Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 378801 (CVE-2011-3362) - <media-video/ffmpeg-0.7.3: "decode_residual_block()" Signedness Error Vulnerability (CVE-2011-3362)
Summary: <media-video/ffmpeg-0.7.3: "decode_residual_block()" Signedness Error Vulnera...
Status: RESOLVED FIXED
Alias: CVE-2011-3362
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.ocert.org/advisories/ocer...
Whiteboard: B2 [glsa]
Keywords:
: 376921 379719 (view as bug list)
Depends on:
Blocks:
 
Reported: 2011-08-11 16:37 UTC by Agostino Sarubbo
Modified: 2013-10-25 19:11 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-08-11 16:37:55 UTC
More info at $URL

Libav is also affected, but haven't stable keyword atm.
Comment 1 Alexis Ballier gentoo-dev 2011-08-11 17:09:24 UTC
go for 0.7.3 that I just added
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-08-18 04:37:33 UTC
Arches, please test and mark stable:
=media-video/ffmpeg-0.7.3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-08-18 09:23:03 UTC
*** Bug 376921 has been marked as a duplicate of this bug. ***
Comment 4 Agostino Sarubbo gentoo-dev 2011-08-18 09:29:25 UTC
tested also: 
media-libs/x264-0.0.20110426

both ok on amd64
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2011-08-18 10:18:08 UTC
+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> x264-0.0.20110426.ebuild:
+  Marked stable on AMD64 as a dependency of media-video/ffmpeg based on arch
+  testing by Agostino "ago" Sarubbo in security bug #378801.

+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> ffmpeg-0.7.3.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in
+  security bug #378801.
Comment 6 Andrius Štikonas 2011-08-18 12:10:47 UTC
Since x264-0.0.20110426 is stabilized please don't forget to stabilize media-video/x264-encoder-0.0.20110426.
Comment 7 Tony Vroon (RETIRED) gentoo-dev 2011-08-18 12:20:32 UTC
(In reply to comment #6)
> Since x264-0.0.20110426 is stabilized please don't forget to stabilize
> media-video/x264-encoder-0.0.20110426.

The dependency tree does not require this. Keep in mind that this is a security stabling, which happens on the fast track and should be minimally invasive. Please file a separate bug.
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-08-18 16:06:53 UTC
ppc/ppc64 stable
Comment 9 Alexis Ballier gentoo-dev 2011-08-18 18:16:56 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > Since x264-0.0.20110426 is stabilized please don't forget to stabilize
> > media-video/x264-encoder-0.0.20110426.
> 
> The dependency tree does not require this. Keep in mind that this is a security
> stabling, which happens on the fast track and should be minimally invasive.
> Please file a separate bug.

it does require it because by not doing it you're making ffmpeg and x264-encoder uninstallable at the same time in the stable tree...
Comment 10 Agostino Sarubbo gentoo-dev 2011-08-19 13:42:30 UTC
@x86

Works for me with following USE. Not tried more combination, Just installed on
my laptop and works.

[ebuild   R   ~] media-video/ffmpeg-0.7.3  USE="3dnow 3dnowext X aac alsa bzip2 custom-cflags encode hardcoded-tables jpeg2k mmx mmxext mp3 pic ssse3 threads x264 zlib"
Comment 11 Thomas Kahle (RETIRED) gentoo-dev 2011-08-19 15:52:08 UTC
x86 stable. Thanks
Comment 12 Thomas Kahle (RETIRED) gentoo-dev 2011-08-19 15:53:30 UTC
(In reply to comment #9)
> it does require it because by not doing it you're making ffmpeg and
> x264-encoder uninstallable at the same time in the stable tree...

P.S. I did include the following packages

=media-video/ffmpeg-0.7.3
=media-libs/x264-0.0.20110426
=media-video/x264-encoder-0.0.20110426
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-08-19 16:28:06 UTC
Am I understanding correctly that these packages all need to be stabilized at the same time?

=media-video/ffmpeg-0.7.3
=media-libs/x264-0.0.20110426
=media-video/x264-encoder-0.0.20110426
Comment 14 Thomas Kahle (RETIRED) gentoo-dev 2011-08-19 16:40:26 UTC
(In reply to comment #13)
> Am I understanding correctly that these packages all need to be stabilized at
> the same time?
> 
> =media-video/ffmpeg-0.7.3
> =media-libs/x264-0.0.20110426
> =media-video/x264-encoder-0.0.20110426

=media-libs/x264-0.0.20110426 is a dependency of ffmpeg. 
The consequence of not stabilizing =media-video/x264-encoder-0.0.20110426 is that users installing it will probably have their package manager downgrade ffmpeg and x264 to the insecure versions.
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2011-08-19 17:00:02 UTC
(In reply to comment #14)
> =media-libs/x264-0.0.20110426 is a dependency of ffmpeg. 
> The consequence of not stabilizing =media-video/x264-encoder-0.0.20110426 is
> that users installing it will probably have their package manager downgrade
> ffmpeg and x264 to the insecure versions.

Ok, thanks, Thomas.

Arches, the complete list of targets is:

=media-video/ffmpeg-0.7.3
=media-libs/x264-0.0.20110426
=media-video/x264-encoder-0.0.20110426

Readding amd64, ppc and ppc64. Please also stabilize =media-video/x264-encoder-0.0.20110426. Thanks.
Comment 16 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-08-19 17:03:33 UTC
  19 Aug 2011; Kacper Kowalik <xarthisius@gentoo.org>
  x264-encoder-0.0.20110426.ebuild:
  ppc/ppc64 stable wrt #378801
Comment 17 Markos Chandras (RETIRED) gentoo-dev 2011-08-19 18:06:53 UTC
amd64 done
Comment 18 Andrius Štikonas 2011-08-19 18:37:38 UTC
*** Bug 379719 has been marked as a duplicate of this bug. ***
Comment 19 Jeroen Roovers (RETIRED) gentoo-dev 2011-08-21 16:33:47 UTC
Stable for HPPA.
Comment 20 Markus Meier gentoo-dev 2011-08-24 18:35:15 UTC
arm stable
Comment 21 Raúl Porcel (RETIRED) gentoo-dev 2011-08-27 18:43:17 UTC
alpha/ia64/sparc stable
Comment 22 Agostino Sarubbo gentoo-dev 2011-08-27 19:07:23 UTC
thanks all, adding glsa request.
Comment 23 Tim Sammut (RETIRED) gentoo-dev 2011-08-28 02:04:49 UTC
Thanks, everyone.

(In reply to comment #22)
> thanks all, adding glsa request.

Thanks a lot for helping with these bugs. Please let the security team change from [stable] to [glsa]. We have to add the GLSA request into another tool. Once you are officially part of the security team you will have access to that tool too. Thanks!

GLSA request added in GLSAmaker.
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:49:49 UTC
CVE-2011-3362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3362):
  Integer signedness error in the decode_residual_block function in cavsdec.c
  in libavcodec in FFmpeg before 0.7.3 and 0.8.x before 0.8.2, and libav
  through 0.7.1, allows remote attackers to cause a denial of service (memory
  corruption and application crash) or possibly execute arbitrary code via a
  crafted Chinese AVS video (aka CAVS) file.
Comment 25 Alexis Ballier gentoo-dev 2013-08-14 21:13:48 UTC
nothing left to do for media-video@
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:11:14 UTC
This issue was resolved and addressed in
 GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml
by GLSA coordinator Sean Amoss (ackle).