Bug 719940 (CVE-2019-13312, CVE-2020-12284) - <media-video/ffmpeg-4.2.3: Multiple vulnerabilities (CVE-2019-13312, CVE-2020-12284)
Status: RESOLVED FIXED
Alias: CVE-2019-13312, CVE-2020-12284
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/FFmpeg/FFmpeg/comm...
Whiteboard: B3 [glsa+ cve]
Keywords: CC-ARCHES, PullRequest
Depends on: CVE-2020-13904, CVE-2020-14212
Blocks:
Reported: 2020-04-28 15:05 UTC by Sam James
Modified: 2020-07-28 19:43 UTC

See Also:
Package list:
=media-video/ffmpeg-4.2.3
Runtime testing required: ---
nattka: sanity-check-


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-28 15:05:40 UTC
Description:
"cbs_jpeg_split_fragment in libavcodec/cbs_jpeg.c in FFmpeg 4.2.2 has a heap-based buffer overflow during JPEG_MARKER_SOS handling because of a missing length check."

Patch: https://github.com/FFmpeg/FFmpeg/commit/1812352d767ccf5431aa440123e2e260a4db2726
Disclosure bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19734
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-28 15:06:12 UTC
@maintainer(s), please apply the supplied patch.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-04-28 15:08:09 UTC
CVE-2020-12284 (https://nvd.nist.gov/vuln/detail/CVE-2020-12284):
  cbs_jpeg_split_fragment in libavcodec/cbs_jpeg.c in FFmpeg 4.2.2 has a
  heap-based buffer overflow during JPEG_MARKER_SOS handling because of a
  missing length check.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-23 03:20:38 UTC
A collection of other flaws found by oss-fuzz were fixed in 4.2.3.

@maintainer(s): fixed in 4.2.3. Please bump.
Comment 4 Larry the Git Cow gentoo-dev 2020-05-23 20:06:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbf1dc0a317be65d039d8b9ff171571b6c721840

commit fbf1dc0a317be65d039d8b9ff171571b6c721840
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-05-22 15:03:03 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-05-23 20:05:21 +0000

    media-video/ffmpeg: Security bump to 4.2.3
    
    Bug: https://bugs.gentoo.org/719940
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-video/ffmpeg/Manifest            |   1 +
 media-video/ffmpeg/ffmpeg-4.2.3.ebuild | 551 +++++++++++++++++++++++++++++++++
 2 files changed, 552 insertions(+)
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2020-05-25 09:42:44 UTC
ppc/ppc64 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-05-25 12:11:30 UTC
amd64 stable
Comment 7 Rolf Eike Beer archtester 2020-05-30 08:51:05 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-03 18:42:44 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-04 06:36:40 UTC
x86 stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-08 16:52:37 UTC
arm64 stable

----
@maintainer(s), please clean up
Comment 11 Larry the Git Cow gentoo-dev 2020-07-27 16:40:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5aad0c4b02393043056f044fa39114bc1aa595ae

commit 5aad0c4b02393043056f044fa39114bc1aa595ae
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-23 21:06:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-27 16:40:18 +0000

    media-video/ffmpeg: security cleanup (drop <4.2.4)
    
    Bug: https://bugs.gentoo.org/711144
    Bug: https://bugs.gentoo.org/718012
    Bug: https://bugs.gentoo.org/719940
    Bug: https://bugs.gentoo.org/727450
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/ffmpeg/Manifest                        |   2 -
 media-video/ffmpeg/ffmpeg-3.4.6-r1.ebuild          | 490 ------------------
 media-video/ffmpeg/ffmpeg-4.2.3.ebuild             | 556 ---------------------
 media-video/ffmpeg/files/chromium.patch            |  36 --
 ...mpeg-3.4.6-fix-building-against-fdk-aac-2.patch |  74 ---
 media-video/ffmpeg/metadata.xml                    |   1 -
 6 files changed, 1159 deletions(-)
Comment 12 NATTkA bot gentoo-dev 2020-07-27 16:45:07 UTC
Unable to check for sanity:

> no match for package: =media-video/ffmpeg-4.2.3
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 16:49:59 UTC
GLSA vote: yes, with bug 718012.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-07-28 19:43:11 UTC
This issue was resolved and addressed in
 GLSA 202007-58 at https://security.gentoo.org/glsa/202007-58
by GLSA coordinator Sam James (sam_c).