Bug 339036 (CVE-2010-3429) - <media-video/ffmpeg-0.7_rc1: Arbitrary Offset Dereference (CVE-2010-3429)
Summary: <media-video/ffmpeg-0.7_rc1: Arbitrary Offset Dereference (CVE-2010-3429)
Status: RESOLVED FIXED
Alias: CVE-2010-3429
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.ocert.org/advisories/ocert...
Whiteboard: A2 [glsa]
Keywords:
Depends on: 347481
Blocks: 347625
Reported: 2010-09-28 14:53 UTC by Tim Sammut (RETIRED)
Modified: 2013-10-25 19:10 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
build.log (build-ffmpeg.log, 255.75 KB, text/plain), 2010-12-03 20:22 UTC, Christian Faulhammer (RETIRED)

Description Tim Sammut (RETIRED) gentoo-dev 2010-09-28 14:53:47 UTC
From $url:

The libavcodec library, an open source video encoding/decoding library part of
the FFmpeg project, suffers from an arbitrary offset dereference vulnerability.

The vulnerability affects the flic file format parser; insufficient
restrictions on a writable buffer can be exploited to execute arbitrary code
via the heap memory. A specific flic file can be crafted to trigger the
vulnerability.

The MPlayer multimedia player is also affected as it statically includes
libavcodec; the flic codec can be disabled in the codecs.conf configuration file in
order to work around the issue.

The upstream fix is at:

http://git.ffmpeg.org/?p=ffmpeg;a=commitdiff;h=16c592155f117ccd7b86006c45aacc692a81c23b
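The bug class the advisory describes, as an added illustration that is not FFmpeg's flicvideo.c, not the upstream fix and not part of the oCERT advisory: a constructed, simplified line-compression chunk decoder in which every line skip, column skip and run length comes straight from the file. With bounds_check set to 0 it reproduces the unchecked pattern (the write position is moved by attacker-controlled offsets with no comparison against the frame size, which is exactly the "insufficient restrictions on a writable buffer" the advisory names); with bounds_check set to 1 it refuses any read past the chunk or write past the frame before touching memory. The chunk layout, the 8x4 frame, the NEED/CHECK_PIXEL macro names and the SLACK bytes placed after the frame to stand in for a neighbouring heap object are all assumptions made for this example; the crafted chunk keeps its overwrite inside that slack so the demonstration stays within one allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed toy geometry: an 8x4 8-bpp frame (32 bytes) followed in memory by
 * SLACK bytes standing in for whatever heap object sits after the frame. */
#define W 8
#define H 4
#define FRAME_LEN (W * H)
#define SLACK 64

/*
 * Decode one simplified line-compression chunk into frame. Constructed
 * format, not the real FLIC wire format:
 *   u8 first_line, u8 line_count,
 *   per line:   u8 packet_count,
 *   per packet: u8 column_skip, s8 count,
 *               count > 0: count literal pixels follow,
 *               count < 0: one pixel follows, repeated -count times.
 * bounds_check == 0 reproduces the unchecked pattern: offsets and run lengths
 * from the file move the write position with no comparison against the frame.
 * bounds_check != 0 is the hardened form: reject the chunk before any read
 * past its end or any write past the frame. Returns 0 on success, -1 on reject.
 */
int decode_lc_chunk(const uint8_t *chunk, size_t chunk_len,
                    uint8_t *frame, size_t frame_len, int bounds_check)
{
    const uint8_t *p = chunk, *end = chunk + chunk_len;
    /* about to consume n input bytes: still inside the chunk? */
#define NEED(n) do { \
        if (bounds_check && (size_t)(end - p) < (size_t)(n)) return -1; \
    } while (0)
    /* about to write n pixels at offset off: still inside the frame? */
#define CHECK_PIXEL(off, n) do { \
        if (bounds_check && (off) + (size_t)(n) > frame_len) return -1; \
    } while (0)

    NEED(2);
    size_t y_off = (size_t)p[0] * W;          /* first_line: attacker-controlled */
    unsigned line_count = p[1];
    p += 2;

    for (unsigned l = 0; l < line_count; l++) {
        size_t pix = y_off;
        NEED(1);
        unsigned packets = *p++;
        for (unsigned k = 0; k < packets; k++) {
            NEED(2);
            pix += p[0];                       /* column_skip: attacker-controlled */
            int count = (int8_t)p[1];          /* run length: attacker-controlled */
            p += 2;
            if (count > 0) {
                NEED(count);
                CHECK_PIXEL(pix, count);
                memcpy(frame + pix, p, (size_t)count);
                p += count;
                pix += (size_t)count;
            } else if (count < 0) {
                count = -count;
                NEED(1);
                CHECK_PIXEL(pix, count);
                memset(frame + pix, *p++, (size_t)count);
                pix += (size_t)count;
            }
        }
        y_off += W;
    }
    return 0;
#undef NEED
#undef CHECK_PIXEL
}

/* Constructed inputs. benign: line 1, one packet, skip 2 columns, 3 literals
 * -> frame[10..12]. crafted: first_line 4 on a 4-line frame, so the write
 * position starts exactly one byte past the frame and the 4 literals land in
 * the neighbouring bytes. */
static const uint8_t benign_chunk[]  = { 1, 1, 1, 2, 3, 0x11, 0x22, 0x33 };
static const uint8_t crafted_chunk[] = { 4, 1, 1, 0, 4, 0xAA, 0xBB, 0xCC, 0xDD };

/* Decode into a fresh zeroed frame+neighbour buffer. Returns -1 if the decoder
 * rejected the chunk, otherwise the byte at offset off (0 <= off < FRAME_LEN+SLACK). */
int run_chunk(const uint8_t *chunk, size_t len, int bounds_check, size_t off)
{
    uint8_t *buf = calloc(FRAME_LEN + SLACK, 1);
    if (!buf) return -2;
    int rc = decode_lc_chunk(chunk, len, buf, FRAME_LEN, bounds_check);
    int result = rc < 0 ? rc : buf[off];
    free(buf);
    return result;
}

int main(void)
{
    printf("benign, checked:    frame[10]=0x%02x\n",
           run_chunk(benign_chunk, sizeof benign_chunk, 1, 10));
    printf("crafted, unchecked: neighbour[0]=0x%02x (overwritten past the frame)\n",
           run_chunk(crafted_chunk, sizeof crafted_chunk, 0, FRAME_LEN));
    printf("crafted, checked:   %d (chunk rejected before the write)\n",
           run_chunk(crafted_chunk, sizeof crafted_chunk, 1, FRAME_LEN));
    return 0;
}
```

Build with `cc -Wall` and run: the unchecked decode lands 0xAA..0xDD in the bytes after the frame, which on a real heap would be whatever object the allocator placed after the frame buffer, while the checked decode returns -1 with the frame and its neighbour untouched. The shape of the hardening is the point: compare the write offset plus the run length against the frame size before every memcpy/memset, and the read cursor against the chunk end before every fetch, rather than trusting any value taken from the file; the truncated-chunk case is rejected by the same NEED check.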
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-09-28 14:55:03 UTC
Arches, please test and mark stable:
=media-video/ffmpeg-0.6
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Already stabled : "alpha amd64 x86"
Missing keywords: "arm hppa ia64 ppc ppc64 sparc"
Comment 2 Alexis Ballier gentoo-dev 2010-09-28 22:18:16 UTC
O_o
where do you see it's fixed in 0.6?
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2010-09-28 22:44:17 UTC
(In reply to comment #2)
> O_o
> where do you see it's fixed in 0.6?
> 

My mistake, this is fixed in upstream's r25223. Reverting to [upstream/ebuild].

Thanks for the heads up, Alexis.
Comment 4 Alexis Ballier gentoo-dev 2010-10-09 13:44:40 UTC
should be fixed by the new snapshot;
Diego, could you please make a tinderbox run before we ask for stabilisation?
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-10-09 13:46:26 UTC
Yikes, give me the weekend for that I guess :)
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-11-10 10:29:20 UTC
I think now we have a full release from upstream, see http://www.ffmpeg.org/releases/ffmpeg-0.6.1.release
Comment 7 Alexis Ballier gentoo-dev 2010-11-10 12:13:40 UTC
(In reply to comment #6)
> I think now we have a full release from upstream, see
> http://www.ffmpeg.org/releases/ffmpeg-0.6.1.release
> 

you might want to compare this with the ChangeLog installed by the current ~arch ffmpeg. 0.6.1 is mainly 0.6 with a couple of bugfixes.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2010-11-22 04:18:05 UTC
The upstream changelog specifically lists this issue as fixed in 0.6.1.

"Bugfixes
--------

- fix autodetection of E-AC-3 substream samples
- performance fix for seekable HTTP
- add missing VP80 fourcc code for the VP8 codec
- small documentation fixes
- fix several potentially exploitable issues in the FLIC decoder
  (addresses CVE-2010-3429)"

This was fixed in r25223, and we have two snapshots in the tree that appear more recent.

@media-video, any reason we shouldn't stabilize =media-video/ffmpeg-0.6_p25423 to get this security fix? Thank you.
Comment 9 Alexis Ballier gentoo-dev 2010-12-03 13:51:22 UTC
(In reply to comment #8)
> 
> @media-video, any reason we shouldn't stabilize =media-video/ffmpeg-0.6_p25423
> to get this security fix? Thank you.
> 


(In reply to comment #4)
> should be fixed by the new snapshot;
> Diego, could you please make a tinderbox run before we ask for stabilisation ?
> 

This was supposed to be read: it is ok for me as long as it is working fine for everyone... Now the new snapshot, 0.6_p25767, comes with its improvements and is the one that should be stabilised.
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2010-12-03 20:22:33 UTC
Created attachment 256268: build.log

I get a build failure with USE=pic

Portage 2.1.9.24 (default/linux/x86/10.0/desktop, gcc-4.4.4, glibc-2.11.2-r3, 2.6.36-gentoo-r3 i686)
=================================================================
System uname: Linux-2.6.36-gentoo-r3-i686-AMD_Athlon-tm-_X2_Dual_Core_Processor_BE-2400-with-gentoo-1.12.14
Timestamp of tree: Fri, 03 Dec 2010 10:30:01 +0000
distcc 3.1 i686-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash:     4.1_p7
dev-java/java-config: 2.1.11-r1
dev-lang/python:     2.6.5-r3, 3.1.2-r4
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.14-r1
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.4_p6-r1, 1.5-r1, 1.6.3-r1, 1.7.9-r2, 1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.3.4, 4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe -msse3"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /opt/openjms/config /usr/lib/fax /usr/share/X11/xkb /usr/share/config /usr/share/openvpn/easy-rsa /var/bind /var/lib/hsqldb /var/spool/fax/etc /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/games/angband/edit/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=athlon-xp -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs ccache distlocks fixlafiles fixpackages metadata-transfer news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
LINGUAS="de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac aiglx alsa applet artworkextra asf astribank audiofile bash-completion berkdb bidi bluetooth bogofilter bootsplash branding bzip2 cairo ccache cdda cddb cdparanoia cdr cli compat console consolekit cracklib crypt css cups curl custom-cflags cxx dbus deskbar dga directfb divx4linux dri dts dvd dvdr dvdread dvi emacs emboss encode evince exif extensions fam fat fbcon fbcondecor fdftk ffmpeg fontconfig foomaticdb fortran ftp gb gcj gdbm gif glitz gphoto2 gpm gsf gtk gtk2 gtkhtml hal howl iconv icq idn imagemagick imlib ipv6 java javascript jpeg jpeg2k kde kpathsea libnotify libotf lm_sensors mad matroska melt mikmod mime mjpeg mmx mmxext mng modules mp3 mp4 mpeg mpeg2 mudflap mule mysql ncurses networking nforce2 nls noaudio nocardbus novideo nowebdav nptl nptlonly nss nvidia objc objc++ objc-gc ocamlopt offensive ogg opengl openmp pam pango passwordsave pcre pdf perl plotutils pmu png policykit ppds pppd prediction preview-latex print publishers python qt-static qt3support qt4 readline reports run-as-root samba sdk sdl secure-delete semantic-desktop session slang smp spell sse ssl startup-notification static-analyzer svg svga sysfs t1lib tcpd theora threads thumbnailing tiff tk toolkit-scroll-bars totem truetype truetype-fonts type1-fonts udev unicode usb userlocales vcd videos vorbis win32codecs wmf wxwindows x264 x86 xcb xface xft xml xorg xosd xpm xulrunner xv xvid zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" LIRC_DEVICES="atiusb" PHP_TARGETS="php5-2" RUBY_TARGETS="jruby ruby18 ree18" USERLAND="GNU" VIDEO_CARDS="radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:18:49 UTC
CVE-2010-3429 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3429):
  flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlayer and
  other products, allows remote attackers to execute arbitrary code via a
  crafted flic file, related to an "arbitrary offset dereference
  vulnerability."
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-07-10 23:57:27 UTC
Fixed software stabilized in bug 365273. Added to existing GLSA request.
Comment 13 Alexis Ballier gentoo-dev 2013-08-14 21:12:41 UTC
nothing left to do for media-video@
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:10:57 UTC
This issue was resolved and addressed in
 GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml
by GLSA coordinator Sean Amoss (ackle).