CVE-2017-16840 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16840): The VC-2 Video Compression encoder in FFmpeg 3.4 allows remote attackers to cause a denial of service (out-of-bounds read) because of incorrect buffer padding for non-Haar wavelets, related to libavcodec/vc2enc.c and libavcodec/vc2enc_dwt.c.
From http://ffmpeg.org/security.html :

3.4.1 Fixes following vulnerabilities:
CVE-2017-16840, a94cb36ab2ad99d3a1331c9f91831ef593d94f74 / 3228ac730c11eca49d5680d5550128e397061c85
CVE-2017-17081, 6ccf19198b360cfc3fe5cd274948cfde2fe305e0 / 58cf31cee7a456057f337b3102a03206d833d5e8

3.3.6 Fixes following vulnerabilities:
CVE-2017-16840, a7aac19933a91e22d77b0b4dd4ecd61edf52d43f / 3228ac730c11eca49d5680d5550128e397061c85
CVE-2017-17081, 96fe37a3390aaa07a1798d8daa6aa2d622c4870b / 58cf31cee7a456057f337b3102a03206d833d5e8

go ahead and stabilize =media-video/ffmpeg-3.3.6
arm64 CC'ed as they are working towards a stable profile. Does not hinder the progress of security bugs, but is done to assist them with their goals only.
An automated check of this bug failed - repoman reported dependency errors:
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.6.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.6.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30d5af7a47b0aa18c8bcd0f10eacbea74d29723e
commit 30d5af7a47b0aa18c8bcd0f10eacbea74d29723e
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-14 16:21:32 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-14 16:23:02 +0000

    media-video/ffmpeg: x86 stable

    Bug: https://bugs.gentoo.org/639698
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 media-video/ffmpeg/ffmpeg-3.3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
@ stable-bot: Please re-check due to https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47a79a4a4e61abc74ac45f8c22e38680e843edbe
Stable on amd64.
Fails tests on ppc (see bug 635332).
arm stable
ia64 stable
Did some testing on ppc again. As I learned in bug 635332 tests always fail on Big Endian, which is due to some tests but not the code tested. But this got fixed in ffmpeg-3.4.2. So I just tested the rdeps:
# cat ffmpeg-639698.report
revdep tests started on Mi 28. Feb 08:49:18 CET 2018
FEATURES= test USE='-libav' succeeded for media-plugins/gst-plugins-libav
USE='ffmpeg -libav' FEATURES=' test' failed for www-plugins/gnash
USE='-libav' FEATURES=' test' failed for media-libs/chromaprint
FEATURES= test USE='ffmpeg -libav' succeeded for media-video/gpac
USE='ffmpeg -libav' FEATURES=' test' failed for media-sound/audacity
USE='-libav' FEATURES=' test' : REQUIRED_USE not satisfied (probably) for media-video/kino
FEATURES= test USE='ffmpeg -libav' succeeded for media-plugins/alsa-plugins
USE='ffmpeg -libav' FEATURES=' test' failed for net-misc/freerdp
FEATURES= test USE='-libav' succeeded for media-video/ffmpegthumbnailer
FEATURES= test USE='ffmpeg -libav' succeeded for media-video/vlc
Not so bad after all, as the failed tests most probably don't fail due to ffmpeg-3.3.6 (see bug #649006, bug #610556, bug #626586, bug #637006). I guess it's ok for ppc to stabilize ffmpeg-3.3.6 after all.
ppc/ppc64 stable
hppa is now exp and no longer security supported. @maintainer(s), please clean the vulnerable ebuilds.
(In reply to Aaron Bauman from comment #13)
> hppa is now exp and no longer security supported.
>
> @maintainer(s), please clean the vulnerable ebuilds.
alpha is not exp
(In reply to Alexis Ballier from comment #14)
> (In reply to Aaron Bauman from comment #13)
> > hppa is now exp and no longer security supported.
> >
> > @maintainer(s), please clean the vulnerable ebuilds.
>
> alpha is not exp
ugh, no one said it was, but I see my oversight now. If you could, please mask 3.2.6 on all arches except alpha. You could then remove the older versions that are vulnerable.
(In reply to Aaron Bauman from comment #15)
> If you could, please mask 3.2.6 on all arches except alpha. You could then
> remove the older versions that are vulnerable.
+1. PLEASE, mask & remove older versions. Thanks a lot, Gentoo developers.
3.3.6 and 3.4.1 not in tree. Thank you all for your work. Closing as [noglsa].