
Bug 411369

Summary: <media-video/ffmpeg-0.10.2 : Multiple vulnerabilities
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/48770/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 401069    

Description Agostino Sarubbo gentoo-dev 2012-04-09 18:06:15 UTC
From Secunia advisory at $URL:

Description
Multiple vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to compromise an application using the library.

1) A format string error exists within the "srt_to_ass()" function (libavcodec/srtdec.c) when parsing certain parameters.

2) An integer overflow error exists within the "dirac_unpack_block_motion_data()" function (libavcodec/diracdec.c) when handling certain motion data.

3) An integer overflow error exists within the "sws_init_context()" function (libswscale/utils.c) when decoding certain scale data.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are reported in versions prior to 0.10.1.


Solution
Update to version 0.10.1 or later.
Comment 1 Agostino Sarubbo gentoo-dev 2012-04-09 18:06:57 UTC
@aballier, is 0.10.2 ready to go to stable?
Comment 2 Alexis Ballier gentoo-dev 2012-04-09 18:31:48 UTC
(In reply to comment #1)
> @aballier, is 0.10.2 ready to go to stable?

I'd say yes, the API/ABI should be similar; however, to be on the safe side, a tinderbox run would be better.

You can revert http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/media-video/ffmpeg/ffmpeg-0.10.2.ebuild?r1=1.2&r2=1.3 if you wish, but then people may hit bug #405083.
Comment 3 Agostino Sarubbo gentoo-dev 2012-04-09 19:32:18 UTC
Arches, please test and mark stable:
=media-video/ffmpeg-0.10.2
Target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2012-04-10 08:14:19 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-04-10 14:12:04 UTC
(In reply to comment #3)
> Arches, please test and mark stable:
>
> =media-video/ffmpeg-0.10.2

How about virtual/ffmpeg-0.10.2?
Comment 6 Alexis Ballier gentoo-dev 2012-04-10 14:16:39 UTC
(In reply to comment #5)
> (In reply to comment #3)
> > Arches, please test and mark stable:
> >
> > =media-video/ffmpeg-0.10.2
> 
> How about virtual/ffmpeg-0.10.2?

Only when it'll be needed, otherwise updating world will force libav users to go back to ffmpeg.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2012-04-11 14:21:45 UTC
(In reply to comment #6)
> > How about virtual/ffmpeg-0.10.2?
> 
> only when it'll be needed, otherwise updating world will force libav users
> to go back to ffmpeg.

OK, removing amd64 again.

Stable for HPPA.
Comment 8 Andreas Schürch gentoo-dev 2012-04-12 12:23:12 UTC
Finally, x86 stable! Thanks all!!
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2012-04-15 18:18:38 UTC
alpha/arm/ia64/sparc stable
Comment 10 Mark Loeser (RETIRED) gentoo-dev 2012-05-13 19:21:51 UTC
ppc/ppc64 done
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2012-05-13 23:07:37 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 12 Alexis Ballier gentoo-dev 2013-08-14 21:16:20 UTC
Nothing left to do for media-video@
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:11:48 UTC
This issue was resolved and addressed in GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml by GLSA coordinator Sean Amoss (ackle).