| Summary: | media-video/ffmpeg-3.2.4: multiple vulnerabilities (CVE-2017-{5024,5025}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alexis Ballier <aballier> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | amynka, axiator, axs, chithanh, games, kensington, leio, media-video, tupone |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa cve] | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | 508226, 574786, 610546, 627018 | | |
| Bug Blocks: | 574788, 575538, 601354, 610810, 624180 | | |

Package list:

=media-video/ffmpeg-3.2.4
=media-libs/chromaprint-1.4.2
=media-libs/kvazaar-1.0.0
=media-video/nvidia_video_sdk-6.0.1 amd64 x86
=media-libs/libilbc-2.0.2
=media-libs/zimg-2.5
=media-libs/rubberband-1.8.1-r1
=media-libs/libsdl2-2.0.4
=media-libs/openh264-1.5.0
=media-libs/libebur128-1.2.0-r1
=media-libs/vamp-plugin-sdk-2.6-r1
=media-libs/raspberrypi-userland-0_pre20160424 arm
=media-libs/ladspa-sdk-1.13-r2
Description
Alexis Ballier
2017-02-10 14:03:14 UTC
@games team: I've put =media-libs/libsdl2-2.0.4 in the list for arches not having it stable yet. Feel free to bump that to 2.0.5 if you prefer.

@Ian: I've put =media-libs/openh264-1.4.0-r1 in the list for arches not having it stable yet. Feel free to bump that to 1.5.0 if you prefer.

@Amy: I've put =media-libs/libebur128-1.2.0-r1 in the list; please ack/nack.

(In reply to Alexis Ballier from comment #1)
> @games team: I've put =media-libs/libsdl2-2.0.4 in the list for arches not
> having it stable yet. Feel free to bump that to 2.0.5 if you prefer.

2.0.5 is blocked by ppc64 suffering from bug #608314. There's a keyword request for sparc in bug #508226.

(In reply to James Le Cuirot from comment #4)
> (In reply to Alexis Ballier from comment #1)
> > @games team: I've put =media-libs/libsdl2-2.0.4 in the list for arches not
> > having it stable yet. Feel free to bump that to 2.0.5 if you prefer.
>
> 2.0.5 is blocked by ppc64 suffering from bug #608314. There's a keyword
> request sparc in bug #508226.

Okay, thanks. So let's keep 2.0.4 then. Feel free to un-cc yourself if you want to avoid the emails.

An automated check of this bug failed - repoman reported dependency errors (161 lines truncated):
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/openh264/openh264-1.4.0-r1.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-lang/nasm']
> dependency.bad media-libs/openh264/openh264-1.4.0-r1.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-lang/nasm']
> dependency.bad media-libs/openh264/openh264-1.4.0-r1.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['dev-lang/nasm']
(In reply to Alexis Ballier from comment #2)
> @Ian: I've put =media-libs/openh264-1.4.0-r1 in the list for arches not
> having it stable yet. Feel free to bump that to 1.5.0 if you prefer.

We need 1.5.0 for non-x86 arches.

An automated check of this bug failed - repoman reported dependency errors (83 lines truncated):
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
Seems there is a bug with the stable bot. =media-libs/libebur128-1.2.0-r1 is in the list...

(In reply to Alexis Ballier from comment #9)
> Seems there is a bug with the stable bot. =media-libs/libebur128-1.2.0-r1 is
> in the list...

But it is not keyworded for alpha.

(In reply to Amy Liffey from comment #10)
> (In reply to Alexis Ballier from comment #9)
> > Seems there is a bug with the stable bot. =media-libs/libebur128-1.2.0-r1 is
> > in the list...
>
> But it is not keyworded for alpha.

keywordreq is bug #574786

*** Bug 603984 has been marked as a duplicate of this bug. ***

An automated check of this bug failed - repoman reported dependency errors (27 lines truncated):
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-libs/vamp-plugin-sdk[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/ladspa-sdk']
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-libs/vamp-plugin-sdk[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/ladspa-sdk']
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['media-libs/vamp-plugin-sdk[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/ladspa-sdk']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-libs/raspberrypi-userland']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-libs/raspberrypi-userland']
Maintainer: chithanh@gentoo.org (Chí-Thanh Christopher Nguyễn)
Maintainer: tupone@gentoo.org (Tupone Alfredo)

=media-libs/raspberrypi-userland-0_pre20160424 arm

Please ack/nack

An automated check of this bug failed - repoman reported dependency errors (13 lines truncated):
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-libs/ladspa-sdk']
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-libs/ladspa-sdk']
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['media-libs/ladspa-sdk']
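The stable-bot comments above are repoman `dependency.bad` reports: one line per ebuild, dependency class and profile, ending in a Python-style list of the atoms that are not keyworded on that arch. What the thread actually needs from them is "which packages block which arch", which is buried under the repeated `abi_*` USE-dependency blocks. The parser below is an added example for this page and is not part of this bug, repoman or Gentoo's tooling; it reduces each atom to category/package (assumed rule: strip the trailing USE block, the version operator and the `-<version>[-r<n>]` suffix; it does not implement Portage's full atom grammar, e.g. slots or blockers) and groups the result per architecture. The sample lines are copied from the bot output in this bug with the long `abi_*` lists abbreviated.

```python
"""Summarise repoman 'dependency.bad' output per architecture.

Added example for this page; not code from the bug, repoman or Gentoo.
"""
import ast
import re
from collections import defaultdict

# Shape of one line (leading '> ' is the Bugzilla quote marker):
#   dependency.bad <ebuild>: <DEPEND|RDEPEND|...>: <arch>(<profile>) ['atom', ...]
_LINE = re.compile(
    r"^>?\s*dependency\.bad\s+(?P<ebuild>\S+?):\s+(?P<kind>[A-Z]+):\s+"
    r"(?P<arch>[a-z0-9-]+)\((?P<profile>[^)]+)\)\s+(?P<atoms>\[.*\])\s*$"
)
_USE_DEPS = re.compile(r"\[[^\]]*\]$")        # trailing [abi_x86_32(-)?,...] block
_OPERATOR = re.compile(r"^[<>=~!]+")          # leading version operator (>=, =, ...)
_VERSION = re.compile(r"-\d[^-]*(-r\d+)?$")   # -<version> with optional -r<n>

# Sample input copied from the stable-bot comments in this bug, with the
# abi_* USE-dependency lists shortened; the last line is a non-matching line
# to show that unrelated text is ignored.
SAMPLE = """\
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?]', 'media-libs/zimg[abi_x86_32(-)?]']
> dependency.bad media-libs/openh264/openh264-1.4.0-r1.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-lang/nasm']
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-libs/vamp-plugin-sdk[abi_x86_32(-)?]', 'media-libs/ladspa-sdk']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-libs/raspberrypi-userland']
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['media-libs/ladspa-sdk']
Please verify the atom list.
"""


def atom_to_package(atom):
    """Reduce a dependency atom to category/package (assumed simplified rule).

    '>=media-libs/libebur128-1.1.0[abi_x86_32(-)?]' -> 'media-libs/libebur128'
    """
    atom = _USE_DEPS.sub("", atom)
    atom = _OPERATOR.sub("", atom)
    return _VERSION.sub("", atom)


def parse_line(line):
    """Parse one dependency.bad line; return None for anything else."""
    m = _LINE.match(line)
    if m is None:
        return None
    atoms = ast.literal_eval(m.group("atoms"))  # repoman prints a Python list literal
    return {
        "ebuild": m.group("ebuild"),
        "kind": m.group("kind"),
        "arch": m.group("arch"),
        "profile": m.group("profile"),
        "packages": sorted({atom_to_package(a) for a in atoms}),
    }


def missing_by_arch(lines):
    """Map arch -> sorted list of packages that are not keyworded there."""
    missing = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            missing[rec["arch"]].update(rec["packages"])
    return {arch: sorted(pkgs) for arch, pkgs in missing.items()}


if __name__ == "__main__":
    for arch, pkgs in sorted(missing_by_arch(SAMPLE.splitlines()).items()):
        print(f"{arch}: {', '.join(pkgs)}")
```

Run against the sample it prints one line per arch (alpha: dev-lang/nasm, media-libs/kvazaar, media-libs/libebur128, media-libs/libilbc, media-libs/zimg; arm: the rubberband and raspberrypi-userland deps; ia64: media-libs/ladspa-sdk), which is the keyword-request list the maintainers reconstruct by hand in the comments. Feed it the full untruncated bot output to get the same summary for every profile.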
3.2.4
Fixes following vulnerabilities:

CVE-2017-5024, ed2572b9c8f885e2a4764d2e34604442a71899a1 / 2d453188c2303da641dafb048dc1806790526dfd
CVE-2017-5025, cf8e004a51b08c6e8ceaeebca85ab84c7ed0b4cf / fd30e4d57fe5841385f845440688505b88c0f4a9

Note: 2.8.11 also fixes them but we're going for 3.2 stable, so...

(In reply to Alexis Ballier from comment #14)
> Maintainer: chithanh@gentoo.org (Chí-Thanh Christopher Nguyễn)
> Maintainer: tupone@gentoo.org (Tupone Alfredo)
>
> =media-libs/raspberrypi-userland-0_pre20160424 arm
>
>
> Please ack/nack

I tested media-tv/kodi with media-libs/ffmpeg-3.2.4 and media-libs/raspberrypi-userland-9999 (not 0_pre20160424, which is not on my system), and it seems to work. Though I don't know if the videos I played are decoded by ffmpeg.

(In reply to Alexis Ballier from comment #16)
> 3.2.4
> Fixes following vulnerabilities:
>
> CVE-2017-5024, ed2572b9c8f885e2a4764d2e34604442a71899a1 /
> 2d453188c2303da641dafb048dc1806790526dfd
> CVE-2017-5025, cf8e004a51b08c6e8ceaeebca85ab84c7ed0b4cf /
> fd30e4d57fe5841385f845440688505b88c0f4a9
>
>
>
> Note: 2.8.11 also fixes them but we're going for 3.2 stable, so...

Assigning bug to security to allow arches proper prioritizing...

Removing tracker bugs from depends list (moved to blocks list), as we need to proceed with security stabilization without these RESOLVED, and them being listed as depends results in ATs not working this bug due to unresolved depend bugs.

amd64 stable

x86 stable

Stable for HPPA.

Stable for PPC64.

ppc stable.

arm stable.

Any reason for bug 610546 still to be a blocker here (or that bug being open still), as this security bug probably doesn't show up with the tooling right now due to that?...

=media-libs/libilbc-2.0.2 will not happen on alpha due to lack of architecture support from upstream.

Since it's not keyworded yet, that should not be a problem.

Working on the rest.

Stable on alpha.

Arches, thank you for your work. Added to an existing GLSA Request.

Can not wait on sparc.
This issue was resolved and addressed in GLSA 201705-05 at https://security.gentoo.org/glsa/201705-05 by GLSA coordinator Kristian Fiskerstrand (K_F).

Reopening for ia64 and sparc. Please finish stabilization or drop from stable.

ia64 stable

An automated check of this bug failed - the following atom is unknown: media-libs/zimg-2.4

Please verify the atom list.

Adjusting package list for sparc...

sparc was dropped to exp.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9