Bug 608868 - <media-video/ffmpeg-3.2.4: multiple vulnerabilities (CVE-2017-{5024,5025})
Summary: <media-video/ffmpeg-3.2.4: multiple vulnerabilities (CVE-2017-{5024,5025})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa cve]
Keywords:
Duplicates: 603984
Depends on: 508226 574786 610546 CVE-2017-11399
Blocks: ffmpeg-3 575538 CVE-2016-10198, CVE-2016-10199, CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807, CVE-2016-9808, CVE-2016-9809, CVE-2016-9810, CVE-2016-9811, CVE-2016-9812, CVE-2016-9813, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5846, CVE-2017-5847, CVE-2017-5848 610810 624180
Reported: 2017-02-10 14:03 UTC by Alexis Ballier
Modified: 2018-07-27 21:21 UTC
CC: 9 users

See Also:
Package list:
=media-video/ffmpeg-3.2.4
=media-libs/chromaprint-1.4.2
=media-libs/kvazaar-1.0.0
=media-video/nvidia_video_sdk-6.0.1 amd64 x86
=media-libs/libilbc-2.0.2
=media-libs/zimg-2.5
=media-libs/rubberband-1.8.1-r1
=media-libs/libsdl2-2.0.4
=media-libs/openh264-1.5.0
=media-libs/libebur128-1.2.0-r1
=media-libs/vamp-plugin-sdk-2.6-r1
=media-libs/raspberrypi-userland-0_pre20160424 arm
=media-libs/ladspa-sdk-1.13-r2
Runtime testing required: ---
stable-bot: sanity-check+


Description Alexis Ballier gentoo-dev 2017-02-10 14:03:14 UTC
Per leio's request, needed for new gst-libav.
Comment 1 Alexis Ballier gentoo-dev 2017-02-10 14:04:09 UTC
@games team: I've put =media-libs/libsdl2-2.0.4 in the list for arches not having it stable yet. Feel free to bump that to 2.0.5 if you prefer.
Comment 2 Alexis Ballier gentoo-dev 2017-02-10 14:05:13 UTC
@Ian: I've put =media-libs/openh264-1.4.0-r1 in the list for arches not having it stable yet. Feel free to bump that to 1.5.0 if you prefer.
Comment 3 Alexis Ballier gentoo-dev 2017-02-10 14:06:18 UTC
@Amy: I've put =media-libs/libebur128-1.2.0-r1 in the list; please ack/nack;
Comment 4 James Le Cuirot gentoo-dev 2017-02-10 14:08:24 UTC
(In reply to Alexis Ballier from comment #1)
> @games team: I've put =media-libs/libsdl2-2.0.4 in the list for arches not
> having it stable yet. Feel free to bump that to 2.0.5 if you prefer.

2.0.5 is blocked by ppc64 suffering from bug #608314. There's a keyword request sparc in bug #508226.
Comment 5 Alexis Ballier gentoo-dev 2017-02-10 14:17:37 UTC
(In reply to James Le Cuirot from comment #4)
> (In reply to Alexis Ballier from comment #1)
> > @games team: I've put =media-libs/libsdl2-2.0.4 in the list for arches not
> > having it stable yet. Feel free to bump that to 2.0.5 if you prefer.
> 
> 2.0.5 is blocked by ppc64 suffering from bug #608314. There's a keyword
> request sparc in bug #508226.

Okay, thanks. So let's keep 2.0.4 then.
Feel free to un-cc yourself if you want to avoid the emails.
Comment 6 Stabilization helper bot gentoo-dev 2017-02-10 15:05:54 UTC
An automated check of this bug failed - repoman reported dependency errors (161 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/openh264/openh264-1.4.0-r1.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-lang/nasm']
> dependency.bad media-libs/openh264/openh264-1.4.0-r1.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-lang/nasm']
> dependency.bad media-libs/openh264/openh264-1.4.0-r1.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['dev-lang/nasm']
Comment 7 Alexis Ballier gentoo-dev 2017-02-10 15:25:46 UTC
(In reply to Alexis Ballier from comment #2)
> @Ian: I've put =media-libs/openh264-1.4.0-r1 in the list for arches not
> having it stable yet. Feel free to bump that to 1.5.0 if you prefer.

We need 1.5.0 for non-x86 arches.
Comment 8 Stabilization helper bot gentoo-dev 2017-02-10 16:04:51 UTC
An automated check of this bug failed - repoman reported dependency errors (83 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
Comment 9 Alexis Ballier gentoo-dev 2017-02-10 16:19:26 UTC
Seems there is a bug with the stable bot. =media-libs/libebur128-1.2.0-r1 is in the list...
Comment 10 Amy Liffey gentoo-dev 2017-02-10 17:22:14 UTC
(In reply to Alexis Ballier from comment #9)
> Seems there is a bug with the stable bot. =media-libs/libebur128-1.2.0-r1 is
> in the list...

But it is not keyworded for alpha.
Comment 11 Alexis Ballier gentoo-dev 2017-02-10 17:23:39 UTC
(In reply to Amy Liffey from comment #10)
> (In reply to Alexis Ballier from comment #9)
> > Seems there is a bug with the stable bot. =media-libs/libebur128-1.2.0-r1 is
> > in the list...
> 
> But it is not keyworded for alpha.

keywordreq is bug #574786
Comment 12 Amy Liffey gentoo-dev 2017-02-10 17:32:24 UTC
*** Bug 603984 has been marked as a duplicate of this bug. ***
Comment 13 Stabilization helper bot gentoo-dev 2017-02-11 08:32:06 UTC
An automated check of this bug failed - repoman reported dependency errors (27 lines truncated): 

> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-libs/vamp-plugin-sdk[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/ladspa-sdk']
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-libs/vamp-plugin-sdk[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/ladspa-sdk']
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['media-libs/vamp-plugin-sdk[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/ladspa-sdk']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-libs/raspberrypi-userland']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-libs/raspberrypi-userland']
Comment 14 Alexis Ballier gentoo-dev 2017-02-11 10:56:25 UTC
Maintainer: chithanh@gentoo.org (Chí-Thanh Christopher Nguyễn)
Maintainer: tupone@gentoo.org (Tupone Alfredo)

=media-libs/raspberrypi-userland-0_pre20160424 arm

Please ack/nack
Comment 15 Stabilization helper bot gentoo-dev 2017-02-11 11:05:10 UTC
An automated check of this bug failed - repoman reported dependency errors (13 lines truncated): 

> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-libs/ladspa-sdk']
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-libs/ladspa-sdk']
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['media-libs/ladspa-sdk']
Comment 16 Alexis Ballier gentoo-dev 2017-02-11 15:52:46 UTC
3.2.4
Fixes following vulnerabilities:

CVE-2017-5024, ed2572b9c8f885e2a4764d2e34604442a71899a1 / 2d453188c2303da641dafb048dc1806790526dfd
CVE-2017-5025, cf8e004a51b08c6e8ceaeebca85ab84c7ed0b4cf / fd30e4d57fe5841385f845440688505b88c0f4a9

Note: 2.8.11 also fixes them but we're going for 3.2 stable, so...
Comment 17 Tupone Alfredo gentoo-dev 2017-02-12 14:39:33 UTC
(In reply to Alexis Ballier from comment #14)
> Maintainer:  chithanh@gentoo.org (Chí-Thanh Christopher Nguyễn)
> Maintainer:  tupone@gentoo.org (Tupone Alfredo)
> 
> =media-libs/raspberrypi-userland-0_pre20160424 arm
> 
> 
> Please ack/nack

I tested media-tv/kodi with media-libs/ffmpeg-3.2.4 and media-libs/raspberrypi-userland-9999 (not 0_pre20160424, which is not on my system), and it seems to work. Though I don't know if the videos I played are decoded by ffmpeg.
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-13 02:02:52 UTC
(In reply to Alexis Ballier from comment #16)
> 3.2.4
> Fixes following vulnerabilities:
> 
> CVE-2017-5024, ed2572b9c8f885e2a4764d2e34604442a71899a1 /
> 2d453188c2303da641dafb048dc1806790526dfd
> CVE-2017-5025, cf8e004a51b08c6e8ceaeebca85ab84c7ed0b4cf /
> fd30e4d57fe5841385f845440688505b88c0f4a9
> 
> 
> 
> Note: 2.8.11 also fixes them but we're going for 3.2 stable, so...

Assigning bug to security to allow arches proper prioritizing...
Comment 19 Mart Raudsepp gentoo-dev 2017-02-15 10:51:06 UTC
Removing tracker bugs from the depends list (moved to the blocks list), as we need to proceed with security stabilization without these being RESOLVED, and having them listed as depends results in ATs not working on this bug due to unresolved depend bugs.
Comment 20 Agostino Sarubbo gentoo-dev 2017-02-15 15:06:10 UTC
amd64 stable
Comment 21 Agostino Sarubbo gentoo-dev 2017-02-15 15:56:32 UTC
x86 stable
Comment 22 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-18 08:51:30 UTC
Stable for HPPA.
Comment 23 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-22 13:18:37 UTC
Stable for PPC64.
Comment 24 Michael Weber (RETIRED) gentoo-dev 2017-02-22 21:06:44 UTC
ppc stable.
Comment 25 Michael Weber (RETIRED) gentoo-dev 2017-02-23 12:32:41 UTC
arm stable.
Comment 26 Mart Raudsepp gentoo-dev 2017-04-04 06:58:53 UTC
Any reason for bug 610546 still to be a blocker here (or that bug being open still), as this security bug probably doesn't show up with the tooling right now due to that?...
Comment 27 Tobias Klausmann (RETIRED) gentoo-dev 2017-04-05 12:20:25 UTC
=media-libs/libilbc-2.0.2 will not happen on alpha due to lack of architecture support from upstream. Since it's not keyworded yet, that should not be a problem. Working on the rest.
Comment 28 Tobias Klausmann (RETIRED) gentoo-dev 2017-04-05 14:07:57 UTC
Stable on alpha.
Comment 29 Yury German Gentoo Infrastructure gentoo-dev 2017-04-26 01:20:14 UTC
Arches, Thank you for your work.
Added to an existing GLSA Request.

Cannot wait on sparc.
Comment 30 GLSAMaker/CVETool Bot gentoo-dev 2017-05-09 19:35:24 UTC
This issue was resolved and addressed in GLSA 201705-05 at https://security.gentoo.org/glsa/201705-05 by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 31 Yury German Gentoo Infrastructure gentoo-dev 2017-05-18 03:51:28 UTC
Reopening for ia64 and sparc. Please finish stabilization or drop from stable.
Comment 32 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-10 20:17:55 UTC
ia64 stable
Comment 33 Stabilization helper bot gentoo-dev 2017-06-10 21:04:55 UTC
An automated check of this bug failed - the following atom is unknown:

media-libs/zimg-2.4

Please verify the atom list.
Comment 34 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-11 10:35:45 UTC
Adjusting package list for sparc...
Comment 35 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 22:15:22 UTC
sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9