
Bug 639698 (CVE-2017-16840)

Summary: <media-video/ffmpeg-{3.3.6, 3.4.1}: Denial of Service vulnerability
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: media-video
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
=media-video/ffmpeg-3.3.6
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 630460, 634750, 636736    

Description GLSAMaker/CVETool Bot gentoo-dev 2017-12-04 01:51:45 UTC
CVE-2017-16840 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16840):
  The VC-2 Video Compression encoder in FFmpeg 3.4 allows remote attackers to
  cause a denial of service (out-of-bounds read) because of incorrect buffer
  padding for non-Haar wavelets, related to libavcodec/vc2enc.c and
  libavcodec/vc2enc_dwt.c.
Comment 1 Alexis Ballier gentoo-dev 2017-12-20 16:06:49 UTC
From http://ffmpeg.org/security.html :

3.4.1

Fixes following vulnerabilities: 

CVE-2017-16840, a94cb36ab2ad99d3a1331c9f91831ef593d94f74 / 3228ac730c11eca49d5680d5550128e397061c85
CVE-2017-17081, 6ccf19198b360cfc3fe5cd274948cfde2fe305e0 / 58cf31cee7a456057f337b3102a03206d833d5e8
Comment 2 Alexis Ballier gentoo-dev 2018-01-13 12:33:15 UTC
3.3.6

Fixes following vulnerabilities:

CVE-2017-16840, a7aac19933a91e22d77b0b4dd4ecd61edf52d43f / 3228ac730c11eca49d5680d5550128e397061c85
CVE-2017-17081, 96fe37a3390aaa07a1798d8daa6aa2d622c4870b / 58cf31cee7a456057f337b3102a03206d833d5e8



go ahead and stabilize =media-video/ffmpeg-3.3.6
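The two comments above quote the per-release "Fixes following vulnerabilities" lists from ffmpeg.org/security.html, where each line is "CVE, commit on the release branch / commit on master". The following Python is an added example for this page (not code from the bug, from FFmpeg or from Gentoo) that parses those lists and answers the question an administrator actually has: does the installed ffmpeg version carry the fix for a given CVE? It assumes that a fix listed for release X.Y.Z covers X.Y.Z and later point releases on the X.Y branch only; any branch with no listed fix release is reported as "unknown" rather than guessed either way. Gentoo revision suffixes such as "-r1" are stripped before comparison.

```python
"""Decide whether an installed ffmpeg carries the fix for a CVE, from the
per-release "Fixes following vulnerabilities" blocks of ffmpeg.org/security.html
as quoted in comments 1 and 2.  Added example for this bug page, not code from
FFmpeg or Gentoo.  Assumption: a fix listed for release X.Y.Z covers X.Y.Z and
later point releases on the X.Y branch only; other branches are reported as
unknown rather than guessed.
"""
import re
from typing import Dict, Tuple

# Advisory text exactly as quoted in the bug comments above.
ADVISORY_TEXT = """\
3.4.1

Fixes following vulnerabilities:

CVE-2017-16840, a94cb36ab2ad99d3a1331c9f91831ef593d94f74 / 3228ac730c11eca49d5680d5550128e397061c85
CVE-2017-17081, 6ccf19198b360cfc3fe5cd274948cfde2fe305e0 / 58cf31cee7a456057f337b3102a03206d833d5e8

3.3.6

Fixes following vulnerabilities:

CVE-2017-16840, a7aac19933a91e22d77b0b4dd4ecd61edf52d43f / 3228ac730c11eca49d5680d5550128e397061c85
CVE-2017-17081, 96fe37a3390aaa07a1798d8daa6aa2d622c4870b / 58cf31cee7a456057f337b3102a03206d833d5e8
"""

RELEASE_RE = re.compile(r"^\d+(?:\.\d+)+$")
# "CVE-id, <commit on the release branch> / <same fix on master>"
FIX_RE = re.compile(r"^(CVE-\d{4}-\d+),\s*([0-9a-f]{40})\s*/\s*([0-9a-f]{40})$")

# release -> cve -> (release-branch commit, master commit)
Fixes = Dict[str, Dict[str, Tuple[str, str]]]


def parse_advisory(text: str) -> Fixes:
    fixes: Fixes = {}
    release = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RELEASE_RE.match(line):
            release = line
            fixes.setdefault(release, {})
            continue
        m = FIX_RE.match(line)
        if m and release is not None:
            cve, branch_commit, master_commit = m.groups()
            fixes[release][cve] = (branch_commit, master_commit)
    return fixes


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric components only; a Gentoo revision suffix such as '-r1' is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def fix_status(installed: str, cve: str, fixes: Fixes) -> str:
    """'fixed', 'vulnerable' or 'unknown' for the installed version and CVE.

    A release X.Y.Z listing the CVE settles the question for the X.Y branch:
    at or above X.Y.Z is fixed, below it is vulnerable.  Branches with no
    listed fix release (older ones, or newer ones the advisory predates)
    come back as 'unknown' so the caller does not silently assume safety.
    """
    inst = parse_version(installed)
    for release, cves in fixes.items():
        rel = parse_version(release)
        if cve in cves and rel[:2] == inst[:2]:
            return "fixed" if inst >= rel else "vulnerable"
    return "unknown"


if __name__ == "__main__":
    fixes = parse_advisory(ADVISORY_TEXT)
    for v in ("3.3.5", "3.3.6", "3.4", "3.4.1-r1", "3.2.6"):
        print(f"ffmpeg-{v}: CVE-2017-16840 {fix_status(v, 'CVE-2017-16840', fixes)}")
```

Note that "3.4" (the version NVD names) compares below "3.4.1" and is reported vulnerable, while 3.2.6, which this bug later asks to have masked, comes back unknown because neither quoted list names a 3.2.x fix release; that is deliberate, since the only safe answer for a branch the advisory does not cover is to check upstream rather than assume.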
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-01-13 16:28:33 UTC
arm64 CC'ed as they are working towards a stable profile.  Does not hinder the progress of security bugs, but is done to assist them with their goals only.
Comment 4 Stabilization helper bot gentoo-dev 2018-01-13 18:01:50 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.6.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.6.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
Comment 5 Larry the Git Cow gentoo-dev 2018-01-14 16:23:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30d5af7a47b0aa18c8bcd0f10eacbea74d29723e

commit 30d5af7a47b0aa18c8bcd0f10eacbea74d29723e
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-14 16:21:32 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-14 16:23:02 +0000

    media-video/ffmpeg: x86 stable
    
    Bug: https://bugs.gentoo.org/639698
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 media-video/ffmpeg/ffmpeg-3.3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-14 16:24:40 UTC
@ stable-bot: Please re-check due to https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47a79a4a4e61abc74ac45f8c22e38680e843edbe
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2018-01-15 19:08:30 UTC
Stable on amd64.
Comment 8 ernsteiswuerfel archtester 2018-01-20 13:44:48 UTC
Fails tests on ppc (see bug 635332).
Comment 9 Markus Meier gentoo-dev 2018-02-05 21:21:33 UTC
arm stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-19 07:43:58 UTC
ia64 stable
Comment 11 ernsteiswuerfel archtester 2018-02-28 09:39:10 UTC
Did some testing on ppc again.

As I learned in bug 635332 tests always fail on Big Endian, which is due to some tests but not the code tested. But this got fixed in ffmpeg-3.4.2. So I just tested the rdeps:

# cat ffmpeg-639698.report 
revdep tests started on Mi 28. Feb 08:49:18 CET 2018

FEATURES= test USE='-libav' succeeded for media-plugins/gst-plugins-libav
USE='ffmpeg -libav' FEATURES=' test' failed for www-plugins/gnash
USE='-libav' FEATURES=' test' failed for media-libs/chromaprint
FEATURES= test USE='ffmpeg -libav' succeeded for media-video/gpac
USE='ffmpeg -libav' FEATURES=' test' failed for media-sound/audacity
USE='-libav' FEATURES=' test' : REQUIRED_USE not satisfied (probably) for media-video/kino
FEATURES= test USE='ffmpeg -libav' succeeded for media-plugins/alsa-plugins
USE='ffmpeg -libav' FEATURES=' test' failed for net-misc/freerdp
FEATURES= test USE='-libav' succeeded for media-video/ffmpegthumbnailer
FEATURES= test USE='ffmpeg -libav' succeeded for media-video/vlc

Not so bad after all, as the failed tests most probably don't fail due to ffmpeg-3.3.6 (see bug #649006, bug #610556, bug #626586, bug #637006).

I guess it's ok for ppc to stabilize ffmpeg-3.3.6 after all.
Comment 12 Matt Turner gentoo-dev 2018-03-12 07:47:33 UTC
ppc/ppc64 stable
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2018-05-19 22:06:22 UTC
hppa is now exp and no longer security supported.

@maintainer(s), please clean the vulnerable ebuilds.
Comment 14 Alexis Ballier gentoo-dev 2018-05-20 08:01:50 UTC
(In reply to Aaron Bauman from comment #13)
> hppa is now exp and no longer security supported.
> 
> @maintainer(s), please clean the vulnerable ebuilds.

alpha is not exp
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2018-05-20 14:28:42 UTC
(In reply to Alexis Ballier from comment #14)
> (In reply to Aaron Bauman from comment #13)
> > hppa is now exp and no longer security supported.
> > 
> > @maintainer(s), please clean the vulnerable ebuilds.
> 
> alpha is not exp

ugh, no one said it was, but I see my oversight now.

If you could, please mask 3.2.6 on all arches except alpha.  You could then remove the older versions that are vulnerable.
Comment 16 Teika kazura 2019-05-23 22:52:43 UTC
(In reply to Aaron Bauman from comment #15)

> If you could, please mask 3.2.6 on all arches except alpha.  You could then
> remove the older versions that are vulnerable.

+1. PLEASE, mask & remove older versions.

Thanks a lot, Gentoo developers.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2020-03-20 05:15:10 UTC
3.3.6 and 3.4.1 not in tree. 

Thank you all for your work.
Closing as [noglsa].