Bug 8065 - ffmpeg new security issues fixed in 0.10.6
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
Whiteboard: has_procedure mga2-64-OK mga2-32-OK
Keywords: validated_update
Reported: 2012-11-13 13:48 CET by David Walser
Modified: 2012-11-17 17:30 CET (History)

Source RPM: ffmpeg-0.10.3-1.mga2.src.rpm


Description David Walser 2012-11-13 13:48:19 CET
CVE-2012-2796, CVE-2012-2775, CVE-2012-2772, CVE-2012-2776,
CVE-2012-2779, CVE-2012-2787, CVE-2012-2794, CVE-2012-2800,
CVE-2012-2802, CVE-2012-2801, CVE-2012-2786, CVE-2012-2798,
CVE-2012-2793, CVE-2012-2789, CVE-2012-2788, CVE-2012-2790,
CVE-2012-2777, CVE-2012-2784

according to http://ffmpeg.org/security.html

Some of the same CVEs were fixed in 0.11, with descriptions here:
http://lwn.net/Vulnerabilities/524579/
Comment 1 David Walser 2012-11-13 19:05:04 CET
Built by Funda.  Thanks!

Luckily this time, this is the only package that needs to be updated.

This can now be tested.  We'll need an advisory before release.

Packages built (in core and tainted):
ffmpeg-0.10.6-1.mga2
libavcodec53-0.10.6-1.mga2
libpostproc52-0.10.6-1.mga2
libavformat53-0.10.6-1.mga2
libavutil51-0.10.6-1.mga2
libswscaler2-0.10.6-1.mga2
libavfilter2-0.10.6-1.mga2
libswresample0-0.10.6-1.mga2
libffmpeg-devel-0.10.6-1.mga2
libffmpeg-static-devel-0.10.6-1.mga2

from ffmpeg-0.10.6-1.mga2.src.rpm
Comment 2 claire robinson 2012-11-13 19:43:30 CET
All seem to be 'Unspecified vulnerability' so no PoCs.
Comment 3 David Walser 2012-11-14 00:10:09 CET
We can get some short descriptions from the git log, but it'll take some time to dig them out, since they weren't helpfully copy and pasted into the ChangeLog upstream.

http://git.videolan.org/?p=ffmpeg.git;a=log;h=refs/heads/release/0.10
Comment 4 David Walser 2012-11-14 14:31:11 CET
Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

* vc1dec: check that coded slice positions and interlacing match. This
fixes out of array writes (CVE-2012-2796)

* alsdec: fix number of decoded samples in first sub-block in BGMC mode
(CVE-2012-2790)

* cavsdec: check for changing w/h. Our decoder does not support changing
w/h (CVE-2012-2777, CVE-2012-2784)

* indeo4: update AVCodecContext width/height on size change (CVE-2012-2787)

* avidec: use actually read size instead of requested size (CVE-2012-2788)

* wmaprodec: check num_vec_coeffs for validity (CVE-2012-2789)

* lagarith: check count before writing zeros (CVE-2012-2793)

* indeo3: fix out of cell write (CVE-2012-2776)

* indeo5: check tile size in decode_mb_info(). This prevents writing into
a too small array if some parameters changed without the tile being
reallocated (CVE-2012-2794)

* indeo5dec: Make sure we have had a valid gop header. This prevents
decoding happening on a half initialized context (CVE-2012-2779)

* indeo4/5: check empty tile size in decode_mb_info(). This prevents
writing into a too small array if some parameters changed without the
tile being reallocated (CVE-2012-2800)

* dfa: improve boundary checks in decode_dds1() (CVE-2012-2798)

* dfa: check that the caller set width/height properly (CVE-2012-2786)

* avsdec: Set dimensions instead of relying on the demuxer. The decode
function assumes that the video will have those dimensions (CVE-2012-2801)

* ac3dec: ensure get_buffer() gets a buffer for the correct number of
channels (CVE-2012-2802)

* rv34: error out on size changes with frame threading (CVE-2012-2772)

* alsdec: check opt_order. Fixes out of array write in quant_cof. Also
make sure no invalid opt_order stays in the context (CVE-2012-2775)

This updates ffmpeg to version 0.10.6 which contains the security fixes
above as well as other bug fixes.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2779
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2802
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2789
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2784
http://git.videolan.org/?p=ffmpeg.git;a=log;h=refs/heads/release/0.10
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-0.10.6-1.mga2
libavcodec53-0.10.6-1.mga2
libpostproc52-0.10.6-1.mga2
libavformat53-0.10.6-1.mga2
libavutil51-0.10.6-1.mga2
libswscaler2-0.10.6-1.mga2
libavfilter2-0.10.6-1.mga2
libswresample0-0.10.6-1.mga2
libffmpeg-devel-0.10.6-1.mga2
libffmpeg-static-devel-0.10.6-1.mga2

from ffmpeg-0.10.6-1.mga2.src.rpm
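As an added illustration (not ffmpeg's code and not part of this bug) of the bounds-check class of fix the advisory lists, e.g. "lagarith: check count before writing zeros" (CVE-2012-2793): a constructed run-length decoder whose unchecked form trusts the run length taken from the input, shown beside the hardened form that validates that length against the remaining output space before writing. The input format, function names and sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of "check count before writing zeros". This is NOT
 * ffmpeg's code; the format below is invented for the example: a byte with the
 * high bit set means "write (byte & 0x7f) zero bytes", any other byte is a
 * literal copied to the output. */

enum { ILLUSTRATION_ERR_BOUNDS = -1 };

/* Unhardened variant: the run length comes straight from untrusted input and is
 * never compared with the space left in dst, so a long run writes past the end
 * of the output array. Kept only to show what the check below prevents; it is
 * not called by main() or the test. */
int decode_runs_unchecked(const uint8_t *src, size_t src_len,
                          uint8_t *dst, size_t dst_len)
{
    size_t out = 0;
    (void)dst_len;                       /* the bug: dst_len is ignored */
    for (size_t i = 0; i < src_len; i++) {
        if (src[i] & 0x80) {
            size_t count = src[i] & 0x7f;
            memset(dst + out, 0, count); /* may overrun dst */
            out += count;
        } else {
            dst[out++] = src[i];         /* may overrun dst */
        }
    }
    return (int)out;
}

/* Hardened variant: every write is checked against the remaining output space.
 * out never exceeds dst_len, so dst_len - out cannot underflow. */
int decode_runs_checked(const uint8_t *src, size_t src_len,
                        uint8_t *dst, size_t dst_len)
{
    size_t out = 0;
    for (size_t i = 0; i < src_len; i++) {
        if (src[i] & 0x80) {
            size_t count = src[i] & 0x7f;
            if (count > dst_len - out)   /* the added bounds check */
                return ILLUSTRATION_ERR_BOUNDS;
            memset(dst + out, 0, count);
            out += count;
        } else {
            if (out >= dst_len)
                return ILLUSTRATION_ERR_BOUNDS;
            dst[out++] = src[i];
        }
    }
    return (int)out;
}

/* Constructed well-formed input: 'A', a run of 3 zeros, 'B' -> 5 output bytes. */
int decode_sample_good(void)
{
    static const uint8_t in[] = {0x41, 0x83, 0x42};
    uint8_t out[8];
    return decode_runs_checked(in, sizeof in, out, sizeof out);
}

/* Same input; returns 1 if the produced bytes are exactly 41 00 00 00 42. */
int decode_sample_good_matches(void)
{
    static const uint8_t in[]   = {0x41, 0x83, 0x42};
    static const uint8_t want[] = {0x41, 0x00, 0x00, 0x00, 0x42};
    uint8_t out[8];
    memset(out, 0xAA, sizeof out);       /* poison so written zeros are visible */
    int n = decode_runs_checked(in, sizeof in, out, sizeof out);
    return n == (int)sizeof want && memcmp(out, want, sizeof want) == 0;
}

/* Constructed hostile input: 'A' then a run of 127 zeros into an 8-byte buffer.
 * The hardened decoder refuses it instead of writing past the array. */
int decode_sample_oversized(void)
{
    static const uint8_t in[] = {0x41, 0xff};
    uint8_t out[8];
    return decode_runs_checked(in, sizeof in, out, sizeof out);
}

int main(void)
{
    printf("good input: %d bytes produced, contents %s\n",
           decode_sample_good(), decode_sample_good_matches() ? "ok" : "WRONG");
    printf("oversized run: result %d (expected %d)\n",
           decode_sample_oversized(), ILLUSTRATION_ERR_BOUNDS);
    return 0;
}
```

The point the advisory's fixes share is that every length, count or dimension parsed from the file must be compared with the buffer it is about to touch, at the moment of the write; the decoder returns an error rather than trusting the stream.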
Comment 5 claire robinson 2012-11-16 12:20:07 CET
Some testing ideas here: http://rodrigopolo.com/ffmpeg/cheats.html#FFmpeg_Encoding
Comment 6 claire robinson 2012-11-16 13:58:47 CET
Testing complete x86_64

Converted an mkv to flv, avi & wmv. Then the flv back to mkv.

Most can be converted with just:

$ ffmpeg -i input.mkv output.avi (etc)

wmv needed

$ ffmpeg -i input.mkv -an -scodec copy output.wmv

After installing tainted version converted to mov

All OK
Comment 7 claire robinson 2012-11-16 14:24:52 CET
Testing complete i586

Also noticed it using libx264, libmp3lame with tainted.

Validating

srpm & advisory in comment 4

Could sysadmin please push to core/tainted updates

Thanks!
Comment 8 Thomas Backlund 2012-11-17 17:30:39 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0331
