Bug 3431 - ffmpeg security update to version 0.6.4
Summary: ffmpeg security update to version 0.6.4
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://ffmpeg.org/#pr7dot8and8dot7
Whiteboard:
Keywords: validated_update
Depends on:
Blocks: 3670
Reported: 2011-11-23 21:11 CET by Dave Hodgins
Modified: 2012-01-04 15:11 CET

See Also:
Source RPM: ffmpeg-0.6.3-2.1.mga1.tainted.src.rpm
CVE:
Status comment:


Description Dave Hodgins 2011-11-23 21:11:28 CET
From http://secunia.com/advisories/46888/

Some vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.

 1) An error within the QDM2 decoder (libavcodec/qdm2.c) can be exploited to cause a buffer overflow.

 2) An integer overflow error within the "vp3_dequant()" function (libavcodec/vp3.c) can be exploited to cause a buffer overflow.

 3) Errors within the "av_image_fill_pointers()", the "vp5_parse_coeff()", and the "vp6_parse_coeff()" functions can be exploited to trigger out-of-bounds reads.

As stated on http://ffmpeg.org/download.html, the 0.6.3 that we currently
have in Mageia 1 is no longer being maintained.  We should update to 0.7.8,
which is compatible with the 0.6 ABI and API.

CVEs have not been assigned.

We have both Core and Tainted versions of ffmpeg.
Comment 1 Manuel Hiebel 2011-11-23 23:31:27 CET
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

Keywords: (none) => Triaged
CC: (none) => fundawang, thomas

Comment 2 Manuel Hiebel 2011-11-23 23:33:50 CET
In fact it's more the committers.

Keywords: Triaged => (none)

Comment 3 Thomas Spuhler 2011-11-24 05:19:53 CET
I believe this has been done yesterday. Let's close it as fixed

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 4 Funda Wang 2011-11-24 09:08:38 CET
(In reply to comment #3)
> I believe this has been done yesterday. Let's close it as fixed
Really? I've submitted it three hours ago.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 5 Thomas Backlund 2011-11-24 13:45:58 CET
NAK on this update in this way for Mageia 1.

It breaks/disables x264 support.

That's not allowed!

It must be properly fixed.

CC: (none) => tmb

Comment 6 Funda Wang 2011-11-24 13:50:29 CET
(In reply to comment #5)
> NAK on this update in this way for Mageia 1.
> 
> It breaks/disables x264 support.
> 
> That's not allowed!
> 
> It must be properly fixed.
Then somebody please remove ffmpeg 0.7.8 from core/updates_testing and tainted/updates_testing.
Comment 7 Funda Wang 2011-11-24 13:52:32 CET
And, we will rely on current maintainer "nobody" to take care of this bug.
Comment 8 D Morgan 2011-11-24 16:36:36 CET
No Funda, you do amazing work, continue this way :)

tmb, you know how to fix this ?

CC: (none) => dmorganec

Comment 10 Philippe Didier 2011-11-24 18:15:06 CET
(In reply to comment #7)
> And, we will rely on current maintainer "nobody" to take care of this bug.

Don't be angry ... please !!!!!!!
I know how much work you do for nobody's packages.
I just pointed a little problem about the dilemma to which you found an
answer that may be discussed and that may push someone to help you for
the job (I am not skilled enough to help  : can only tilt... sometimes
wrongly !)

Post Scriptum
I apologize for this comment coming so late : I sent it by mistake on dev mailing list... and have just seen it was in the wrong place

Best regards to Funda

CC: (none) => philippedidier

Florian Hubold 2011-11-30 21:39:25 CET

CC: (none) => anssi.hannula, doktor5000

Comment 11 Funda Wang 2011-12-10 01:33:13 CET
(In reply to comment #6)
> (In reply to comment #5)
> > NAK on this update in this way for Mageia 1.
> > 
> > It breaks/disables x264 support.
> > 
> > That's not allowed!
> > 
> > It must be properly fixed.
> Then somebody please remove ffmpeg 0.7.8 from core/updates_testing and
> tainted/updates_testing.
ping?
Funda Wang 2011-12-10 01:33:51 CET

Blocks: (none) => 3670

Comment 12 Thomas Backlund 2011-12-10 17:28:29 CET
ffmpeg 0.7.8 got removed ~1 week ago from */updates_testing
Comment 13 Funda Wang 2011-12-10 19:07:08 CET
(In reply to comment #12)
> ffmpeg 0.7.8 got removed ~1 week ago from */updates_testing
Nope. They only got removed from tainted/updates_testing
Comment 14 Thomas Backlund 2011-12-11 01:06:42 CET
actually I removed from both, but only *ffmpeg*

now the rest is also cleaned.
Comment 15 Funda Wang 2011-12-11 04:10:57 CET
Somebody interested in rediffing patches, please take this bug. Thanks.

CC: fundawang => (none)

Manuel Hiebel 2011-12-25 21:02:29 CET

Version: Cauldron => 1

Comment 17 D Morgan 2012-01-02 01:06:14 CET
I am on it
Comment 18 D Morgan 2012-01-02 01:20:38 CET
done and pushed in the BS

Status: REOPENED => ASSIGNED
Assignee: bugsquad => qa-bugs

Comment 19 Anssi Hannula 2012-01-02 01:25:58 CET
Build failed, I guess you are on it.

Also, in the future don't use 0.1.mga1, but just 1.mga1:

https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29
Thomas Backlund 2012-01-02 01:26:58 CET

Summary: ffmpeg security update to version 0.7.8 => ffmpeg security update to version 0.6.4

Comment 20 Thomas Spuhler 2012-01-02 02:15:24 CET
Thanks, D Morgan
Comment 21 claire robinson 2012-01-03 15:31:58 CET
Is this ready for QA?
Comment 22 D Morgan 2012-01-04 00:05:17 CET
(In reply to comment #19)
> Build failed, I guess you are on it.
> 
> Also, in the future don't use 0.1.mga1, but just 1.mga1:
> 
> https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29

Oh tks, I forgot this policy, tks
Comment 23 D Morgan 2012-01-04 00:06:09 CET
(In reply to comment #21)
> Is this ready for QA?

sorry, yes this is ready for QA
Comment 24 David Walser 2012-01-04 00:27:03 CET
I used it to convert an old WMV video to a WAV audio file on i586.  Sounds good.

CC: (none) => luigiwalser

Comment 25 David GEIGER 2012-01-04 09:36:27 CET
Tested the complete srpm ffmpeg-0.6.4-0.1.mga1.tainted.src.rpm on Mageia release 1 (Official) for x86_64. For me it's good, seems to work well.

I used it to convert a .wmv video file to an .avi video file
and also an .avi video file to a .flv video file.

CC: (none) => geiger.david68210

Comment 26 Thomas Backlund 2012-01-04 09:57:23 CET
Have you tested the ones in tainted too ?

and that x264 is not broken ?
Comment 27 David GEIGER 2012-01-04 10:04:17 CET
(In reply to comment #26)
> Have you tested the ones in tainted too ?
Yes, I have tested the ones in tainted but not in core.

> and that x264 is not broken ?
How could I test x264?
Comment 28 Florian Hubold 2012-01-04 10:13:00 CET
x264 never got updated, why should it break?
Comment 29 Thomas Backlund 2012-01-04 10:50:26 CET
Considering that it is somewhat fragile, which the earlier intended 0.7.8 update showed, I thought it could be wise to test.

But it's up to QA to decide...
Comment 30 claire robinson 2012-01-04 11:19:34 CET
Testing i586 for x264 with ffmpeg tainted using settings from here :-

http://rodrigopolo.com/ffmpeg/cheats.html#X264_Presets

Tested OK using HQ firstpass - we don't currently have libfaac so audio can't be encoded with it.
Comment 31 claire robinson 2012-01-04 11:31:19 CET
Tested x86_64 in the same way.


Please push the SRPMs:

ffmpeg-0.6.4-0.1.mga1.src.rpm
ffmpeg-0.6.4-0.1.mga1.tainted.src.rpm

See original post for advisory.
claire robinson 2012-01-04 11:33:45 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 32 Thomas Backlund 2012-01-04 15:11:03 CET
Update pushed.

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

