Bug 660924 (CVE-2018-10001, CVE-2018-6912, CVE-2018-7557, CVE-2018-7751)

Summary:

<media-video/ffmpeg-3.4.5: Multiple vulnerabilities

Product:

Gentoo Security

Reporter:

GLSAMaker/CVETool Bot <glsamaker>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

minor

CC:

flopwiki, media-video, nobrowser

Priority:

Normal

Flags:

stable-bot: sanity-check+

Version:

unspecified

Hardware:

All

OS:

Linux

Whiteboard:

B3 [glsa+ cve]

Package list:

media-video/ffmpeg-3.4.5 media-plugins/frei0r-plugins-1.6.1 arm

Runtime testing required:

---

Attachments:

Description	Flags
tatt useflags & rdeps testing (ppc64)	none
tatt useflags & rdeps testing (ppc)	none

Description GLSAMaker/CVETool Bot gentoo-dev

2018-07-11 16:41:42 UTC

CVE-2018-9841 (https://nvd.nist.gov/vuln/detail/CVE-2018-9841):
  The export function in libavfilter/vf_signature.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (out-of-array access)
  or possibly have unspecified other impact via a long filename.

CVE-2018-7751 (https://nvd.nist.gov/vuln/detail/CVE-2018-7751):
  The svg_probe function in libavformat/img2dec.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (Infinite Loop) via a
  crafted XML file.

CVE-2018-7557 (https://nvd.nist.gov/vuln/detail/CVE-2018-7557):
  The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (Out of array read) via
  an AVI file with crafted dimensions within chroma subsampling data.

CVE-2018-6912 (https://nvd.nist.gov/vuln/detail/CVE-2018-6912):
  The decode_plane function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (out of array read) via
  a crafted AVI file.

CVE-2018-10001 (https://nvd.nist.gov/vuln/detail/CVE-2018-10001):
  The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (out of array read) via
  an AVI file.


@Maintainers, ebuilds already in three, please call for stabilization when ready.

Comment 1 Haelwenn (lanodan) Monnier 2018-07-19 17:46:25 UTC

Not sure if this is the right place to put it, but here are more vulnerabilities in FFmpeg.

CVE-2018-14394 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14394 )
  libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted Waveform audio file.

CVE-2018-14395 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14395 )
  libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted audio file when converting to the MOV audio format.

Comment 2 Alexis Ballier gentoo-dev

2019-02-13 15:25:22 UTC

*** Bug 652752 has been marked as a duplicate of this bug. ***

Comment 3 Alexis Ballier gentoo-dev

2019-02-13 15:28:46 UTC

https://ffmpeg.org/security.html

current stable ffmpeg is 3.3.6; this is security-wise equivalent to 3.4.1

so, we are missing:

3.4.5

Fixes following vulnerabilities:

CVE-2018-15822, 44e878d08674a15906badfb921443a44ebf6257d / 6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10

3.4.4

Fixes following vulnerabilities:

CVE-2018-14395, 2b8d4f6f0186b3ed0b223f665d32c36ed887149e / fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582

3.4.3

Fixes following vulnerabilities:

CVE-2018-7557,  ae49cc73f265a155e5c4b1715570aab3d9741b4d / 7414d0bda7763f9bd69c26c068e482ab297c1c96
CVE-2018-7751,  3fa6e594a0f2575ddb6b2183961fde42ab5ab37b / a6cba062051f345e8ebfdff34aba071ed73d923f
CVE-2018-10001, 51035698bde9c13da7eedc1f6eb47d190bbc949d / 47b7c68ae54560e2308bdb6be4fb076c73b93081
CVE-2018-12458, bd1fd3ff4b0437153a6c4717f59ce31a7bba8ca0 / e1182fac1afba92a4975917823a5f644bee7e6e8
CVE-2018-13300, 3a04f518ac283194bb13d8aff7d9fa963d551547 / 95556e27e2c1d56d9e18f5db34d6f756f3011148
CVE-2018-13302, 36c779bffe2ceef48a0fa4d7a6691c6895faf9e2 / ed22dc22216f74c75ee7901f82649e1ff725ba50
CVE-2018-14394, 20ad61ffb7b0fc72d17b5c21035eb85a698ac64b / 3a2d21bc5f97aa0161db3ae731fc2732be6108b8

3.4.2

Fixes following vulnerabilities:

CVE-2018-6621, 342f1da13489de6650349fff2206a81442d6c668 / 118e1b0b3370dd1c0da442901b486689efd1654b
CVE-2018-6392, 2980b95fafb39148cfade120eab5c75b46bfffc6 / 3f621455d62e46745453568d915badd5b1e5bcd5

Comment 4 Alexis Ballier gentoo-dev

2019-02-13 15:40:56 UTC

(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2018-9841 (https://nvd.nist.gov/vuln/detail/CVE-2018-9841):
>   The export function in libavfilter/vf_signature.c in FFmpeg through 3.4.2
>   allows remote attackers to cause a denial of service (out-of-array access)
>   or possibly have unspecified other impact via a long filename.

Not reported in the upstream page.
Fix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/43916494f8cac6ed294309e70de346e309d51058

>=media-video/ffmpeg-3.4.3


> CVE-2018-7751 (https://nvd.nist.gov/vuln/detail/CVE-2018-7751):
>   The svg_probe function in libavformat/img2dec.c in FFmpeg through 3.4.2
>   allows remote attackers to cause a denial of service (Infinite Loop) via a
>   crafted XML file.


CVE-2018-7751,  3fa6e594a0f2575ddb6b2183961fde42ab5ab37b / a6cba062051f345e8ebfdff34aba071ed73d923f

>=media-video/ffmpeg-3.4.3


> CVE-2018-7557 (https://nvd.nist.gov/vuln/detail/CVE-2018-7557):
>   The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
>   allows remote attackers to cause a denial of service (Out of array read)
> via
>   an AVI file with crafted dimensions within chroma subsampling data.


CVE-2018-7557,  ae49cc73f265a155e5c4b1715570aab3d9741b4d / 7414d0bda7763f9bd69c26c068e482ab297c1c96

>=media-video/ffmpeg-3.4.3

> CVE-2018-6912 (https://nvd.nist.gov/vuln/detail/CVE-2018-6912):
>   The decode_plane function in libavcodec/utvideodec.c in FFmpeg through
> 3.4.2
>   allows remote attackers to cause a denial of service (out of array read)
> via
>   a crafted AVI file.

Not mentionned in the upstream sec page.
Upstream fix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/76cc0f0f673353cd4746cd3b83838ae335e5d9ed


Offending code was added there: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92b32664cdc064523c60ddba5ed139855e08470c

3.4.5 was released on 2018-11-01. It is the latest stable FFmpeg release from the 3.4 release branch, which was cut from master on 2017-10-11. 

4.0.3 was released on 2018-11-03. It is the latest stable FFmpeg release from the 4.0 release branch, which was cut from master on 2018-04-16. 

So this is only an issue for ffmpeg >= 4, which has never been stable



> CVE-2018-10001 (https://nvd.nist.gov/vuln/detail/CVE-2018-10001):
>   The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
>   allows remote attackers to cause a denial of service (out of array read)
> via
>   an AVI file.

CVE-2018-10001, 51035698bde9c13da7eedc1f6eb47d190bbc949d / 47b7c68ae54560e2308bdb6be4fb076c73b93081

>=media-video/ffmpeg-3.4.3

Comment 5 Alexis Ballier gentoo-dev

2019-02-13 15:42:08 UTC

(In reply to Haelwenn Monnier from comment #1)
> Not sure if this is the right place to put it, but here are more
> vulnerabilities in FFmpeg.

yes

> CVE-2018-14394 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14394 )
>   libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a
> denial of service (application crash caused by a divide-by-zero error) with
> a user crafted Waveform audio file.


CVE-2018-14394, 20ad61ffb7b0fc72d17b5c21035eb85a698ac64b / 3a2d21bc5f97aa0161db3ae731fc2732be6108b8

>=media-video/ffmpeg-3.4.3

> CVE-2018-14395 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14395 )
>   libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a
> denial of service (application crash caused by a divide-by-zero error) with
> a user crafted audio file when converting to the MOV audio format.

CVE-2018-14395, 2b8d4f6f0186b3ed0b223f665d32c36ed887149e / fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582

>=media-video/ffmpeg-3.4.3

Comment 6 Alexis Ballier gentoo-dev

2019-02-13 15:43:08 UTC

go for 3.4.5 that also fixes a few more CVEs

Comment 7 Alexis Ballier gentoo-dev

2019-02-13 15:43:41 UTC

(In reply to Alexis Ballier from comment #5)
> > CVE-2018-14395 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14395 )
> >   libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a
> > denial of service (application crash caused by a divide-by-zero error) with
> > a user crafted audio file when converting to the MOV audio format.
> 
> CVE-2018-14395, 2b8d4f6f0186b3ed0b223f665d32c36ed887149e /
> fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582
> 
> >=media-video/ffmpeg-3.4.3

This is >=media-video/ffmpeg-3.4.4

Comment 8 Stabilization helper bot gentoo-dev

2019-02-13 16:04:15 UTC

An automated check of this bug failed - repoman reported dependency errors (135 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.4.5.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins']
> dependency.bad media-video/ffmpeg/ffmpeg-3.4.5.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins']
> dependency.bad media-video/ffmpeg/ffmpeg-3.4.5.ebuild: DEPEND: arm(default/linux/arm/17.0) ['media-plugins/frei0r-plugins']

Comment 9 Stabilization helper bot gentoo-dev

2019-02-13 17:04:36 UTC

An automated check of this bug failed - repoman reported dependency errors (129 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']

Comment 10 Alexis Ballier gentoo-dev

2019-02-13 17:09:35 UTC

@arm team: you should decide what you want to do here -- package.use.stable.mask vs catching up other arches

Comment 11 Mart Raudsepp gentoo-dev

2019-02-14 10:06:28 UTC

arm64 doesn't have a stable ffmpeg..

Comment 12 Stabilization helper bot gentoo-dev

2019-02-14 11:04:46 UTC

An automated check of this bug failed - repoman reported dependency errors (129 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']

Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev

2019-02-15 15:47:37 UTC

x86 stable

Comment 14 Stabilization helper bot gentoo-dev

2019-02-15 16:05:09 UTC

An automated check of this bug failed - repoman reported dependency errors (129 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']

Comment 15 Mikle Kolyada (RETIRED) archtester

2019-02-15 18:36:10 UTC

amd64 stable

Comment 16 Stabilization helper bot gentoo-dev

2019-02-15 19:03:22 UTC

An automated check of this bug failed - repoman reported dependency errors (129 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']

Comment 17 ernsteiswuerfel archtester

2019-03-09 18:29:57 UTC

Created attachment 568336 [details]
tatt useflags & rdeps testing (ppc64)

Looking good on ppc64.

useflags failing: bug #678744
rdeps failing: media-libs/gegl (bug #639986), media-libs/mediastreamer (tests stall four hours)

Comment 18 Sergei Trofimovich (RETIRED) gentoo-dev

2019-03-13 22:24:34 UTC

ppc stable thanks to ernsteiswuerfel!

Comment 19 Stabilization helper bot gentoo-dev

2019-03-13 23:02:11 UTC

An automated check of this bug failed - repoman reported dependency errors (61 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.badindev media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0/armv4) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']

Comment 20 ernsteiswuerfel archtester

2019-03-14 22:39:28 UTC

Created attachment 569136 [details]
tatt useflags & rdeps testing (ppc)

Looking good on ppc.

useflags failing: bug #678744

Comment 21 Stabilization helper bot gentoo-dev

2019-03-16 20:02:25 UTC

An automated check of this bug failed - repoman reported dependency errors (61 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.badindev media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0/armv4) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']

Comment 22 Markus Meier gentoo-dev

2019-03-20 17:03:07 UTC

arm stable

Comment 23 Stabilization helper bot gentoo-dev

2019-03-20 18:00:49 UTC

An automated check of this bug succeeded - the previous repoman errors are now resolved.

Comment 24 Mikle Kolyada (RETIRED) archtester

2019-04-17 12:16:53 UTC

alpha stable

Comment 25 Agostino Sarubbo gentoo-dev

2019-06-04 18:59:24 UTC

ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 26 GLSAMaker/CVETool Bot gentoo-dev

2020-03-30 15:07:02 UTC

This issue was resolved and addressed in
 GLSA 202003-65 at https://security.gentoo.org/glsa/202003-65
by GLSA coordinator Thomas Deutschmann (whissi).