Bug 8881 - ffmpeg new security issues fixed upstream in 0.10.7
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/534672/
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Keywords: validated_update
 
Reported: 2013-01-29 02:02 CET by David Walser
Modified: 2013-05-09 12:30 CEST

Source RPM: ffmpeg-0.10.6-1.mga2.src.rpm

Description David Walser 2013-01-29 02:02:39 CET
Ubuntu has issued an advisory today (January 28):
http://www.ubuntu.com/usn/usn-1705-1/

It includes the following CVEs, which have been fixed in upstream git [1], since our last update to 0.10.6:
CVE-2012-5144
CVE-2012-2783
CVE-2012-2797
CVE-2012-2803
CVE-2012-2804
CVE-2012-2783
CVE-2012-2791

The other CVEs it lists were fixed in our update to 0.10.6.

I don't know if they plan to issue a 0.10.7 release upstream, or if we will have to pull git or patch it and issue an update.

[1] - http://git.videolan.org/?p=ffmpeg.git;a=log;h=refs/heads/release/0.10

Comment 1 David Walser 2013-05-02 23:54:43 CEST
ffmpeg 0.10.7 was released on April 10.

Additional CVEs they've fixed since I posted this bug:
CVE-2012-2882
CVE-2013-0894
CVE-2013-2277
CVE-2013-2495

Comment 2 David Walser 2013-05-03 00:30:17 CEST
Updated packages uploaded for Mageia 2.

Note to QA: previous ffmpeg update was Bug 8065.

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

ivi_common: check that scan pattern is set before using it (CVE-2012-2791).

vp56: release frames on error (CVE-2012-2783).

mpeg12: do not decode extradata more than once (CVE-2012-2803).

mp3: properly forward mp_decode_frame errors (CVE-2012-2797).

vp6: properly fail on unsupported feature (CVE-2012-2783).

aacdec: Fix an off-by-one overwrite when switching to LTP profile from
MAIN (CVE-2012-5144).

indeo3: ensure that decoded cell data is in 7-bit range as presumed by
decoder; when freeing buffers, set pointers referencing them to NULL as
well; initialise pixel planes on allocation (CVE-2012-2804).

oggdec: make sure the private parse data is cleaned up (CVE-2012-2882).

vorbisdec: Error on bark_map_size equal to 0 (CVE-2013-0894).

h264: check for luma and chroma bit depth being equal (CVE-2013-2277).

iff: validate CMAP palette size (CVE-2013-2495).

This updates ffmpeg to version 0.10.7 which contains the security fixes
above as well as other bug fixes.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2804
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2495
http://git.videolan.org/?p=ffmpeg.git;a=log;h=refs/heads/release/0.10
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-0.10.7-1.mga2
libavcodec53-0.10.7-1.mga2
libpostproc52-0.10.7-1.mga2
libavformat53-0.10.7-1.mga2
libavutil51-0.10.7-1.mga2
libswscaler2-0.10.7-1.mga2
libavfilter2-0.10.7-1.mga2
libswresample0-0.10.7-1.mga2
libffmpeg-devel-0.10.7-1.mga2
libffmpeg-static-devel-0.10.7-1.mga2

from ffmpeg-0.10.7-1.mga2.src.rpm

Comment 4 claire robinson 2013-05-07 11:06:57 CEST
Also, there are 2 SRPMs:

ffmpeg-0.10.7-1.mga2.src.rpm
ffmpeg-0.10.7-1.mga2.tainted.src.rpm

Comment 5 claire robinson 2013-05-07 11:16:21 CEST
Testing complete mga2 64

Comment 6 claire robinson 2013-05-07 11:34:56 CEST
Testing complete mga2 32

Validating

Could sysadmin please push from core/updates_testing to core/updates?

Thanks!

Comment 7 Thomas Backlund 2013-05-09 12:30:44 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0136
