We are already updating ffmpeg 0.6.5 for Mageia 1. But 0.6.6 fixed other security issues here: "This version addresses a number of bugs such as security and compilation issues that have been brought to our attention. Among other fixes, this release includes security updates for the DV decoder (CVE-2011-3929 and CVE-2011-3936), VQA Video Decoder (CVE-2012-0947), DPCM codecs (CVE-2011-3951), AAC SBR (CVE-2012-0850), H.264 (CVE-2012-0851), ADPCM (CVE-2012-0852), Shorten (CVE-2012-0858), and the KMVC decoder (CVE-2011-3952)." Please note that blender is also updated to fix security problems in its bundled ffmpeg, which shares the same code base: DV decoder (CVE-2011-3929 and CVE-2011-3936), nsvdec (CVE-2011-3940), Atrac3 (CVE-2012-0853), mjpegdec (CVE-2011-3947), the VQA video decoder (CVE-2012-0947), DPCM codecs (CVE-2011-3951), H.264 (CVE-2012-0851), ADPCM (CVE-2012-0852), and the KMVC decoder (CVE-2011-3952).
gstreamer0.10-ffmpeg, mplayer, and avidemux should also be updated if we are updating ffmpeg. See the tracker bug for the previous ffmpeg update (Bug 4146). We should also make separate bugs for QA for these different packages.
CC: (none) => luigiwalser
Also, I don't believe the list of CVEs you listed for blender/ffmpeg 0.5.10 is correct. That looks like the CVE list from ffmpeg 0.5.8.
The upstream changelogs show the following.

For ffmpeg 0.5.10, included in the blender update [1]:
- dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951)
- h264: Add check for invalid chroma_format_idc (CVE-2012-0851)
- adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852)
- kmvc: Check palsize (CVE-2011-3952)
- several other bugfixes

For ffmpeg 0.6.6, which will also affect mplayer, gstreamer0.10-ffmpeg, and avidemux once they are built, we have [2]:
- dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
- vqavideo: return error if image size is not a multiple of block size (CVE-2012-0947)
- dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951)
- aacsbr: prevent out of bounds memcpy() (CVE-2012-0850)
- h264: Add check for invalid chroma_format_idc (CVE-2012-0851)
- adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852)
- shorten: check for realloc failure (CVE-2012-0858)
- shorten: Use separate pointers for the allocated memory for decoded samples (CVE-2012-0858)
- kmvc: Check palsize (CVE-2011-3952)
- several other bugfixes

Unfortunately the ffmpeg 0.10.4 changelog [3] (which would affect Mageia 2) has no helpful information, so I don't know if we need an update there.

[1] - http://git.videolan.org/?p=ffmpeg.git;a=blob;f=Changelog;h=3a66ab0b888799d3f0b48fea868c85f3e6454c05;hb=9eaec5b8f010c805fd8e77216a1ec67eb20b1466
[2] - http://git.videolan.org/?p=ffmpeg.git;a=blob;f=Changelog;h=6f753216f5383eb296802efe1dbd3eea0ed589af;hb=62133b38ed043b57eeecbe7fc8b6f187fd92e5e0
[3] - http://git.videolan.org/?p=ffmpeg.git;a=blob;f=Changelog;h=17ca5c9e3881ffa4fc040bef5f7d2868f9b84836;hb=8c0c0e9eb3341fe42a2a9315cef5af21e94c4855
CC: (none) => doktor5000
CC: (none) => shlomif
Component: RPM Packages => Security
This doesn't seem ready for QA yet?
Indeed, and I didn't know Funda wasn't even CC'd on this :o( I'll assign back to him.
CC: (none) => qa-bugs
Assignee: qa-bugs => fundawang
When it's ready, could you create separate bugs for blender, avidemux etc. please?
Digging through the git logs, it looks like in the 0.10 branch, previous fixes for CVE-2012-0851 and CVE-2011-3937 were accidentally reverted, and they were put back in 0.10.4. So that means we need to update ffmpeg in Mageia 2 as well.
- h264: Add check for invalid chroma_format_idc (CVE-2012-0851)
- h263dec: Disallow width/height changing with frame threads (CVE-2011-3937)

Do we have any packages in Mageia 2 still building an internal copy of ffmpeg?
Ugh, it looks like avidemux comes with an internal copy of ffmpeg-0.9. The following CVEs have been fixed since; the current 0.9 is 0.9.2.
- vqavideodev: Check image dimensions, fixes out of heap array read (CVE-2012-0947)
- vorbis: make sure ch is non zero before calling vorbis_residue_decode (CVE-2011-3895)
- ogg: Avoid the possibility to read out-of-bounds of a static global array in Vorbis decoding (CVE-2011-3893)
- mkv: Fix a bug where a pointer was cached to an array that might later move due to a realloc() (CVE-2011-3893)

We should update its internal copy to that if it can't build against system 0.10.
CC: (none) => anssi.hannula
For ffmpeg 0.6.6, here's a more complete CVE list:
- nsvdec: Fix use of uninitialized streams, Be more careful with av_malloc(), nsvdec: Propagate errors (CVE-2011-3940)
- dv: Fix small stack overread, check stype, Fix null pointer dereference due to ach=0 (CVE-2011-3929 and CVE-2011-3936)
- atrac3: Fix crash in tonal component decoding (CVE-2012-0853)
- mjpegbdec: Fix overflow in SOS (CVE-2011-3947)
- kgv1dec: Increase offsets array size so it is large enough (CVE-2011-3945)
- vqavideo: return error if image size is not a multiple of block size (CVE-2012-0947)
- dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951)
- aacsbr: prevent out of bounds memcpy() (CVE-2012-0850)
- h264: Add check for invalid chroma_format_idc (CVE-2012-0851)
- adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852)
- shorten: check for realloc failure (CVE-2012-0858)
- shorten: Use separate pointers for the allocated memory for decoded samples (CVE-2012-0858)
- kmvc: Check palsize (CVE-2011-3952)
- several other bugfixes
Depends on: (none) => 6483
Depends on: (none) => 6484
Depends on: (none) => 6485
Depends on: (none) => 6486
OK, I've converted this into a tracking bug. Here's the current status.

Mageia 1:
- ffmpeg - Bug 6484
- mplayer - Bug 6483
- blender - Bug 6485
- gstreamer0.10-ffmpeg - not fixed
- avidemux - not fixed (needs fixes from ffmpeg 0.6.6)

Mageia 2:
- ffmpeg - Bug 6486
- avidemux - not fixed (needs fixes from ffmpeg 0.9.2)
(In reply to comment #10)
> OK I've converted this into a tracking bug. Here's the current status.

Setting TRACKER keyword.
Keywords: (none) => TRACKER
CC: (none) => marja11
Apparently gstreamer0.10-ffmpeg was changed to use external ffmpeg in the previous update (Bug 4152). If so, all that needs fixing is avidemux.
I'm looking through the avidemux 2.5.6 (from Mageia 2/Cauldron) tarball, and I don't see any ffmpeg code. However, I saw this in the avidemux 2.5.6 release announcement [1]:

*Updated the FFmpeg libraries (version 0.9)

Am I missing something?

[1] - http://fixounet.free.fr/avidemux/news.html
Looking at the avidemux from Mageia 1 ChangeLog, it's missing the fixes from ffmpeg 0.6.5 (included in the previous mplayer update in January) as well.
(In reply to comment #13)
> I'm looking through the avidemux 2.5.6 (from Mageia 2/Cauldron) tarball, and I
> don't see any ffmpeg code. However, I saw this in the avidemux 2.5.6 release
> announcement [1]:
> *Updated the FFmpeg libraries (version 0.9)
>
> Am I missing something?
>
> [1] - http://fixounet.free.fr/avidemux/news.html

It's a bundled tarball in avidemux/ADM_libraries (thanks Florian).
Depends on: (none) => 6955
Depends on: (none) => 6956
Final list.

Mageia 1:
- ffmpeg - Bug 6484
- mplayer - Bug 6483
- blender - Bug 6485
- avidemux - Bug 6955

Mageia 2:
- ffmpeg - Bug 6486
- avidemux - Bug 6956
All better now :o)
Status: NEW => RESOLVED
Resolution: (none) => FIXED