Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 630460 (CVE-2017-14225)

Summary: <media-video/ffmpeg-3.3.4: NULL pointer dereference in libavutil/pixdesc.c
Product: Gentoo Security Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: media-video
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14225
Whiteboard: B3 [noglsa cve]
Package list:
=media-video/ffmpeg-3.3.4
 Runtime testing required: ---
Bug Depends on: 639698    
Bug Blocks: 629480, 630148, 632134    

Description D'juan McDonald (domhnall) 2017-09-09 10:55:07 UTC 
from ${URL}:

The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg 3.3.3 may return a NULL pointer depending on a value contained in a file, but callers do not anticipate this, as demonstrated by the avcodec_string function in libavcodec/utils.c, leading to a NULL pointer dereference. (It is also conceivable that there is security relevance for a NULL pointer dereference in av_color_primaries_name calls within the ffprobe command-line program.)


Upstream Patch 2/2:
(https://github.com/FFmpeg/FFmpeg/commit/837cb4325b712ff1aab531bf41668933f61d75d2)

(https://lists.ffmpeg.org/pipermail/ffmpeg-devel/2017-August/215198.html)
Comment 1 D'juan McDonald (domhnall) 2017-09-09 11:00:14 UTC 


----------------------------
Daj Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
Comment 2 Alexis Ballier gentoo-dev 2017-09-14 07:37:47 UTC 
this should be fixed in 3.3.4
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-09-16 22:37:43 UTC 
@maintainer(s), please let us know when you are ready to stabilize.
Comment 4 Alexis Ballier gentoo-dev 2017-09-19 21:55:41 UTC 
(In reply to Aaron Bauman from comment #3)
> @maintainer(s), please let us know when you are ready to stabilize.

as noted in bug #630148, yes :)
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-19 23:54:59 UTC 
(In reply to Alexis Ballier from comment #4)
> 
> as noted in bug #630148, yes :)

Great, we will handle stabilization here.

@Maintainers please verify if SLOT 54.56.56 is vulnerable, if that's the case, it's your decision to call sparc to the stabilization request.

@Arches, please test and mark stable.

Gentoo Security Padawan
ChrisADR
Comment 6 Stabilization helper bot gentoo-dev 2017-09-20 00:01:48 UTC 
An automated check of this bug failed - repoman reported dependency errors (19 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
Comment 7 Alexis Ballier gentoo-dev 2017-09-20 10:01:35 UTC 
(In reply to Christopher Díaz from comment #5)
> @Maintainers please verify if SLOT 54.56.56 is vulnerable, if that's the
> case, it's your decision to call sparc to the stabilization request.

if not this bug, that's another one, but I don't expect much on the sparc side
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-20 20:44:56 UTC 
ia64 stable
Comment 9 Stabilization helper bot gentoo-dev 2017-09-20 21:01:35 UTC 
An automated check of this bug failed - repoman reported dependency errors (19 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-24 10:46:25 UTC 
hppa stable
Comment 11 Stabilization helper bot gentoo-dev 2017-09-24 11:01:37 UTC 
An automated check of this bug failed - repoman reported dependency errors (19 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
Comment 12 Manuel Rüger (RETIRED) gentoo-dev 2017-09-27 10:19:30 UTC 
amd64 stable
Comment 13 Stabilization helper bot gentoo-dev 2017-09-27 11:01:15 UTC 
An automated check of this bug failed - repoman reported dependency errors (19 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-09-29 23:08:12 UTC 
x86 stable
Comment 15 Stabilization helper bot gentoo-dev 2017-09-30 00:01:11 UTC 
An automated check of this bug failed - repoman reported dependency errors (19 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
Comment 16 Markus Meier gentoo-dev 2017-10-14 06:21:26 UTC 
arm stable
Comment 17 Stabilization helper bot gentoo-dev 2017-10-14 08:01:35 UTC 
An automated check of this bug failed - repoman reported dependency errors (17 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=net-libs/zeromq-4.1.6']
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2017-10-19 01:27:18 UTC 
alpha is o.

@ppc/ppc64, please proceed.
Comment 19 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-25 06:37:43 UTC 
ppc/ppc64 stable
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2017-10-26 00:48:21 UTC 
GLSA Vote: No

@maintainers, please clean the vulnerable versions.
Comment 21 Aaron Bauman (RETIRED) gentoo-dev 2018-05-19 22:06:54 UTC 
cleanup will occur in bug #639698

GLSA Vote: No