Bug 630460 (CVE-2017-14225) - <media-video/ffmpeg-3.3.4: NULL pointer dereference in libavutil/pixdesc.c
Summary: <media-video/ffmpeg-3.3.4: NULL pointer dereference in libavutil/pixdesc.c
Status: RESOLVED FIXED
Alias: CVE-2017-14225
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://web.nvd.nist.gov/view/vuln/de...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2017-16840
Blocks: 2017-14054, 2017-14055, 2017-14056, 2017-14057, 2017-14058, 2017-14059 CVE-2017-14169, CVE-2017-14170, CVE-2017-14171 CVE-2017-14767
Reported: 2017-09-09 10:55 UTC by D'juan McDonald (domhnall)
Modified: 2018-05-19 22:06 UTC

See Also:
Package list:
=media-video/ffmpeg-3.3.4
Runtime testing required: ---
stable-bot: sanity-check+


Description D'juan McDonald (domhnall) 2017-09-09 10:55:07 UTC
from ${URL}:

The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg 3.3.3 may return a NULL pointer depending on a value contained in a file, but callers do not anticipate this, as demonstrated by the avcodec_string function in libavcodec/utils.c, leading to a NULL pointer dereference. (It is also conceivable that there is security relevance for a NULL pointer dereference in av_color_primaries_name calls within the ffprobe command-line program.)


Upstream Patch 2/2:
(https://github.com/FFmpeg/FFmpeg/commit/837cb4325b712ff1aab531bf41668933f61d75d2)

(https://lists.ffmpeg.org/pipermail/ffmpeg-devel/2017-August/215198.html)
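
The failure mode in the description above, as an added example that is not part of the original report and is not FFmpeg source: a name lookup indexed by a file-controlled value returns NULL for gaps and out-of-range input, shown with an unguarded caller beside a guarded one. The table contents and the names `pri_name`, `describe_unchecked` and `describe_checked` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not FFmpeg source: a sparse name table indexed by a
 * value read from the input file. Indexes 0, 2 and 3 are gaps with no name. */
enum { PRI_NB = 6 };
static const char *const pri_names[PRI_NB] = {
    [1] = "bt709", [4] = "bt470m", [5] = "bt470bg",
};

/* Returns NULL for out-of-range values and for gaps in the table. */
const char *pri_name(int v)
{
    return (unsigned)v < (unsigned)PRI_NB ? pri_names[v] : NULL;
}

/* Unguarded caller: strlen(NULL) is undefined behaviour and typically a
 * crash when v is a gap or out of range. Kept for comparison only. */
size_t describe_unchecked(char *buf, size_t size, int v)
{
    const char *name = pri_name(v);
    size_t n = strlen(name);          /* NULL pointer dereference here */
    snprintf(buf, size, "primaries=%s", name);
    return n;
}

/* Guarded caller: check the return value before any use. */
size_t describe_checked(char *buf, size_t size, int v)
{
    const char *name = pri_name(v);
    if (!name)
        name = "unknown";             /* fallback label chosen for this example */
    snprintf(buf, size, "primaries=%s", name);
    return strlen(name);
}

int main(void)
{
    /* Constructed sample values: valid, gap, zero, negative, too large. */
    int samples[] = { 1, 3, 0, -1, 1000 };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        describe_checked(buf, sizeof buf, samples[i]);
        printf("%d -> %s\n", samples[i], buf);
    }
    return 0;
}
```
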
Comment 1 D'juan McDonald (domhnall) 2017-09-09 11:00:14 UTC


----------------------------
Daj Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
Comment 2 Alexis Ballier gentoo-dev 2017-09-14 07:37:47 UTC
this should be fixed in 3.3.4
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-09-16 22:37:43 UTC
@maintainer(s), please let us know when you are ready to stabilize.
Comment 4 Alexis Ballier gentoo-dev 2017-09-19 21:55:41 UTC
(In reply to Aaron Bauman from comment #3)
> @maintainer(s), please let us know when you are ready to stabilize.

as noted in bug #630148, yes :)
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-19 23:54:59 UTC
(In reply to Alexis Ballier from comment #4)
> 
> as noted in bug #630148, yes :)

Great, we will handle stabilization here.

@Maintainers please verify if SLOT 54.56.56 is vulnerable, if that's the case, it's your decision to call sparc to the stabilization request.

@Arches, please test and mark stable.

Gentoo Security Padawan
ChrisADR
Comment 6 Stabilization helper bot gentoo-dev 2017-09-20 00:01:48 UTC
An automated check of this bug failed - repoman reported dependency errors (19 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
Comment 7 Alexis Ballier gentoo-dev 2017-09-20 10:01:35 UTC
(In reply to Christopher Díaz from comment #5)
> @Maintainers please verify if SLOT 54.56.56 is vulnerable, if that's the
> case, it's your decision to call sparc to the stabilization request.

if not this bug, that's another one, but I don't expect much on the sparc side
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-20 20:44:56 UTC
ia64 stable
Comment 9 Stabilization helper bot gentoo-dev 2017-09-20 21:01:35 UTC
An automated check of this bug failed - repoman reported dependency errors (19 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-24 10:46:25 UTC
hppa stable
Comment 11 Stabilization helper bot gentoo-dev 2017-09-24 11:01:37 UTC
An automated check of this bug failed - repoman reported dependency errors (19 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
Comment 12 Manuel Rüger (RETIRED) gentoo-dev 2017-09-27 10:19:30 UTC
amd64 stable
Comment 13 Stabilization helper bot gentoo-dev 2017-09-27 11:01:15 UTC
An automated check of this bug failed - repoman reported dependency errors (19 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-09-29 23:08:12 UTC
x86 stable
Comment 15 Stabilization helper bot gentoo-dev 2017-09-30 00:01:11 UTC
An automated check of this bug failed - repoman reported dependency errors (19 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
Comment 16 Markus Meier gentoo-dev 2017-10-14 06:21:26 UTC
arm stable
Comment 17 Stabilization helper bot gentoo-dev 2017-10-14 08:01:35 UTC
An automated check of this bug failed - repoman reported dependency errors (17 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2017-10-19 01:27:18 UTC
alpha is o.

@ppc/ppc64, please proceed.
Comment 19 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-25 06:37:43 UTC
ppc/ppc64 stable
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2017-10-26 00:48:21 UTC
GLSA Vote: No

@maintainers, please clean the vulnerable versions.
Comment 21 Aaron Bauman (RETIRED) gentoo-dev 2018-05-19 22:06:54 UTC
cleanup will occur in bug #639698

GLSA Vote: No