
Bug 536218 (CVE-2015-2097)

Summary: <media-video/ffmpeg-2.2.14: Multiple vulnerabilities (CVE-2014-{2097,2098,2263,8541,8542,8543,8544,8545,8546,8547,8548,8549,9316,9317,9318,9319})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: media-video, sam
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-10 16:31:41 UTC
CVE-2014-9319 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9319):
  The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg before
  2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers
  to cause a denial of service (out-of-bounds access) via a crafted .bit file.

CVE-2014-9318 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9318):
  The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6, 2.2.x
  through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a
  denial of service (out-of-bounds heap access) and possibly have other
  unspecified impact via a crafted .cine file that triggers the
  avpicture_get_size function to return a negative frame size.

CVE-2014-9317 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9317):
  The decode_ihdr_chunk function in libavcodec/pngdec.c in FFMpeg before
  2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers
  to cause a denial of service (out-of-bounds heap access) and possibly have
  other unspecified impact via an IDAT before an IHDR in a PNG file.

CVE-2014-9316 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9316):
  The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg before
  2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers
  to cause a denial of service (out-of-bounds heap access) and possibly have
  other unspecified impact via vectors related to LJIF tags in an MJPEG file.

CVE-2014-8549 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8549):
  libavcodec/on2avc.c in FFmpeg before 2.4.2 does not constrain the number of
  channels to at most 2, which allows remote attackers to cause a denial of
  service (out-of-bounds access) or possibly have unspecified other impact via
  crafted On2 data.

CVE-2014-8548 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8548):
  Off-by-one error in libavcodec/smc.c in FFmpeg before 2.4.2 allows remote
  attackers to cause a denial of service (out-of-bounds access) or possibly
  have unspecified other impact via crafted Quicktime Graphics (aka SMC) video
  data.

CVE-2014-8547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8547):
  libavcodec/gifdec.c in FFmpeg before 2.4.2 does not properly compute image
  heights, which allows remote attackers to cause a denial of service
  (out-of-bounds access) or possibly have unspecified other impact via crafted
  GIF data.

CVE-2014-8546 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8546):
  Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2 allows
  remote attackers to cause a denial of service (out-of-bounds access) or
  possibly have unspecified other impact via crafted Cinepak video data.

CVE-2014-8545 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8545):
  libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the monochrome-black
  format without verifying that the bits-per-pixel value is 1, which allows
  remote attackers to cause a denial of service (out-of-bounds access) or
  possibly have unspecified other impact via crafted PNG data.

CVE-2014-8544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8544):
  libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate
  bits-per-pixel fields, which allows remote attackers to cause a denial of
  service (out-of-bounds access) or possibly have unspecified other impact via
  crafted TIFF data.

CVE-2014-8543 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8543):
  libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider all lines of
  HHV Intra blocks during validation of image height, which allows remote
  attackers to cause a denial of service (out-of-bounds access) or possibly
  have unspecified other impact via crafted MM video data.

CVE-2014-8542 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8542):
  libavcodec/utils.c in FFmpeg before 2.4.2 omits a certain codec ID during
  enforcement of alignment, which allows remote attackers to cause a denial of
  service (out-of-bounds access) or possibly have unspecified other impact via
  crafted JV data.

CVE-2014-8541 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8541):
  libavcodec/mjpegdec.c in FFmpeg before 2.4.2 considers only dimension
  differences, and not bits-per-pixel differences, when determining whether an
  image size has changed, which allows remote attackers to cause a denial of
  service (out-of-bounds access) or possibly have unspecified other impact via
  crafted MJPEG data.

CVE-2014-2263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2263):
  The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB) muxer
  (libavformat/mpegtsenc.c) in FFmpeg, possibly 2.1 and earlier, allows remote
  attackers to have unspecified impact and vectors, which trigger an
  out-of-bounds write.

CVE-2014-2098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2098):
  libavcodec/wmalosslessdec.c in FFmpeg before 2.1.4 uses an incorrect
  data-structure size for certain coefficients, which allows remote attackers
  to cause a denial of service (memory corruption) or possibly have
  unspecified other impact via crafted WMA data.

CVE-2014-2097 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2097):
  The tak_decode_frame function in libavcodec/takdec.c in FFmpeg before 2.1.4
  does not properly validate a certain bits-per-sample value, which allows
  remote attackers to cause a denial of service (out-of-bounds array access)
  or possibly have unspecified other impact via crafted TAK (aka Tom's
  lossless Audio Kompressor) data.
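Two of the PNG entries above (CVE-2014-9317, an IDAT chunk arriving before the IHDR that defines the image, and CVE-2014-8545, a pixel format chosen without checking the bit depth that format requires) are both failures to validate header state before it is used. As an added illustration that is not FFmpeg's code and does not reproduce its decoder, the following standalone Python validator parses PNG chunks and rejects out-of-order chunks, colour-type/bit-depth combinations the PNG specification does not allow, and CRC mismatches. The sample images, the `validate_png`/`check` names and the error strings are constructed for this example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Permitted bit depths per colour type, taken from the PNG specification
# (IHDR chunk definition). A 1-bit greyscale image is the only "monochrome"
# case; anything else claiming to be monochrome is malformed.
ALLOWED_BIT_DEPTHS = {
    0: {1, 2, 4, 8, 16},   # greyscale
    2: {8, 16},            # truecolour
    3: {1, 2, 4, 8},       # indexed-colour
    4: {8, 16},            # greyscale with alpha
    6: {8, 16},            # truecolour with alpha
}


class PngError(ValueError):
    """Raised for any structural problem in the input."""


def iter_chunks(data):
    """Yield (chunk_type, payload) pairs, checking lengths and CRCs first."""
    if data[:8] != PNG_SIGNATURE:
        raise PngError("bad signature")
    pos = 8
    while pos < len(data):
        if pos + 8 > len(data):
            raise PngError("truncated chunk header")
        length, chunk_type = struct.unpack(">I4s", data[pos:pos + 8])
        if length > 2 ** 31 - 1:           # spec limit; also blocks absurd sizes
            raise PngError("chunk length exceeds PNG limit")
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise PngError("truncated chunk payload")
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(chunk_type + payload) & 0xFFFFFFFF != crc:
            raise PngError("CRC mismatch in %s" % chunk_type.decode("latin-1"))
        yield chunk_type, payload
        pos = end + 4


def validate_png(data):
    """Return (width, height, bit_depth, colour_type) or raise PngError."""
    header = None        # set once IHDR has been seen and accepted
    saw_idat = False
    for chunk_type, payload in iter_chunks(data):
        if chunk_type == b"IHDR":
            if header is not None:
                raise PngError("duplicate IHDR")
            if len(payload) != 13:
                raise PngError("IHDR must be 13 bytes")
            w, h, depth, colour, _comp, _filt, _interlace = struct.unpack(">IIBBBBB", payload)
            if w == 0 or h == 0 or w > 2 ** 31 - 1 or h > 2 ** 31 - 1:
                raise PngError("invalid dimensions")
            if colour not in ALLOWED_BIT_DEPTHS or depth not in ALLOWED_BIT_DEPTHS[colour]:
                raise PngError("invalid colour type / bit depth combination")
            header = (w, h, depth, colour)
        elif chunk_type == b"IDAT":
            # Image data is meaningless (and unsafe to size buffers for)
            # until the header has defined the dimensions and pixel format.
            if header is None:
                raise PngError("IDAT before IHDR")
            saw_idat = True
        elif chunk_type == b"IEND":
            if header is None or not saw_idat:
                raise PngError("IEND without IHDR/IDAT")
            return header
    raise PngError("missing IEND")


def check(data):
    """Convenience wrapper: ('ok', header) or ('rejected', reason)."""
    try:
        return "ok", validate_png(data)
    except PngError as exc:
        return "rejected", str(exc)


# --- constructed sample inputs -------------------------------------------
def build_chunk(chunk_type, payload):
    crc = zlib.crc32(chunk_type + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + chunk_type + payload + struct.pack(">I", crc)


def sample_png(chunks):
    return PNG_SIGNATURE + b"".join(build_chunk(t, p) for t, p in chunks)


IHDR_1X1_GREY = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
IDAT_1X1_GREY = zlib.compress(b"\x00\x00")   # filter byte + one grey pixel

GOOD = sample_png([(b"IHDR", IHDR_1X1_GREY), (b"IDAT", IDAT_1X1_GREY), (b"IEND", b"")])
IDAT_FIRST = sample_png([(b"IDAT", IDAT_1X1_GREY), (b"IHDR", IHDR_1X1_GREY), (b"IEND", b"")])
BAD_DEPTH = sample_png([(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 3, 0, 0, 0, 0)),
                        (b"IDAT", IDAT_1X1_GREY), (b"IEND", b"")])
TAMPERED = bytearray(GOOD)
TAMPERED[16] ^= 1              # flip a bit in the IHDR width field
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("idat-first", IDAT_FIRST),
                       ("bad-depth", BAD_DEPTH), ("tampered", TAMPERED)]:
        print(name, check(blob))
```

The ordering check is the point: a decoder that allocates its frame buffer from IHDR must refuse image data until that header exists, and must refuse a second IHDR that could change the size after the buffer was sized. The CRC check is cheap and catches accidental corruption, but it is not an authentication mechanism; an attacker-supplied file simply carries correct CRCs.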
Comment 1 Agostino Sarubbo gentoo-dev 2015-02-14 18:17:35 UTC
I guess 1.2.11 fixes these CVEs, could we proceed?
Comment 2 Alexis Ballier gentoo-dev 2015-02-14 18:26:46 UTC
(In reply to Agostino Sarubbo from comment #1)
> I guess 1.2.11 fixes these CVEs, could we proceed?

it should, but we're going with 2.2; upstream is dropping maintenance on the 1.2 branch anyway
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-07-01 00:32:29 UTC
> it should, but we're going with 2.2; upstream is dropping maintenance on
> the 1.2 branch anyway

So with stabilization of 2.2.14, did you backport the patches? A few CVEs state version 2.2.X to 2.3.X.
Comment 4 Alexis Ballier gentoo-dev 2015-07-01 07:23:54 UTC
(In reply to Yury German from comment #3)
> > it should, but we're going with 2.2; upstream is dropping maintenance on
> > the 1.2 branch anyway
> 
> So with stabilization of 2.2.14, did you backport the patches? A few CVEs
> state version 2.2.X to 2.3.X.

I didn't backport anything; upstream does it: http://ffmpeg.org/security.html

unless I missed something, 2.2.11 already fixes them all

please consider the above upstream link as the only authoritative one; I've seen way too many wrong CVEs and such...
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-07-01 12:16:05 UTC
Thank you for replying.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-07-01 12:56:28 UTC
Highest version of fixes for CVEs: 2.1.6, 2.2.11, 2.3.6, 2.4.4, 2.5

2.2.14 is being stabilized, but higher version without bugs is 2.2.15
Setting dependency on: 548006
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 11:21:31 UTC
This issue was resolved and addressed in
GLSA 201603-06 at https://security.gentoo.org/glsa/201603-06
by GLSA coordinator Kristian Fiskerstrand (K_F).