Bug 6486 - ffmpeg new security issues fixed in 0.10.4 [mga2]
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: mga2-64-OK, mga2-32-OK
: validated_update
: 2317
: 6427
Reported: 2012-06-17 01:01 CEST by David Walser
Modified: 2012-07-09 23:45 CEST (History)
Source RPM: ffmpeg-0.10.3-1.mga2.src.rpm

Description David Walser 2012-06-17 01:01:30 CEST
ffmpeg 0.10.4 was released on June 9th, fixing two security issues.

It was committed to SVN by Funda Wang, and I submitted it to the build system.

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

* h264: Add check for invalid chroma_format_idc (CVE-2012-0851)

* h263dec: Disallow width/height changing with frame threads
           (CVE-2011-3937)

These issues had been fixed in previous ffmpeg releases, but the fixes
were accidentally reverted before 0.10.3.  This updates ffmpeg to
0.10.4 which fixes these issues again and fixes other bugs as well.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0851
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-0.10.4-1.mga2
libavcodec53-0.10.4-1.mga2
libpostproc52-0.10.4-1.mga2
libavformat53-0.10.4-1.mga2
libavutil51-0.10.4-1.mga2
libswscaler2-0.10.4-1.mga2
libavfilter2-0.10.4-1.mga2
libswresample0-0.10.4-1.mga2
libffmpeg-devel-0.10.4-1.mga2
libffmpeg-static-devel-0.10.4-1.mga2

from ffmpeg-0.10.4-1.mga2.src.rpm
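
The first advisory item is a range check on a bitstream field. As an added example (not FFmpeg's code and not part of the original report), this C code decodes an Exp-Golomb ue(v) field and accepts only 0..3, the values H.264 defines for chroma_format_idc. The BitReader helper, the function names, and the assumption that the buffer starts exactly at the field are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal MSB-first bit reader (hypothetical helper, not an FFmpeg API). */
typedef struct { const uint8_t *buf; size_t size_bits, pos; } BitReader;

static int read_bit(BitReader *br) {
    if (br->pos >= br->size_bits) return -1;          /* ran out of data */
    int bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* Unsigned Exp-Golomb ue(v): N leading zero bits, a 1 bit, then N info bits.
 * Returns -1 on truncated input or an implausibly long prefix. */
static int64_t read_ue(BitReader *br) {
    int zeros = 0, bit;
    while ((bit = read_bit(br)) == 0)
        if (++zeros > 31) return -1;
    if (bit < 0) return -1;
    uint64_t info = 0;
    for (int i = 0; i < zeros; i++) {
        if ((bit = read_bit(br)) < 0) return -1;
        info = (info << 1) | (uint64_t)bit;
    }
    return (int64_t)((((uint64_t)1) << zeros) - 1 + info);
}

/* Reads chroma_format_idc and rejects anything outside 0..3
 * (0 = monochrome, 1 = 4:2:0, 2 = 4:2:2, 3 = 4:4:4).
 * Returns the value, or -1 if the field is truncated or out of range. */
int parse_chroma_format_idc(const uint8_t *data, size_t len) {
    BitReader br = { data, len * 8, 0 };
    int64_t v = read_ue(&br);
    if (v < 0 || v > 3) return -1;   /* validate before the value is used */
    return (int)v;
}
```
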
Comment 1 claire robinson 2012-06-19 13:24:05 CEST
No PoCs
Comment 2 Simon Putt 2012-06-19 14:33:27 CEST
Been working ok for the little transcoding jobs I've been doing (mostly phone movies to mp4)
Comment 3 Zoltan Balaton 2012-06-25 23:58:15 CEST
Found a test file for CVE-2012-0851 here:
http://ffmpeg.org/trac/ffmpeg/ticket/758
pointed to by this message:
http://www.openwall.com/lists/oss-security/2012/02/14/4

My 0.10.3-1 version ffmpeg on mga2 x86_64 did not crash but gave a lot of error messages to this file. I can't test the update though because I'm using a locally compiled ffmpeg package which is slightly different (to remove some dependencies I don't like).
Comment 4 William Murphy 2012-07-01 18:02:46 CEST
Testing on Mageia 2 i586 and x86_64 from both core and tainted repos.

Had the same results as Zoltan for the CVE-2012-0851 test case. 

Tested for Mageia 1 as well and posted details for both in bug 6484, comment 7

Testing for ffmpeg-0.10.4-1.mga2.src.rpm complete.

-------------------------------------------------------------------------------
Update validated.
Thanks.

Advisory:
=========
Updated ffmpeg packages fix security vulnerabilities:

* h264: Add check for invalid chroma_format_idc (CVE-2012-0851)

* h263dec: Disallow width/height changing with frame threads
           (CVE-2011-3937)

These issues had been fixed in previous ffmpeg releases, but the fixes
were accidentally reverted before 0.10.3.  This updates ffmpeg to
0.10.4 which fixes these issues again and fixes other bugs as well.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0851
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-0.10.4-1.mga2
libavcodec53-0.10.4-1.mga2
libpostproc52-0.10.4-1.mga2
libavformat53-0.10.4-1.mga2
libavutil51-0.10.4-1.mga2
libswscaler2-0.10.4-1.mga2
libavfilter2-0.10.4-1.mga2
libswresample0-0.10.4-1.mga2
libffmpeg-devel-0.10.4-1.mga2
libffmpeg-static-devel-0.10.4-1.mga2

from ffmpeg-0.10.4-1.mga2.src.rpm

-------------------------------------------------------------------------------

Could sysadmin please push from {core,tainted}/updates_testing to
{core,tainted}/updates.

SRPMS:
ffmpeg-0.10.4-1.mga2.src.rpm
Comment 5 Thomas Backlund 2012-07-09 17:15:21 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0143
Comment 6 claire robinson 2012-07-09 18:23:13 CEST
Sorry Thomas, this is affected by bug 2317 on updates from core/release to tainted updates.

./depcheck lib64avcodec53 "Core Release" "Tainted Updates Testing"
----------------------------------------
Running checks for "lib64avcodec53" using media
"Core Release" and "Tainted Updates Testing".
----------------------------------------
Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is lib64avcodec53-0.10.3-1.mga2
Latest version found in "Tainted Updates Testing" is lib64avcodec53-0.10.4-1.mga2.tainted
----------------------------------------
The following packages will require linking:

lib64lame0-3.99.5-1.mga2.tainted (Tainted Release)
lib64opencore-amr0-0.1.2-3.mga1 (Tainted Release)
lib64vo-aacenc0-0.1.1-2.mga2.tainted (Tainted Release)
lib64vo-amrwbenc0-0.1.1-3.mga2.tainted (Tainted Release)
lib64x264_120-0.120-0.20120306.stable.1.mga2.tainted (Tainted Release)
lib64xvid4-1.3.1-2.mga1 (Tainted Release)
----------------------------------------
Done.

These were spotted early on with mga1 so were never an issue once linked; we have to be aware of them now at this stage of mga2.
Comment 7 Thomas Backlund 2012-07-09 18:36:19 CEST
Linking done
Comment 8 claire robinson 2012-07-09 19:47:06 CEST
Some more Thomas, the devel's. I've been through all the rpm's now so this *hopefully* should be all of them. It's still quite a manual process.

Sorry you are being inconvenienced too :(

./depcheck lib64ffmpeg-devel "Core Release" "Tainted Updates Testing"
----------------------------------------
Running checks for "lib64ffmpeg-devel" using media
"Core Release" and "Tainted Updates Testing".
----------------------------------------
Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is lib64ffmpeg-devel-0.10.3-1.mga2
Latest version found in "Tainted Updates Testing" is lib64ffmpeg-devel-0.10.4-1.mga2.tainted
----------------------------------------
The following packages will require linking:

lib64lame-devel-3.99.5-1.mga2.tainted (Tainted Release)
lib64opencore-amr-devel-0.1.2-3.mga1 (Tainted Release)
lib64vo-aacenc-devel-0.1.1-2.mga2.tainted (Tainted Release)
lib64vo-amrwbenc-devel-0.1.1-3.mga2.tainted (Tainted Release)
lib64x264-devel-0.120-0.20120306.stable.1.mga2.tainted (Tainted Release)
lib64xvid-devel-1.3.1-2.mga1 (Tainted Release)
----------------------------------------
Done.
Comment 9 Thomas Backlund 2012-07-09 23:45:23 CEST
devel packages linked
