Description of problem: avidemux carries a bundled copy of an old ffmpeg snapshot, and it is missing all security updates which were already done for ffmpeg. Here's the suggested advisory, which lists all those:

Suggested advisory:
-------------------
This update addresses the following CVEs:
- CVE-2011-1196 (denial of service and possible code execution via malformed OGG file)
  http://code.google.com/p/chromium/issues/detail?id=71788
- CVE-2011-3362 (arbitrary code execution via malformed CAVS file)
  http://www.ocert.org/advisories/ocert-2011-002.html
- CVE-2011-1931 (denial of service and possible code execution via malformed AMV file)
  http://seclists.org/bugtraq/2011/Apr/257
- CVE-2011-2161 (denial of service via malformed APE file)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2161
- CVE-2011-0480 (denial of service and possible code execution via crafted WebM file)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0480
- CVE-2011-0723 (denial of service and possible code execution via crafted VC1 file)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0723
- CVE-2010-3429 (arbitrary offset dereference vulnerability in flic video codec)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3429
- CVE-2010-4704 (denial of service via crafted .ogg file)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4704
- CVE-2009-4636 (denial of service via a crafted .aac file that triggers an infinite loop)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4636
- CVE-2011-0722 (denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a malformed RealMedia file)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0722
- CVE-2011-3504 (arbitrary code execution via a crafted Matroska file)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3504
- CVE-2011-4351 (buffer overflow via error within the QDM2 decoder)
  http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4351.html
- CVE-2011-4352 (buffer overflow within the "vp3_dequant()" function)
  http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4352.html
- CVE-2011-4353 (out-of-bounds reads via errors within the "av_image_fill_pointers()", the "vp5_parse_coeff()", and the "vp6_parse_coeff()" functions)
  http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4353.html
- CVE-2011-4364 (denial of service or arbitrary code execution via a malformed VMD file)
  http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4364.html
- CVE-2011-4579 (memory corruption via an error within the "svq1_decode_frame()" function)
  http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4579.html

Other fixes in this release:
- fix unchecked return values of function "svq3_get_ue_golomb()" that may cause a crash, patch from upstream, rediffed for our ffmpeg:
  http://git.videolan.org/?p=ffmpeg.git;a=patch;h=979bea13003ef489d95d2538ac2fb1c26c6f103b
- several additional vulnerabilities originally discovered by Google Chrome developers were also fixed with this advisory:
  http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/to_upstream/35_mov_bad_timings.patch?revision=25101&view=markup&pathrev=28635
  http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/to_upstream/31_mp3_outlen.patch?revision=25031&view=markup&pathrev=28635
  http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/to_upstream/41_vorbis_zero_samplerate.patch?revision=25230&view=markup&pathrev=28635
Blocks: (none) => 4146
Before someone asks, this is just a list of the fixed security issues, the update is currently undergoing review.
Status: NEW => ASSIGNED
There is now avidemux-2.5.4-5.1.mga1 in core/updates_testing and tainted/updates_testing to validate.

-------------------------------------------------------
Suggested advisory:
-------------------
Please see comment #1, didn't want to duplicate this here.
CC: (none) => doktor5000
Assignee: doktor5000 => qa-bugs
That's a long list! No public POCs that I can find.
(In reply to comment #3)
> That's a long list!

Sure, as it hasn't gotten any of the former ffmpeg updates, and there were additional security fixes from Ubuntu. For the first part of the list, this is the same as former ffmpeg updates like in https://bugs.mageia.org/show_bug.cgi?id=3000 or https://bugs.mageia.org/show_bug.cgi?id=3001

For POCs, I've found only two; the first is already linked in the advisory:
CVE-2011-1196 http://code.google.com/p/chromium/issues/detail?id=71788
CVE-2011-0480 http://code.google.com/p/chromium/issues/detail?id=68115
Do the chrome ones really apply to the avidemux ffmpeg Florian? The first uses html to repeatedly reload an ogg file which doesn't really apply even though the vulnerability is in ffmpeg. The second is webm which I don't think avidemux supports.
testing x86_64
(In reply to comment #5)
> Do the chrome ones really apply to the avidemux ffmpeg Florian?

Sure, the question is if they're applicable that easily. For the first one, only the ogg file is relevant AFAICS, as avidemux can't make use of .html files. For the second, no it does not, but better be safe than sorry.
Hi, there appears to be a problem with the version in the Core_Updates_Testing media; they are the same:
Version for the srpm in Core_Updates_Testing is avidemux-2.5.4-5.1.mga1.src.rpm of 24/07/2011.
Version for the srpm in Core_Updates is avidemux-2.5.4-5.1.mga1.src.rpm of 17/01/2012.
Florian Hubold, can you look at this please? Thank you in advance.
CC: (none) => geiger.david68210
Sorry that was an oversight of mine, and the buildsystem didn't catch the error. Please wait for avidemux-2.5.4-5.2.mga1 to appear on mirrors, it's currently building.
That explains the problems I was having updating, well spotted David! Core version is available now.
x86_64

I'm having trouble opening ogg videos with the core version.

Ogg file detected..
First packet : not a header 80?
What .ogg file are you trying to open? Ogg Vorbis (audio) or maybe Ogg Theora (video)? I've tried with http://ftp.mandrivauser.de/video/video_ltag07.ogg which consists of an xvid video and an ogg vorbis audio track. Opens just fine, only the index has to be recalculated. Relevant output in terminal:

Ogg file detected..
Stream Type : video
Sub Type : 44495658
header size : 56
Time unit : 400000
sample unit : 1
Default len : 1
Buffer size : 33976
Bits per sam: 24
subtype :XVID
Taking that track as audio track 1
Stream Type : vorbis
Sub Type : 20000
header size : -16777091
Time unit : 18374688627172048895
sample unit : 7398752255
Default len : 1
Buffer size : 33976
Bits per sam: 24
Channels : 720
Blockalign : 0
Avgbytespersec : 576
subtype :
First packet : not a header 3?

But f.ex. http://upload.wikimedia.org/wikipedia/commons/a/a9/Tromboon-sample.ogg (license: GFDL), which is only an ogg vorbis audio track, doesn't open; in terminal one can see:

Ogg file detected..
Taking that track as audio track 1
Stream Type : vorbis
Sub Type : 44020000
header size : 172
Time unit : 2147533979648
sample unit : 7381975040
Default len : 0
Buffer size : 0
Bits per sam: 32416
Channels : 32607
Blockalign : 0
Avgbytespersec : 4182862592
subtype :
First packet : not a header 3?

In avidemux I see two error dialogs: "Attempt to open /home/doktor5000/Tromboon-sample.ogg failed!" and "Could not open the file"
Same problem with the latter file with older avidemux-qt-2.5.4-5.1.mga1.tainted, so this is no regression; the avidemux update candidate works just fine. For reference, I'd still like to know which file you tested this against, Claire.
Testing complete on i586 for the srpm avidemux-2.5.4-5.2.mga1.src.rpm

I used avidemux_qt4 to convert a video from flv to mpeg-4, using a filter to reverse the video.
CC: (none) => davidwhodgins
It was big buck bunny Florian, 480p stereo ogg theora video from here: http://www.bigbuckbunny.org/index.php/download/

I tried using avidemux2_qt4 and avidemux2_gtk. It gives an error message about being unable to open it and in the terminal window shows:

Ogg file detected..
First packet : not a header 80?
(In reply to comment #15)
> It was big buck bunny Florian
>
> 480p stereo ogg theora video from here
>
> http://www.bigbuckbunny.org/index.php/download/

Same problem with that file with older avidemux-qt-2.5.4-5.1.mga1.tainted, so this is no regression, so this should not block validation. But I'll look into this separately.
I've done some googling Florian and it seems this might be down to the way ffmpeg handles ogg theora files so there is maybe nothing we can do about it. Avidemux uses ffmpeg for ogg theora and according to the website supports ogm and not ogg. There is a note about it on the output formats page http://avidemux.org/admWiki/doku.php?id=general:output_formats Reading further it seems ogg is the container created by xiph.org to contain only their own codecs whereas ogm as a container can contain other codecs such as xvid etc, more like an avi with 4cc codes. The file headers are different and incompatible so ogg as it stands is simply not supported. http://www.avidemux.org/smf/index.php?topic=4166.0
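To make the header difference from the comment above concrete, here is an added example (not avidemux or ffmpeg code) that walks the Ogg pages of a file and classifies each logical stream by the first bytes of its beginning-of-stream packet: a Xiph Theora identification header starts with 0x80 "theora", a Vorbis one with 0x01 "vorbis", and an OGM stream header with 0x01 followed by "video"/"audio" and a fourcc such as XVID. The sample files are constructed inline (no CRC is computed or verified, which a real demuxer must do); that the "80" in "First packet : not a header 80?" is the Theora identification byte is an inference, not something the thread states.

```python
import struct

def _page(serial: int, body: bytes, bos: bool, seq: int) -> bytes:
    """Build one Ogg page around `body`; CRC left zero (constructed data, not verified here)."""
    segs = [255] * (len(body) // 255) + [len(body) % 255]   # Ogg lacing values
    hdr = b"OggS" + struct.pack("<BBqIIIB", 0, 0x02 if bos else 0, 0, serial, seq, 0, len(segs))
    return hdr + bytes(segs) + body

def ogg_pages(data: bytes):
    """Yield (serial, header_type, body) for each page; raises on a bad capture pattern."""
    pos = 0
    while pos + 27 <= len(data):
        if data[pos:pos + 4] != b"OggS":
            raise ValueError(f"no OggS capture pattern at offset {pos}")
        _, htype, _, serial, _, _, nseg = struct.unpack_from("<BBqIIIB", data, pos + 4)
        segs = data[pos + 27:pos + 27 + nseg]
        body_len = sum(segs)
        start = pos + 27 + nseg
        yield serial, htype, data[start:start + body_len]
        pos = start + body_len

def classify_first_packet(pkt: bytes) -> str:
    """Name the codec/container flavour from the first bytes of a stream's first packet."""
    if pkt.startswith(b"\x80theora"):
        return "theora"                      # Xiph Theora identification header
    if pkt.startswith(b"\x01vorbis"):
        return "vorbis"                      # Xiph Vorbis identification header
    if pkt[:1] == b"\x01" and pkt[1:9] in (b"video\0\0\0", b"audio\0\0\0"):
        kind = pkt[1:6].decode("ascii")      # OGM stream header: streamtype[8], subtype[4]
        return f"ogm-{kind}/{pkt[9:13].decode('ascii', 'replace')}"
    return f"unknown(first byte 0x{pkt[0]:02x})" if pkt else "empty"

def identify_ogg(data: bytes) -> dict:
    """Map each logical stream serial to its flavour, using only beginning-of-stream pages."""
    return {serial: classify_first_packet(body)
            for serial, htype, body in ogg_pages(data) if htype & 0x02}

# Constructed samples (not real files): a Theora+Vorbis Ogg and an OGM with XVID video.
THEORA_IDENT = b"\x80theora" + bytes(35)
VORBIS_IDENT = b"\x01vorbis" + bytes(23)
OGM_XVID_HDR = (b"\x01video\0\0\0XVID" + struct.pack("<I", 56)
                + struct.pack("<qq", 400000, 1)          # time unit / sample unit as in the log above
                + struct.pack("<iiH", 1, 33976, 24) + bytes(6))
OGG_THEORA_FILE = _page(1, THEORA_IDENT, True, 0) + _page(2, VORBIS_IDENT, True, 0)
OGM_FILE = _page(3, OGM_XVID_HDR, True, 0) + _page(4, VORBIS_IDENT, True, 0)

if __name__ == "__main__":
    print(identify_ogg(OGG_THEORA_FILE))   # {1: 'theora', 2: 'vorbis'}
    print(identify_ogg(OGM_FILE))          # {3: 'ogm-video/XVID', 4: 'vorbis'}
```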
Tainted version of 5.2 hasn't been pushed to testing yet Florian, it is still at 5.1.
Ping. The tainted update isn't in Testing yet. At least not on i586.
Sorry, tried to get it submitted, but no luck before. It's currently in the build system, should be available next time your favorite mirrors sync.
Thanks Florian :)
Testing complete on i586 for the srpms
avidemux-2.5.4-5.2.mga1.src.rpm
avidemux-2.5.4-5.2.mga1.tainted.src.rpm
Tested tainted converting to xvid avi and avc mp4 with mp3 audio. Testing complete x86_64

advisory:
-------------------
This update addresses the following CVEs:
- CVE-2011-1196 (denial of service and possible code execution via malformed OGG file)
  http://code.google.com/p/chromium/issues/detail?id=71788
- CVE-2011-3362 (arbitrary code execution via malformed CAVS file)
  http://www.ocert.org/advisories/ocert-2011-002.html
- CVE-2011-1931 (denial of service and possible code execution via malformed AMV file)
  http://seclists.org/bugtraq/2011/Apr/257
- CVE-2011-2161 (denial of service via malformed APE file)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2161
- CVE-2011-0480 (denial of service and possible code execution via crafted WebM file)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0480
- CVE-2011-0723 (denial of service and possible code execution via crafted VC1 file)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0723
- CVE-2010-3429 (arbitrary offset dereference vulnerability in flic video codec)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3429
- CVE-2010-4704 (denial of service via crafted .ogg file)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4704
- CVE-2009-4636 (denial of service via a crafted .aac file that triggers an infinite loop)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4636
- CVE-2011-0722 (denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a malformed RealMedia file)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0722
- CVE-2011-3504 (arbitrary code execution via a crafted Matroska file)
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3504
- CVE-2011-4351 (buffer overflow via error within the QDM2 decoder)
  http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4351.html
- CVE-2011-4352 (buffer overflow within the "vp3_dequant()" function)
  http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4352.html
- CVE-2011-4353 (out-of-bounds reads via errors within the "av_image_fill_pointers()", the "vp5_parse_coeff()", and the "vp6_parse_coeff()" functions)
  http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4353.html
- CVE-2011-4364 (denial of service or arbitrary code execution via a malformed VMD file)
  http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4364.html
- CVE-2011-4579 (memory corruption via an error within the "svq1_decode_frame()" function)
  http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4579.html

Other fixes in this release:
- fix unchecked return values of function "svq3_get_ue_golomb()" that may cause a crash, patch from upstream, rediffed for our ffmpeg:
  http://git.videolan.org/?p=ffmpeg.git;a=patch;h=979bea13003ef489d95d2538ac2fb1c26c6f103b
- several additional vulnerabilities originally discovered by Google Chrome developers were also fixed with this advisory:
  http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/to_upstream/35_mov_bad_timings.patch?revision=25101&view=markup&pathrev=28635
  http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/to_upstream/31_mp3_outlen.patch?revision=25031&view=markup&pathrev=28635
  http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/to_upstream/41_vorbis_zero_samplerate.patch?revision=25230&view=markup&pathrev=28635
-----------------------
SRPMS:
avidemux-2.5.4-5.2.mga1.src.rpm
avidemux-2.5.4-5.2.mga1.tainted.src.rpm

Could sysadmin please push to updates. Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
update pushed
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED