Bug 4146 - ffmpeg new security issues CVE-2011-3892, CVE-2011-3893, and CVE-2011-3895 affect other packages
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact:
URL: http://ffmpeg.org/
Whiteboard:
Keywords:
Depends on: 4147 4152 4153 4154 4157
Blocks:
Reported: 2012-01-16 05:29 CET by David Walser
Modified: 2012-03-21 20:58 CET (History)

See Also:
Source RPM: ffmpeg-0.6.4-0.1.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-01-16 05:29:20 CET
On January 12, ffmpeg issued version 0.6.5 to fix these security issues.  We should update to it for Mageia 1.  mplayer and blender are also likely affected by these (internal ffmpeg) and would need to be updated as well.

In Cauldron, ffmpeg and mplayer are not affected, but blender may be if its internal ffmpeg hasn't been updated recently.
Comment 1 Florian Hubold 2012-01-16 15:23:26 CET
You forgot gstreamer0.10-ffmpeg and avidemux; all of these carry bundled copies of ffmpeg. Additionally, I've stumbled across this: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/maverick/ffmpeg/maverick-security/revision/54

Here's a short summary for that advisory:

* CVE-2011-3504: denial of service and possible code execution via
  malformed Matroska file

* CVE-2011-4351: denial of service and possible code execution via
  malformed file containing QDM2 stream

* CVE-2011-4352: denial of service and possible code execution via
  malformed file containing VP3 stream
 
* CVE-2011-4353: denial of service and possible code execution via
  malformed file containing VP5 or VP6 streams

* CVE-2011-4364: denial of service and possible code execution via
  malformed VMD file

* CVE-2011-4579: denial of service and possible code execution via
  malformed file containing svq1 stream

So the following packages should be checked and updated, and it should also be checked whether the last mplayer update applies to them as well ( http://svnweb.mageia.org/packages?view=revision&revision=194375 ):

- avidemux
- blender
- gstreamer0.10-ffmpeg
- ffmpeg
- mplayer

CC: (none) => doktor5000

Comment 2 David Walser 2012-01-16 15:52:21 CET
OK, Funda Wang has built an update for ffmpeg 0.6.5 and made Bug 4147 for it.

doktor5000 is building an update for this and previous missed updates for avidemux due to internal ffmpeg.  He'll post a bug for that shortly.

Let's use this bug to track the updates for all affected packages.

Summary: ffmpeg new security issues CVE-2011-3892, CVE-2011-3893, and CVE-2011-3895 => ffmpeg new security issues CVE-2011-3892, CVE-2011-3893, and CVE-2011-3895 affect other packages

David Walser 2012-01-16 15:53:07 CET

Depends on: (none) => 4147

David Walser 2012-01-16 16:05:21 CET

Depends on: 4147 => 4152

David Walser 2012-01-16 16:05:38 CET

Depends on: (none) => 4147

Comment 3 David Walser 2012-01-16 16:06:30 CET
gstreamer0.10-ffmpeg is Bug 4152
Comment 4 David Walser 2012-01-16 16:12:13 CET
Blender is Bug 4153

Depends on: (none) => 4153

Comment 5 David Walser 2012-01-16 16:15:26 CET
mplayer is Bug 4154

Depends on: (none) => 4154

Comment 6 Manuel Hiebel 2012-01-16 16:52:35 CET
(In reply to comment #5)
> mplayer is Bug 4154

(You can see that easily with https://bugs.mageia.org/showdependencytree.cgi?id=4146&hide_resolved=1, so there is no need to add a comment.)
David Walser 2012-01-16 17:03:22 CET

Depends on: (none) => 4157

Comment 7 David Walser 2012-03-21 20:58:50 CET
All better now :o)

Status: NEW => RESOLVED
Resolution: (none) => FIXED
