Bug 6484 - ffmpeg new security issues fixed in 0.6.6 [mga1]
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal
Severity: normal
Assigned To: QA Team
Whiteboard: mga1-64-OK, mga1-32-OK
Keywords: validated_update
Related bug: 6427
Reported: 2012-06-17 00:25 CEST by David Walser
Modified: 2012-07-09 17:02 CEST
Source RPM: ffmpeg-0.6.5-0.1.mga1.src.rpm

Description David Walser 2012-06-17 00:25:58 CEST
ffmpeg 0.6.6 was released on June 9th, fixing several security issues.

An updated package was uploaded by Funda Wang.

Advisory:
========================

Updated mplayer packages fix security vulnerabilities:

* nsvdec: Fix use of uninitialized streams, Be more careful with
          av_malloc(), nsvdec: Propagate errors (CVE-2011-3940)

* dv: Fix small stack overread, check stype, Fix null pointer
      dereference due to ach=0 (CVE-2011-3929 and CVE-2011-3936)

* atrac3: Fix crash in tonal component decoding (CVE-2012-0853)

* mjpegbdec: Fix overflow in SOS (CVE-2011-3947)

* kgv1dec: Increase offsets array size so it is large enough
           (CVE-2011-3945)

* vqavideo: return error if image size is not a multiple of block size
            (CVE-2012-0947)

* dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951)

* aacsbr: prevent out of bounds memcpy() (CVE-2012-0850)

* h264: Add check for invalid chroma_format_idc (CVE-2012-0851)

* adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852)

* shorten: Use separate pointers for the allocated memory for decoded
           samples, check for realloc failure (CVE-2012-0858)

* kmvc: Check palsize (CVE-2011-3952)

* several other bugs were fixed as well, see the ChangeLog

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0852
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0947
http://git.videolan.org/?p=ffmpeg.git;a=blob;f=Changelog;h=6f753216f5383eb296802efe1dbd3eea0ed589af;hb=62133b38ed043b57eeecbe7fc8b6f187fd92e5e0
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-0.6.6-0.1.mga1
libavformats52-0.6.6-0.1.mga1
libavutil50-0.6.6-0.1.mga1
libffmpeg-devel-0.6.6-0.1.mga1
libffmpeg-static-devel-0.6.6-0.1.mga1
libffmpeg52-0.6.6-0.1.mga1
libpostproc51-0.6.6-0.1.mga1
libswscaler0-0.6.6-0.1.mga1

from ffmpeg-0.6.6-0.1.mga1.src.rpm
Comment 1 David Walser 2012-06-17 00:30:42 CEST
Whoops, fixing the advisory.

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

* nsvdec: Fix use of uninitialized streams, Be more careful with
          av_malloc(), nsvdec: Propagate errors (CVE-2011-3940)

* dv: Fix small stack overread, check stype, Fix null pointer
      dereference due to ach=0 (CVE-2011-3929 and CVE-2011-3936)

* atrac3: Fix crash in tonal component decoding (CVE-2012-0853)

* mjpegbdec: Fix overflow in SOS (CVE-2011-3947)

* kgv1dec: Increase offsets array size so it is large enough
           (CVE-2011-3945)

* vqavideo: return error if image size is not a multiple of block size
            (CVE-2012-0947)

* dpcm: ignore extra unpaired bytes in stereo streams (CVE-2011-3951)

* aacsbr: prevent out of bounds memcpy() (CVE-2012-0850)

* h264: Add check for invalid chroma_format_idc (CVE-2012-0851)

* adpcm: ADPCM Electronic Arts has always two channels (CVE-2012-0852)

* shorten: Use separate pointers for the allocated memory for decoded
           samples, check for realloc failure (CVE-2012-0858)

* kmvc: Check palsize (CVE-2011-3952)

* several other bugs were fixed as well, see the ChangeLog

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0852
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0947
http://git.videolan.org/?p=ffmpeg.git;a=blob;f=Changelog;h=6f753216f5383eb296802efe1dbd3eea0ed589af;hb=62133b38ed043b57eeecbe7fc8b6f187fd92e5e0
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-0.6.6-0.1.mga1
libavformats52-0.6.6-0.1.mga1
libavutil50-0.6.6-0.1.mga1
libffmpeg-devel-0.6.6-0.1.mga1
libffmpeg-static-devel-0.6.6-0.1.mga1
libffmpeg52-0.6.6-0.1.mga1
libpostproc51-0.6.6-0.1.mga1
libswscaler0-0.6.6-0.1.mga1

from ffmpeg-0.6.6-0.1.mga1.src.rpm
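A small pure-shell check, added here and not part of the bug report or the Mageia QA tooling, that a tester could run to confirm every package from the list above is installed at the 0.6.6-0.1.mga1 build. It parses the output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`; the sample output below is constructed rather than taken from a real system.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that each package of the
# ffmpeg 0.6.6 update is installed at the expected version-release.
# Real usage: check_update "$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' $PACKAGES)"

EXPECTED_VR="0.6.6-0.1.mga1"
PACKAGES="ffmpeg libavformats52 libavutil50 libffmpeg-devel
libffmpeg-static-devel libffmpeg52 libpostproc51 libswscaler0"

# check_update <rpm_query_output>
# Prints one OK / STALE / MISSING line per package and returns 0 only when
# every package is present at $EXPECTED_VR. A "package X is not installed"
# line from rpm never matches "^name-<digit>", so it is reported as MISSING.
check_update() {
    _out=$1
    _rc=0
    for _p in $PACKAGES; do
        # Anchor on "name-<digit>" so libffmpeg-devel does not match
        # libffmpeg-static-devel or libffmpeg52.
        _line=$(printf '%s\n' "$_out" | grep "^$_p-[0-9]" | head -n 1)
        if [ -z "$_line" ]; then
            echo "MISSING $_p"; _rc=1
        elif [ "$_line" = "$_p-$EXPECTED_VR" ]; then
            echo "OK      $_line"
        else
            echo "STALE   $_line (want $_p-$EXPECTED_VR)"; _rc=1
        fi
    done
    return $_rc
}

# Constructed sample: libavutil50 still at the previous 0.6.5 build and
# libswscaler0 not installed at all, so the check must fail.
SAMPLE="ffmpeg-0.6.6-0.1.mga1
libavformats52-0.6.6-0.1.mga1
libavutil50-0.6.5-0.1.mga1
libffmpeg-devel-0.6.6-0.1.mga1
libffmpeg-static-devel-0.6.6-0.1.mga1
libffmpeg52-0.6.6-0.1.mga1
libpostproc51-0.6.6-0.1.mga1
package libswscaler0 is not installed"

check_update "$SAMPLE" || echo "update incomplete on this system"
```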
Comment 2 Dave Hodgins 2012-06-28 23:30:07 CEST
Testing Mageia 1 i586 now.
Comment 3 Dave Hodgins 2012-06-29 02:53:35 CEST
In Mageia 2, the following command works
ffmpeg -t 10 -f video4linux2 -s 160x120 -r 25 -i /dev/video0 -f alsa -i default -f mpeg webcam.mpeg

In Mageia 1, it fails with ...
[video4linux2 @ 0x8d60440]Cannot find a proper format for codec_id 0, pix_fmt -1.
/dev/video0: Input/output error

This is not a regression, but I have no idea why it's failing in Mageia 1.
Comment 4 Dave Hodgins 2012-06-29 03:44:59 CEST
I've also noticed that on Mageia 1, the man pages are missing.
Again, not a regression.
Comment 5 Dave Hodgins 2012-06-29 05:34:58 CEST
After running "cp /usr/share/doc/ffmpeg/ffserver.conf /etc"
ffserver fails with ...
bind(port 8090): Invalid argument

It works on Mageia 2. I'll check later to see if this is a regression.
Comment 6 claire robinson 2012-06-29 14:42:20 CEST
testing x86_64 mga1
Comment 7 William Murphy 2012-07-01 02:21:28 CEST
Testing on Mageia 1 i586 and x86_64 from both core and tainted repos.

Moving ffserver.conf to /etc as-is and running ffserver has the same results as Dave's in both i586 and x86_64. Worked correctly in Mageia 2 i586 and x86_64, but failed for both archs in Mageia 1 with:
bind(port 8090): Invalid argument

But testing ffmpeg with the webcam had the opposite results from what Dave had. In Mageia 1, this worked correctly:
ffmpeg -t 10 -f video4linux2 -s 160x120 -r 25 -i /dev/video0 -f alsa -i default -f mpeg webcam.mpeg

But in Mageia 2 it failed with:
[video4linux2,v4l2 @ 0x17480a0] ioctl set time per frame(1/25) failed.

On both archs, installed and tested from core repo first, then tainted. The only difference was formats not supported in the core repos (like mkv) were converted correctly using the tainted repos.
Comment 8 William Murphy 2012-07-01 17:40:11 CEST
Only found a couple of PoC test cases and neither caused the described errors before or after updates.

Tested using a variety of input media (avi, mp4, mov, mkv, flv, vqa), converting to variety of other formats using codecs from the advisory, when possible, with very few problems.

Not all combinations of formats and codecs were checked.

Testing for ffmpeg-0.6.6-0.1.mga1.src.rpm complete.

---------------------------------------------------------------------------------
Update validated.
Thanks.

Advisory:
=========
Advisory from comment 1 by David Walser

Could sysadmin please push from {core,tainted}/updates_testing to {core,tainted}/updates.

SRPMS:
ffmpeg-0.6.6-0.1.mga1.src.rpm
Comment 9 Thomas Backlund 2012-07-09 17:02:58 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0142