Bug 365273 - <media-video/ffmpeg-0.7_rc1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://ffmpeg.org/releases/ffmpeg-0.6...
Whiteboard: B2 [glsa]
Depends on: 367437 367501
Reported: 2011-04-29 03:57 UTC by Tim Sammut (RETIRED)
Modified: 2013-10-25 19:11 UTC
Description Tim Sammut (RETIRED) gentoo-dev 2011-04-29 03:57:17 UTC
From the changelog at $URL:

version 0.6.3:
- AMV: Fix possibly exploitable crash.
- Fix apparently exploitable race condition.

A little additional information is available at:
http://archives.neohapsis.com/archives/bugtraq/2011-04/0258.html
Comment 1 Alexis Ballier gentoo-dev 2011-04-29 15:11:00 UTC
0.7_rc1 has that fix and you should also check libav
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-05-10 04:53:15 UTC
(In reply to comment #1)
> 0.7_rc1 has that fix and you should also check libav

Is there a fixed version of ffmpeg that is a suitable target for stabilization?

@video, can anyone comment on libav impact? Thanks!
Comment 3 Alexis Ballier gentoo-dev 2011-05-10 15:17:42 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > 0.7_rc1 has that fix and you should also check libav
> 
> Is there a fixed version of ffmpeg that is a suitable target for stabilization?

Since this version uses the old api/abi, this is a good target for stabilisation (after a tinderbox run) imho
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2011-05-15 11:02:59 UTC
I will run the tinderbox check on behalf of QA. Is 0.7_rc1 the correct ffmpeg target?
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-05-17 14:15:57 UTC
I am done with testing. I found 2 packages which fail to work against this version of ffmpeg
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-05-18 01:46:21 UTC
(In reply to comment #5)
> I am done with testing. I found 2 packages which fail to work against this
> version of ffmpeg

Thanks for doing this, Markos.
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-10 09:46:23 UTC
B2-rated vulnerabilities are expected to be fixed within 10 days. We can't wait a month if one package fails to build (and another B2-rated vulnerability is blocked on this, bug #370481). Can we proceed with the stabilization?
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-15 19:06:44 UTC
Blockers should be fixed, let's do the stabilization. Arches, here's your list:

=media-video/ffmpeg-0.7_rc1
=virtual/ffmpeg-0.6.90
=media-libs/FusionSound-1.1.1-r1

They should all be stabilized together and the last one is needed to fix a compatibility issue in current stable version (it wouldn't compile with new ffmpeg).
Comment 9 Thomas Kahle (RETIRED) gentoo-dev 2011-06-16 05:23:47 UTC
(In reply to comment #8)
> Blockers should be fixed, let's do the stabilization. Arches, here's your list:
> 
> =media-video/ffmpeg-0.7_rc1
> =virtual/ffmpeg-0.6.90
> =media-libs/FusionSound-1.1.1-r1
> 
> They should all be stabilized together and the last one is needed to fix a
> compatibility issue in current stable version (it wouldn't compile with new
> ffmpeg).

What about USE="encode aac" which requires media-libs/vo-aacenc ?
Is this safe?
Comment 10 Ian Delaney (RETIRED) gentoo-dev 2011-06-16 10:34:44 UTC
amd64:

This will be interesting.


Now by rights I ought to try all use flags. For now, test phase fails. I have added the already filed bug for test failure which already has a build log. If you want mine, just say "the word". For now, use=test fails.

A couple of use flags require:

=media-libs/vo-amrwbenc-0.1.0 ~amd64
>=media-libs/libvpx-0.9.6 ~amd64
Comment 11 Ian Delaney (RETIRED) gentoo-dev 2011-06-16 13:00:25 UTC
Tested FusionSound-1.1.1 with use=ffmpeg, failed.
The build log looks just like the one in fixed 367437, not filing again.
Comment 12 Thomas Kahle (RETIRED) gentoo-dev 2011-06-16 21:39:52 UTC
(In reply to comment #10)
> Now by rights ought try all use flags. For now, test phase fails.  I have added
> the already filed bug for test failure which already has a build log.  If you
> want mine, just say "the word". For now, use=test fails, 

Please always figure out if the failures are regressions over the current stable.  If not, then it's not a blocker, especially with security related stables.

> =media-libs/vo-amrwbenc-0.1.0 ~amd64
> >=media-libs/libvpx-0.9.6 ~amd64

Good, thanks for catching these too.

The list for now would be 

=media-video/ffmpeg-0.7_rc1
=virtual/ffmpeg-0.6.90
=media-libs/FusionSound-1.1.1-r1
=media-libs/vo-aacenc-0.1.1
=media-libs/vo-amrwbenc-0.1.0 
=media-libs/libvpx-0.9.6 

Any comments?
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2011-06-16 22:59:55 UTC
Stable for HPPA.
Comment 14 Agostino Sarubbo gentoo-dev 2011-06-17 15:36:34 UTC
(In reply to comment #12)
> =media-video/ffmpeg-0.7_rc1
> =virtual/ffmpeg-0.6.90
> =media-libs/FusionSound-1.1.1-r1
> =media-libs/vo-aacenc-0.1.1
> =media-libs/vo-amrwbenc-0.1.0 
> =media-libs/libvpx-0.9.6 

As per Thomas' list, ok on amd64.
Comment 15 Tobias Klausmann (RETIRED) gentoo-dev 2011-06-21 14:01:03 UTC
Stable on alpha.
Comment 16 Andreas Schürch gentoo-dev 2011-06-22 11:23:00 UTC
=media-libs/vo-amrwbenc-0.1.0 isn't keyworded on x86, but =media-libs/vo-amrwbenc-0.1.1 looks pretty good! ;-)

The only thing I encountered besides amrwbenc is that media-libs/libvpx's USE=sse2 should depend on USE=mmx, as it fails otherwise:

variance_sse2.c:(.text+0xe4f): undefined reference to `vp8_vp7_bilinear_filters_mmx'
variance_sse2.c:(.text+0xe7d): undefined reference to `vp8_filter_block2d_bil4x4_var_mmx'
vp8/encoder/x86/variance_sse2.c.o: In function `vp8_variance4x4_wmt':
variance_sse2.c:(.text+0xf8c): undefined reference to `vp8_get4x4var_mmx'
vp8/common/x86/subpixel_sse2.asm.o: In function `no symbol':
vp8/common/x86/subpixel_sse2.asm:(.text+0x76f): undefined reference to `vp8_bilinear_filters_mmx'
/usr/lib/gcc/i686-pc-linux-gnu/4.4.5/../../../../i686-pc-linux-gnu/bin/ld: vp8/common/x86/subpixel_sse2.asm.o: relocation R_386_GOTOFF against undefined symbol `vp8_bilinear_filters_mmx' can not be used when making a shared object
/usr/lib/gcc/i686-pc-linux-gnu/4.4.5/../../../../i686-pc-linux-gnu/bin/ld: final link failed: Bad value
collect2: ld returned 1 exit status
make[1]: *** [libvpx.so.0.9.6] Error 1
make: *** [.DEFAULT] Error 2
emake failed
Comment 17 Alexis Ballier gentoo-dev 2011-06-22 14:48:44 UTC
(In reply to comment #16)
> =media-libs/vo-amrwbenc-0.1.0 isn't keyworded on x86, but
> =media-libs/vo-amrwbenc-0.1.1 looks pretty good! ;-)
> 
> The only thing I encountered besides amrwbenc is that media-libs/libvpx's
> USE=sse2 should depend on USE=mmx, as it fails otherwise:

is eapi4 allowed in stable now?
Comment 18 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-22 14:59:14 UTC
(In reply to comment #17)
> is eapi4 allowed in stable now ?

Yes, an EAPI-4 capable portage was stabilized a few months ago in bug #358009
Comment 19 Alexis Ballier gentoo-dev 2011-06-22 15:22:23 UTC
(In reply to comment #18)
> (In reply to comment #17)
> > is eapi4 allowed in stable now ?
> 
> Yes, an EAPI-4 capable portage has been stabilized few months ago in bug
> #358009

thanks; then it should be fixed now
Comment 20 Ian Delaney (RETIRED) gentoo-dev 2011-06-22 18:49:51 UTC
Thomas;

(In reply to comment #9)
> Please always figure out if the failures are regressions over the current
> stable.  If not, then it's not a blocker, especially with security related
> stables.
> 
> > =media-libs/vo-amrwbenc-0.1.0 ~amd64
> > >=media-libs/libvpx-0.9.6 ~amd64
> 
> Any comments?

Thomas,

As I said, "The build log looks just like the one in fixed 367437"; that's the one filed by Markos.  Rather than a regression, it looks as if the bug supposedly fixed (367437) is still flawed.
Comment 21 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-23 14:45:33 UTC
x86 stable:

=media-libs/libvpx-0.9.6
=media-libs/vo-aacenc-0.1.1
=media-libs/vo-amrwbenc-0.1.1
=x11-libs/xvba-video-0.7.8
=x11-libs/libva-0.32.0_p2
=media-video/ffmpeg-0.7_rc1
=virtual/ffmpeg-0.6.90
=media-libs/FusionSound-1.1.1-r1
Comment 22 Brent Baude (RETIRED) gentoo-dev 2011-06-26 14:59:33 UTC
ok ppc should be good now
Comment 23 Christoph Mende (RETIRED) gentoo-dev 2011-06-29 14:58:03 UTC
amd64 stable
Comment 24 Mark Loeser (RETIRED) gentoo-dev 2011-07-06 21:11:02 UTC
ppc64 done.  Masked some USE flags so I didn't have to direct to stable anything.
Comment 25 Markus Meier gentoo-dev 2011-07-10 10:51:52 UTC
arm stable
Comment 26 Raúl Porcel (RETIRED) gentoo-dev 2011-07-10 17:35:32 UTC
ia64/sparc stable
Comment 27 Tim Sammut (RETIRED) gentoo-dev 2011-07-10 23:53:47 UTC
Thanks, everyone. GLSA request filed.
Comment 28 Alexis Ballier gentoo-dev 2013-08-14 21:13:38 UTC
nothing left to do for media-video@
Comment 29 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:11:10 UTC
This issue was resolved and addressed in GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml by GLSA coordinator Sean Amoss (ackle).