115760 2005-12-16 04:56 0000 media-video/mplayer,xmovie : flaw in included ffmpeg (CVE-2005-4048) 2006-03-04 10:09:08 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://article.gmane.org/gmane.comp.video.ffmpeg.devel/26558 A2 [glsa] P2 major --- 115849 1 koon@gentoo.org security@gentoo.org joem@gentoo.org media-video@gentoo.org s.kilvington@eris.qinetiq.com koon@gentoo.org 2005-12-16 04:56:26 0000 Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. The vulnerability is caused due to a boundary error in the "avcodec_default_get_buffer()" function of "utils.c" in libavcodec. This can be exploited to cause a heap-based buffer overflow when a specially-crafted 1x1 ".png" file containing a palette is read. Xine-lib, xmovie, mplayer, gstreamer-ffmpeg might be built with a private copy of ffmpeg containing this same code. We should doublecheck them. koon@gentoo.org 2005-12-16 04:57:19 0000 media-video herd, this one is for you :/ flameeyes@gentoo.org 2005-12-16 05:04:20 0000 ouch, that's going to be a problem. Luca, ffmpeg is your stuff, what you suggest to do? xine-lib is going to hurt... a lot.. because of the usual keywording problems.. lu_zero@gentoo.org 2005-12-16 05:24:30 0000 I guess that yet another snapshot is feasible even if ffmpeg is going to get a release soon lu_zero@gentoo.org 2005-12-16 05:31:52 0000 Created an attachment (id=74873) patch proposed to upstream Just adding some stuff to keep everything in one place hanno@gentoo.org 2005-12-16 05:37:49 0000 Add vlc, mythtv, probably some others, too. ffmpeg-code is widely used and most times bundled. lu_zero@gentoo.org 2005-12-16 05:40:56 0000 Created an attachment (id=74874) upstream fix That is the upstream fix. A new ffmpeg snapshot will be on route soon, for xine I'd either force external ffmpeg or bump to latest, considerations about killing xv on platform in which it couldn't be tested, thus preventing the bump, are the usual. flameeyes@gentoo.org 2005-12-16 05:42:00 0000 I'm actually not sure if xine-lib is vulnerable, as it does not use ffmpeg for png decoding but libpng instead. flameeyes@gentoo.org 2005-12-16 05:43:44 0000 vlc is safe, it uses external ffmpeg (as I'd like to do with xine-lib, too, but sigh it's difficult). flameeyes@gentoo.org 2005-12-16 06:02:08 0000 Get back what I said about xine-lib, as the problems seems not to be only with png. The patch applies fine on xine-lib 1.1.1 sources, so my plan for it would be: xine-lib-1.1.1-r2 that's copied from 1.1.1-r0 (no ffmpeg useflag so no dep on external ffmpeg) to be marked stable on all arches but mips (the problem that prevented 1.1.0-r6 to go stable on x86 is fixed in 1.1.1 series) xine-lib-1.1.1-r3 that's copied from 1.1.1-r1 (ffmpeg useflag for external ffmpeg) to remain ~arch for the arches that have 1.1.1-r1 in ~, and that should be tested by the other arches the old 1.0.x and 1.1.0-rX series would go away, a part mips and ~mips versions that would remain until mips is sorted out (I'd propose to remove the keywords and make sure that the tree is not broken by that, after use.masking xine on mips, as they have no way to do a constant maintenance on it). lu_zero@gentoo.org 2005-12-16 07:35:33 0000 New ffmpeg snapshot uploaded, will require some revdep-rebuild probably, please test it. flameeyes@gentoo.org 2005-12-16 12:22:31 0000 newer ffmpeg snapshot broke badly on xine-lib, I've committed -r2 and -r3 for it, and masked ffmpeg for testing. flameeyes@gentoo.org 2005-12-17 05:05:10 0000 Okay, xine-lib ebuilds are in place, ffmpeg is now unmasked, as lu_zero fixed it, vlc as I said uses the external copy linked dynamically so it has nothing to be fixed into. CCing gstreamer herd as media-video does not maintain gstreamer-ffmpeg and Cardoe for MythTV. flameeyes@gentoo.org 2005-12-17 05:10:58 0000 *** Bug 113160 has been marked as a duplicate of this bug. *** koon@gentoo.org 2005-12-17 05:31:43 0000 Good work ! Splitting the bug into xine-lib+ffmpeg / the others so that we can already call for stable on the ready-ones... Are our mplayer and xmovie vulnerable ? koon@gentoo.org 2005-12-17 05:36:58 0000 See stable marking for ffmpeg and xine-lib on bug 115849. koon@gentoo.org 2005-12-17 05:52:25 0000 Putting back ffmpeg in this bug as it will probably need a backport so as not to break existing stable software requiring it (vlc?). koon@gentoo.org 2005-12-20 03:01:21 0000 video herd: what's your position on the packages left (the ones under your herd, not the externally-maintained ones) ? Should we call for testing on ffmpeg ? What about the others (mplayer...) ? lu_zero@gentoo.org 2005-12-20 06:35:18 0000 I should apply the fix to mplayer since a newer release won't happen before the 25th ffmpeg should be ok anyway koon@gentoo.org 2005-12-20 08:10:26 0000 OK splitting the bug for ffmpeg testing. koon@gentoo.org 2005-12-20 08:18:47 0000 See ffmpeg stable testing on bug 116181 koon@gentoo.org 2005-12-23 02:44:13 0000 Luca: let me know about progress on mplayer. koon@gentoo.org 2005-12-30 04:58:42 0000 Any ETA for the mplayer snapshot ? I need to know if we should send the xine-lib GLSA now or wait a little. dercorny@gentoo.org 2006-01-02 13:16:06 0000 any news here? flameeyes@gentoo.org 2006-01-13 06:15:43 0000 I've masked xmovie for now, until someone else is going to fix it. I'm sorry but unless it's a threat on my life, I'd rather stay as far as possible from heroines packages. koon@gentoo.org 2006-01-18 06:21:14 0000 Cardoe: only the masked 0.19_pre8554 contains the fix, should you : 1- unmask that version so that we call for stable testing on it 2- patch the current stable with the ffmpeg fix and call that the new stable candidate Note: lu_zero still wanted for mplayer fix and someone from gstreamer for the last package. Come on, we're getting very late on this one. lu_zero@gentoo.org 2006-01-18 07:51:59 0000 mplayer has a snapshot ebuild with the fix available. I will update it soon, please start testing it. joem@gentoo.org 2006-01-18 12:48:29 0000 Not sure if zaheerm has much free time, so I patched gst-plugins-ffmpeg. The patched ebuilds are 0.8.7-r1 and 0.10.0-r1 koon@gentoo.org 2006-01-19 01:05:44 0000 gst-plugins-ffmpeg stable marking splitted to bug 119512 koon@gentoo.org 2006-02-09 10:54:40 0000 lu_zero: What's the ETA for mplayer-1.0.20060102 unmasking ? If not possible, we need a backport to current stable. cardoe: we need a decision on comment #25 lu_zero@gentoo.org 2006-02-12 08:07:27 0000 Give me a week to update the snapshot and make arches mark it koon@gentoo.org 2006-02-12 09:45:32 0000 Luca: sounds good. You may want to combine the fix for bug 122029 with this. cardoe@gentoo.org 2006-02-16 07:38:46 0000 New MythTV is already in the tree and it's got this fixed in it. koon@gentoo.org 2006-02-16 11:17:11 0000 mythtv stable marking handled on bug 123066 lu_zero@gentoo.org 2006-02-17 06:54:30 0000 updated snapshot available, there are 2 new deps that could be tested and marked for alpha hppa and ia64: musepack and openal. Please test it, I'll update/fix it if there are problems. koon@gentoo.org 2006-02-17 13:38:47 0000 arches please test latest mplayer snapshot and report success/failure... and mark stable if stable gustavoz@gentoo.org 2006-02-20 14:51:10 0000 mplayer-1.0.20060217 sparc stable, seems to work at least as well as the previous stable (if not better). However i've seen a kinky issue with the sound being b0rked playing some videos when using the old config - went away when nuking the old config dir. tsunam@gentoo.org 2006-02-22 00:06:52 0000 Stable on x86 (X.X) herbs@gentoo.org 2006-02-22 04:15:29 0000 Stable on amd64. corsair@gentoo.org 2006-02-22 04:43:02 0000 stable on ppc64 dertobi123@gentoo.org 2006-02-22 11:37:49 0000 ppc stable kloeri@gentoo.org 2006-02-26 06:31:56 0000 Stable on alpha. killerfox@gentoo.org 2006-03-03 09:49:03 0000 Sorry guys for the delay. I did oversee this bug. hppa stable now. koon@gentoo.org 2006-03-03 10:11:11 0000 Ready for GLSA koon@gentoo.org 2006-03-04 10:09:08 0000 GLSA 200603-03 74873 2005-12-16 05:31 0000 patch proposed to upstream ffmpeg-0.4.9_p20050906-pal8.patch text/plain LS0tIGxpYmF2Y29kZWMvdXRpbHMuYy5vcmlnCTIwMDUtMTEtMTcgMTU6MTM6NTcuMDAwMDAwMDAw ICswMDAwCisrKyBsaWJhdmNvZGVjL3V0aWxzLmMJMjAwNS0xMS0xNyAxNToxNDo1MS4wMDAwMDAw MDAgKzAwMDAKQEAgLTMyNSw2ICszMjUsMTUgQEAKICAgICAgICAgICAgIGNvbnN0IGludCBoX3No aWZ0PSBpPT0wID8gMCA6IGhfY2hyb21hX3NoaWZ0OwogICAgICAgICAgICAgY29uc3QgaW50IHZf c2hpZnQ9IGk9PTAgPyAwIDogdl9jaHJvbWFfc2hpZnQ7CiAKKwkgICAgaWYocy0+cGl4X2ZtdCA9 PSBQSVhfRk1UX1BBTDggJiYgaSA9PSAxKQorCSAgICB7CisJICAgICAgICBidWYtPmJhc2VbaV0g PSBhdl9tYWxsb2MoMjU2ICogNCk7CisJICAgICAgICBpZihidWYtPmJhc2VbaV0gPT0gTlVMTCkK KwkgICAgICAgICAgICByZXR1cm4gLTE7CisJICAgICAgICBidWYtPmRhdGFbaV0gPSBidWYtPmJh c2VbaV07CisJICAgICAgICBjb250aW51ZTsKKwkgICAgfQorCiAgICAgICAgICAgICAvL0ZJWE1F IG5leHQgZW5zdXJlcyB0aGF0IGxpbmVzaXplPSAyXnggdXZsaW5lc2l6ZSwgdGhhdHMgbmVlZGVk IGJlY2F1c2Ugc29tZSBNQyBjb2RlIGFzc3VtZXMgaXQKICAgICAgICAgICAgIGJ1Zi0+bGluZXNp emVbaV09IEFMSUdOKHBpeGVsX3NpemUqdz4+aF9zaGlmdCwgU1RSSURFX0FMSUdOPDwoaF9jaHJv bWFfc2hpZnQtaF9zaGlmdCkpOyAKIAo= 74874 2005-12-16 05:40 0000 upstream fix ffmpeg-png-onepixel.patch text/plain SW5kZXg6IGxpYmF2Y29kZWMvdXRpbHMuYwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09ClJDUyBmaWxlOiAvY3Zzcm9vdC9m Zm1wZWcvZmZtcGVnL2xpYmF2Y29kZWMvdXRpbHMuYyx2CnJldHJpZXZpbmcgcmV2aXNpb24gMS4x NjEKcmV0cmlldmluZyByZXZpc2lvbiAxLjE2MgpkaWZmIC11IC1yMS4xNjEgLXIxLjE2MgotLS0g bGliYXZjb2RlYy91dGlscy5jCTIgTm92IDIwMDUgMDk6MTg6MzIgLTAwMDAJMS4xNjEKKysrIGxp YmF2Y29kZWMvdXRpbHMuYwkyIERlYyAyMDA1IDAwOjEyOjM3IC0wMDAwCTEuMTYyCkBAIC0yOTIs MjcgKzI5MiwxMCBAQAogICAgICAgICBidWYtPmxhc3RfcGljX251bT0gKnBpY3R1cmVfbnVtYmVy OwogICAgIH1lbHNlewogICAgICAgICBpbnQgaF9jaHJvbWFfc2hpZnQsIHZfY2hyb21hX3NoaWZ0 OwotICAgICAgICBpbnQgcGl4ZWxfc2l6ZTsKLSAgICAgICAgCisgICAgICAgIGludCBwaXhlbF9z aXplLCBzaXplWzNdOworICAgICAgICBBVlBpY3R1cmUgcGljdHVyZTsKKwogICAgICAgICBhdmNv ZGVjX2dldF9jaHJvbWFfc3ViX3NhbXBsZShzLT5waXhfZm10LCAmaF9jaHJvbWFfc2hpZnQsICZ2 X2Nocm9tYV9zaGlmdCk7Ci0gICAgICAgIAotICAgICAgICBzd2l0Y2gocy0+cGl4X2ZtdCl7Ci0g ICAgICAgIGNhc2UgUElYX0ZNVF9SR0I1NTU6Ci0gICAgICAgIGNhc2UgUElYX0ZNVF9SR0I1NjU6 Ci0gICAgICAgIGNhc2UgUElYX0ZNVF9ZVVY0MjI6Ci0gICAgICAgIGNhc2UgUElYX0ZNVF9VWVZZ NDIyOgotICAgICAgICAgICAgcGl4ZWxfc2l6ZT0yOwotICAgICAgICAgICAgYnJlYWs7Ci0gICAg ICAgIGNhc2UgUElYX0ZNVF9SR0IyNDoKLSAgICAgICAgY2FzZSBQSVhfRk1UX0JHUjI0OgotICAg ICAgICAgICAgcGl4ZWxfc2l6ZT0zOwotICAgICAgICAgICAgYnJlYWs7Ci0gICAgICAgIGNhc2Ug UElYX0ZNVF9SR0JBMzI6Ci0gICAgICAgICAgICBwaXhlbF9zaXplPTQ7Ci0gICAgICAgICAgICBi cmVhazsKLSAgICAgICAgZGVmYXVsdDoKLSAgICAgICAgICAgIHBpeGVsX3NpemU9MTsKLSAgICAg ICAgfQogCiAgICAgICAgIGF2Y29kZWNfYWxpZ25fZGltZW5zaW9ucyhzLCAmdywgJmgpOwogICAg ICAgICAgICAgCkBAIC0zMjAsMjEgKzMwMywzOSBAQAogICAgICAgICAgICAgdys9IEVER0VfV0lE VEgqMjsKICAgICAgICAgICAgIGgrPSBFREdFX1dJRFRIKjI7CiAgICAgICAgIH0KLSAgICAgICAg CisgICAgICAgIGF2cGljdHVyZV9maWxsKCZwaWN0dXJlLCBOVUxMLCBzLT5waXhfZm10LCB3LCBo KTsKKyAgICAgICAgcGl4ZWxfc2l6ZT0gcGljdHVyZS5saW5lc2l6ZVswXSo4IC8gdzsKKy8vYXZf bG9nKE5VTEwsIEFWX0xPR19FUlJPUiwgIiVkICVkICVkICVkXG4iLCAoaW50KXBpY3R1cmUuZGF0 YVsxXSwgdywgaCwgcy0+cGl4X2ZtdCk7CisgICAgICAgIGFzc2VydChwaXhlbF9zaXplPj0xKTsK KyAgICAgICAgICAgIC8vRklYTUUgbmV4dCBlbnN1cmVzIHRoYXQgbGluZXNpemU9IDJeeCB1dmxp bmVzaXplLCB0aGF0cyBuZWVkZWQgYmVjYXVzZSBzb21lIE1DIGNvZGUgYXNzdW1lcyBpdAorICAg ICAgICBpZihwaXhlbF9zaXplID09IDMqOCkKKyAgICAgICAgICAgIHc9IEFMSUdOKHcsIFNUUklE RV9BTElHTjw8aF9jaHJvbWFfc2hpZnQpOworICAgICAgICBlbHNlCisgICAgICAgICAgICB3PSBB TElHTihwaXhlbF9zaXplKncsIFNUUklERV9BTElHTjw8KGhfY2hyb21hX3NoaWZ0KzMpKSAvIHBp eGVsX3NpemU7CisgICAgICAgIHNpemVbMV0gPSBhdnBpY3R1cmVfZmlsbCgmcGljdHVyZSwgTlVM TCwgcy0+cGl4X2ZtdCwgdywgaCk7CisgICAgICAgIHNpemVbMF0gPSBwaWN0dXJlLmxpbmVzaXpl WzBdICogaDsKKyAgICAgICAgc2l6ZVsxXSAtPSBzaXplWzBdOworICAgICAgICBpZihwaWN0dXJl LmRhdGFbMl0pCisgICAgICAgICAgICBzaXplWzFdPSBzaXplWzJdPSBzaXplWzFdLzI7CisgICAg ICAgIGVsc2UKKyAgICAgICAgICAgIHNpemVbMl09IDA7CisKICAgICAgICAgYnVmLT5sYXN0X3Bp Y19udW09IC0yNTYqMjU2KjI1Nio2NDsKKyAgICAgICAgbWVtc2V0KGJ1Zi0+YmFzZSwgMCwgc2l6 ZW9mKGJ1Zi0+YmFzZSkpOworICAgICAgICBtZW1zZXQoYnVmLT5kYXRhLCAwLCBzaXplb2YoYnVm LT5kYXRhKSk7CiAKLSAgICAgICAgZm9yKGk9MDsgaTwzOyBpKyspeworICAgICAgICBmb3IoaT0w OyBpPDMgJiYgc2l6ZVtpXTsgaSsrKXsKICAgICAgICAgICAgIGNvbnN0IGludCBoX3NoaWZ0PSBp PT0wID8gMCA6IGhfY2hyb21hX3NoaWZ0OwogICAgICAgICAgICAgY29uc3QgaW50IHZfc2hpZnQ9 IGk9PTAgPyAwIDogdl9jaHJvbWFfc2hpZnQ7CiAKLSAgICAgICAgICAgIC8vRklYTUUgbmV4dCBl bnN1cmVzIHRoYXQgbGluZXNpemU9IDJeeCB1dmxpbmVzaXplLCB0aGF0cyBuZWVkZWQgYmVjYXVz ZSBzb21lIE1DIGNvZGUgYXNzdW1lcyBpdAotICAgICAgICAgICAgYnVmLT5saW5lc2l6ZVtpXT0g QUxJR04ocGl4ZWxfc2l6ZSp3Pj5oX3NoaWZ0LCBTVFJJREVfQUxJR048PChoX2Nocm9tYV9zaGlm dC1oX3NoaWZ0KSk7IAorICAgICAgICAgICAgYnVmLT5saW5lc2l6ZVtpXT0gcGljdHVyZS5saW5l c2l6ZVtpXTsKIAotICAgICAgICAgICAgYnVmLT5iYXNlW2ldPSBhdl9tYWxsb2MoKGJ1Zi0+bGlu ZXNpemVbaV0qaD4+dl9zaGlmdCkrMTYpOyAvL0ZJWE1FIDE2CisgICAgICAgICAgICBidWYtPmJh c2VbaV09IGF2X21hbGxvYyhzaXplW2ldKzE2KTsgLy9GSVhNRSAxNgogICAgICAgICAgICAgaWYo YnVmLT5iYXNlW2ldPT1OVUxMKSByZXR1cm4gLTE7Ci0gICAgICAgICAgICBtZW1zZXQoYnVmLT5i YXNlW2ldLCAxMjgsIGJ1Zi0+bGluZXNpemVbaV0qaD4+dl9zaGlmdCk7Ci0gICAgICAgIAotICAg ICAgICAgICAgaWYocy0+ZmxhZ3MmQ09ERUNfRkxBR19FTVVfRURHRSkKKyAgICAgICAgICAgIG1l bXNldChidWYtPmJhc2VbaV0sIDEyOCwgc2l6ZVtpXSk7CisKKyAgICAgICAgICAgIC8vIG5vIGVk Z2UgaWYgRURFRyBFTVUgb3Igbm90IHBsYW5hciBZVVYsIHdlIGNoZWNrIGZvciBQQUw4IHJlZHVu ZGFudGx5IHRvIHByb3RlY3QgYWdhaW5zdCBhIGV4cGxvaXRhYmxlIGJ1ZyByZWdyZXNzaW9uIC4u LgorICAgICAgICAgICAgaWYoKHMtPmZsYWdzJkNPREVDX0ZMQUdfRU1VX0VER0UpIHx8IChzLT5w aXhfZm10ID09IFBJWF9GTVRfUEFMOCkgfHwgIXNpemVbMl0pIAogICAgICAgICAgICAgICAgIGJ1 Zi0+ZGF0YVtpXSA9IGJ1Zi0+YmFzZVtpXTsKICAgICAgICAgICAgIGVsc2UKICAgICAgICAgICAg ICAgICBidWYtPmRhdGFbaV0gPSBidWYtPmJhc2VbaV0gKyBBTElHTigoYnVmLT5saW5lc2l6ZVtp XSpFREdFX1dJRFRIPj52X3NoaWZ0KSArIChFREdFX1dJRFRIPj5oX3NoaWZ0KSwgU1RSSURFX0FM SUdOKTsK