavidG who have had affair with this.
CC'ing luigi hoping he might comment on both the bugs.

Assignee: bugsquad => pkg-bugs
Status comment: (none) => Both fixed in version 6.1
CC: (none) => geiger.david68210, luigiwalser, smelror

Comment 2 David Walser 2024-03-13 22:21:10 CET
Yeah, we can't upgrade M9 to a new branch, but it is possible to ask upstream to release a new 5.1.x if the current one is missing fixes.
Comment 3 Nicolas Salguero 2024-03-14 09:50:41 CET
Hi,

When looking at the commit f7ac3512f5b5cb8eb149f37300b43461d8e93af3, which fixes CVE-2023-47344, according to http://ffmpeg.org/security.html, it appears that the fix is in the file libavcodec/jpegxl_parser.c, which does not exist in version 5.1.x (and there is no function "read_vlc_prefix" in version 5.1.x).

So I think we are only affected by CVE-2023-47342.

Best regards,

Nico.

CVE: CVE-2023-47342, CVE-2023-47344 => CVE-2023-47342
Summary: ffmpeg new security issues CVE-2023-47342 and CVE-2023-47344 => ffmpeg new security issue CVE-2023-47342
Status comment: Both fixed in version 6.1 => Fixed upstream in 5.1.4
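
Added example (not part of the bug report or of Mageia's tooling): the triage done in the description and in comment 3, written as a branch-aware check against the fixed-in versions quoted from ffmpeg.org/security.html, falling back to a source-tree check when the packaged branch has no fixed release. The function names, the major.minor branch rule and the conservative "code present means affected" policy are assumptions of this sketch.

```python
import re
from pathlib import Path

# Fixed-in releases exactly as the bug description quotes them.
FIXED_IN = {
    "CVE-2023-47342": ["5.1.4", "6.0.1", "6.1"],
    "CVE-2023-47344": ["6.1"],
}

def parse_upstream(version):
    """'5.1.3-3.mga9.tainted' -> (5, 1, 3); the RPM release part is dropped."""
    upstream = version.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+){1,2}", upstream):
        raise ValueError(f"unexpected version string: {version!r}")
    parts = [int(p) for p in upstream.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # '6.1' -> (6, 1, 0)

def triage_by_version(cve, installed):
    """Return 'fixed', 'affected' or 'check-source' for one CVE."""
    have = parse_upstream(installed)
    fixes = sorted(parse_upstream(f) for f in FIXED_IN[cve])
    for fix in fixes:
        if fix[:2] == have[:2]:  # assumption: a branch is major.minor
            return "fixed" if have >= fix else "affected"
    if have > fixes[-1]:
        # Assumption: branches newer than the newest fixed release carry the fix.
        return "fixed"
    # Older branch with no fixed release listed: the version cannot decide.
    return "check-source"

def code_present(tree, relpath, symbol):
    """True if relpath exists under the source tree and mentions symbol."""
    path = Path(tree) / relpath
    return path.is_file() and symbol in path.read_text(errors="replace")

def triage(cve, installed, tree=None, relpath=None, symbol=None):
    """Version check first; resolve 'check-source' against a source tree."""
    verdict = triage_by_version(cve, installed)
    if verdict == "check-source" and tree is not None:
        # Conservative policy (assumption): patched code present on a branch
        # with no fixed release is treated as affected until shown otherwise.
        present = code_present(tree, relpath, symbol)
        return "affected" if present else "not-affected"
    return verdict
```

For CVE-2023-47344 on the 5.1.x branch the version check alone returns `check-source`; pointing `triage` at an unpacked source tree with `libavcodec/jpegxl_parser.c` and `read_vlc_prefix` reproduces the reasoning in comment 3.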

Comment 4 Nicolas Salguero 2024-03-19 16:33:04 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Out of array access in avformat/rtsp. (CVE-2023-47342)

References:
http://ffmpeg.org/security.html
========================

Updated packages in core/updates_testing:
========================
ffmpeg-5.1.4-1.mga9
lib(64)avcodec59-5.1.4-1.mga9
lib(64)avfilter8-5.1.4-1.mga9
lib(64)avformat59-5.1.4-1.mga9
lib(64)avutil57-5.1.4-1.mga9
lib(64)ffmpeg-devel-5.1.4-1.mga9
lib(64)ffmpeg-static-devel-5.1.4-1.mga9
lib(64)postproc56-5.1.4-1.mga9
lib(64)swresample4-5.1.4-1.mga9
lib(64)swscaler6-5.1.4-1.mga9

from SRPM:
ffmpeg-5.1.4-1.mga9.src.rpm

Updated packages in tainted/updates_testing:
========================
ffmpeg-5.1.4-1.mga9.tainted
lib(64)avcodec59-5.1.4-1.mga9.tainted
lib(64)avfilter8-5.1.4-1.mga9.tainted
lib(64)avformat59-5.1.4-1.mga9.tainted
lib(64)avutil57-5.1.4-1.mga9.tainted
lib(64)ffmpeg-devel-5.1.4-1.mga9.tainted
lib(64)ffmpeg-static-devel-5.1.4-1.mga9.tainted
lib(64)postproc56-5.1.4-1.mga9.tainted
lib(64)swresample4-5.1.4-1.mga9.tainted
lib(64)swscaler6-5.1.4-1.mga9.tainted

from SRPM:
ffmpeg-5.1.4-1.mga9.tainted.src.rpm

Status comment: Fixed upstream in 5.1.4 => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Source RPM: ffmpeg-5.1.3-7.mga10.src.rpm => ffmpeg-5.1.3-3.mga9.src.rpm
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

katnatek 2024-03-19 20:18:37 CET

Source RPM: ffmpeg-5.1.3-3.mga9.src.rpm => ffmpeg-5.1.3-3.mga9,ffmpeg-5.1.3-3.mga9.tainted

katnatek 2024-03-19 20:19:59 CET

Keywords: (none) => advisory

Comment 5 katnatek 2024-03-19 21:48:52 CET
RH  mageia 9 x86_64 

Update to core packages

installing lib64swresample4-5.1.4-1.mga9.x86_64.rpm lib64postproc56-5.1.4-1.mga9.x86_64.rpm lib64avformat59-5.1.4-1.mga9.x86_64.rpm lib64swscaler6-5.1.4-1.mga9.x86_64.rpm lib64avfilter8-5.1.4-1.mga9.x86_64.rpm lib64avutil57-5.1.4-1.mga9.x86_64.rpm lib64avcodec59-5.1.4-1.mga9.x86_64.rpm ffmpeg-5.1.4-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ######################################################################################
      1/8: lib64avutil57         ######################################################################################
      2/8: lib64swresample4      ######################################################################################
      3/8: lib64avcodec59        ######################################################################################
      4/8: lib64postproc56       ######################################################################################
      5/8: lib64swscaler6        ######################################################################################
      6/8: lib64avformat59       ######################################################################################
      7/8: lib64avfilter8        ######################################################################################
      8/8: ffmpeg                ######################################################################################
      1/8: removing ffmpeg-5.1.3-3.mga9.tainted.x86_64
                                 ######################################################################################
      2/8: removing lib64avformat59-5.1.3-3.mga9.tainted.x86_64
                                 ######################################################################################
      3/8: removing lib64avfilter8-5.1.3-3.mga9.tainted.x86_64
                                 ######################################################################################
      4/8: removing lib64avcodec59-5.1.3-3.mga9.tainted.x86_64
                                 ######################################################################################
      5/8: removing lib64swresample4-5.1.3-3.mga9.tainted.x86_64
                                 ######################################################################################
      6/8: removing lib64postproc56-5.1.3-3.mga9.tainted.x86_64
                                 ######################################################################################
      7/8: removing lib64swscaler6-5.1.3-3.mga9.tainted.x86_64
                                 ######################################################################################
      8/8: removing lib64avutil57-5.1.3-3.mga9.tainted.x86_64
                                 ######################################################################################

Play a video

ffplay Sailor\ Moon\ Cosmos\ AMV\ -\ Makenai\ \(Sailor\ Star\ Song\).mp4 
ffplay version 5.1.4 Copyright (c) 2003-2023 the FFmpeg developers
  built with gcc 12 (Mageia 12.3.0-3.mga9)
  configuration: --prefix=/usr --enable-shared --enable-pic --libdir=/usr/lib64 --shlibdir=/usr/lib64 --incdir=/usr/include --disable-stripping --enable-postproc --enable-gpl --enable-pthreads --enable-libtheora --enable-libvorbis --disable-encoder=vorbis --enable-libvpx --enable-runtime-cpudetect --enable-libaom --enable-libdc1394 --enable-librtmp --enable-libspeex --enable-libfreetype --enable-libgsm --enable-libcelt --enable-libopenmpt --enable-libopus --disable-libopencv --enable-libopenjpeg --enable-libvidstab --enable-libtwolame --enable-libxavs --enable-frei0r --enable-libmodplug --enable-libass --enable-gnutls --enable-libcdio --enable-libmfx --enable-libpulse --enable-libv4l2 --enable-opencl --enable-libmp3lame --enable-sndio --enable-libdav1d --disable-decoder=aac --disable-encoder=aac
  libavutil      57. 28.100 / 57. 28.100

No issues
Comment 6 katnatek 2024-03-19 22:03:32 CET
RH mageia 9 x86_64

update to tainted versions

installing lib64swscaler6-5.1.4-1.mga9.tainted.x86_64.rpm lib64avformat59-5.1.4-1.mga9.tainted.x86_64.rpm lib64avfilter8-5.1.4-1.mga9.tainted.x86_64.rpm ffmpeg-5.1.4-1.mga9.tainted.x86_64.rpm lib64postproc56-5.1.4-1.mga9.tainted.x86_64.rpm lib64swresample4-5.1.4-1.mga9.tainted.x86_64.rpm lib64avutil57-5.1.4-1.mga9.tainted.x86_64.rpm lib64avcodec59-5.1.4-1.mga9.tainted.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ######################################################################################
      1/8: lib64avutil57         ######################################################################################
      2/8: lib64swresample4      ######################################################################################
      3/8: lib64avcodec59        ######################################################################################
      4/8: lib64swscaler6        ######################################################################################
      5/8: lib64postproc56       ######################################################################################
      6/8: lib64avformat59       ######################################################################################
      7/8: lib64avfilter8        ######################################################################################
      8/8: ffmpeg                ######################################################################################
      1/8: removing ffmpeg-5.1.4-1.mga9.x86_64
                                 ######################################################################################
      2/8: removing lib64avformat59-5.1.4-1.mga9.x86_64
                                 ######################################################################################
      3/8: removing lib64avfilter8-5.1.4-1.mga9.x86_64
                                 ######################################################################################
      4/8: removing lib64avcodec59-5.1.4-1.mga9.x86_64
                                 ######################################################################################
      5/8: removing lib64swresample4-5.1.4-1.mga9.x86_64
                                 ######################################################################################
      6/8: removing lib64postproc56-5.1.4-1.mga9.x86_64
                                 ######################################################################################
      7/8: removing lib64swscaler6-5.1.4-1.mga9.x86_64
                                 ######################################################################################
      8/8: removing lib64avutil57-5.1.4-1.mga9.x86_64
                                 ######################################################################################

Played the same video with ffplay, no issues
katnatek 2024-03-21 19:47:38 CET

CC: (none) => andrewsfarm

Comment 7 katnatek 2024-03-21 19:48:32 CET
For lack of additional tests, giving the OK

Whiteboard: (none) => MGA9-64-OK

Comment 8 Thomas Andrews 2024-03-21 20:44:27 CET
I think a test of encoding, as well as playing, would be a good idea for this one. Let me see what I can work up.
Comment 9 Thomas Andrews 2024-03-21 22:15:45 CET
Changed my mind after reading part of man ffmpeg:

"ffmpeg calls the libavformat library (containing demuxers) to read input files and get packets containing encoded data from them."

Since the CVE involves the avformat library, playing a video should be a sufficient test.

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 10 katnatek 2024-03-21 22:25:26 CET
(In reply to Thomas Andrews from comment #9)
> Changed my mind after reading part of man ffmpeg:
> 
> "ffmpeg calls the libavformat library (containing demuxers) to read input
> files and get packets containing encoded data from them."
> 
> Since the CVE involves the avformat library, playing a video should be a
> sufficient test.
> 
> Validating.

Just to give you some peace, I converted a .webm video to a .mp4 without issues
Comment 11 Mageia Robot 2024-03-22 01:21:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0083.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

