Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 115760 - media-video/mplayer,xmovie : flaw in included ffmpeg (CVE-2005-4048)
Summary: media-video/mplayer,xmovie : flaw in included ffmpeg (CVE-2005-4048)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
: 113160 (view as bug list)
Depends on:
Blocks: 115849
  Show dependency tree
Reported: 2005-12-16 04:56 UTC by Thierry Carrez (RETIRED)
Modified: 2006-03-04 10:09 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

patch proposed to upstream (ffmpeg-0.4.9_p20050906-pal8.patch,707 bytes, patch)
2005-12-16 05:31 UTC, Luca Barbato
no flags Details | Diff
upstream fix (ffmpeg-png-onepixel.patch,3.35 KB, patch)
2005-12-16 05:40 UTC, Luca Barbato
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2005-12-16 04:56:26 UTC
Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, 
which can be exploited by malicious people to cause a DoS (Denial 
of Service) and potentially to compromise a user's system.
The vulnerability is caused due to a boundary error in the 
"avcodec_default_get_buffer()" function of "utils.c" in libavcodec. 
This can be exploited to cause a heap-based buffer overflow when a 
specially-crafted 1x1 ".png" file containing a palette is read.
Xine-lib, xmovie, mplayer, gstreamer-ffmpeg might be built with a private copy
of ffmpeg containing this same code. We should doublecheck them.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-12-16 04:57:19 UTC
media-video herd, this one is for you :/
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-12-16 05:04:20 UTC
ouch, that's going to be a problem. 
Luca, ffmpeg is your stuff, what you suggest to do? 
xine-lib is going to hurt... a lot.. because of the usual keywording 
Comment 3 Luca Barbato gentoo-dev 2005-12-16 05:24:30 UTC
I guess that yet another snapshot is feasible even if ffmpeg is going to get a
release soon
Comment 4 Luca Barbato gentoo-dev 2005-12-16 05:31:52 UTC
Created attachment 74873 [details, diff]
patch proposed to upstream

Just adding some stuff to keep everything in one place
Comment 5 Hanno Böck gentoo-dev 2005-12-16 05:37:49 UTC
Add vlc, mythtv, probably some others, too. ffmpeg-code is widely used and most 
times bundled. 
Comment 6 Luca Barbato gentoo-dev 2005-12-16 05:40:56 UTC
Created attachment 74874 [details, diff]
upstream fix

That is the upstream fix.

A new ffmpeg snapshot will be on route soon, for xine I'd either force external
ffmpeg or bump to latest, considerations about killing xv on platform in which
it couldn't be tested, thus preventing the bump, are the usual.
Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-12-16 05:42:00 UTC
I'm actually not sure if xine-lib is vulnerable, as it does not use ffmpeg for  
png decoding but libpng instead.  
Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-12-16 05:43:44 UTC
vlc is safe, it uses external ffmpeg (as I'd like to do with xine-lib, too, 
but sigh it's difficult). 
Comment 9 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-12-16 06:02:08 UTC
Get back what I said about xine-lib, as the problems seems not to be only with  
png. The patch applies fine on xine-lib 1.1.1 sources, so my plan for it would 
xine-lib-1.1.1-r2 that's copied from 1.1.1-r0 (no ffmpeg useflag so no dep on  
external ffmpeg) to be marked stable on all arches but mips (the problem that  
prevented 1.1.0-r6 to go stable on x86 is fixed in 1.1.1 series)  
xine-lib-1.1.1-r3 that's copied from 1.1.1-r1 (ffmpeg useflag for external  
ffmpeg) to remain ~arch for the arches that have 1.1.1-r1 in ~, and that  
should be tested by the other arches 
the old 1.0.x and 1.1.0-rX series would go away, a part mips and ~mips 
versions that would remain until mips is sorted out (I'd propose to remove the 
keywords and make sure that the tree is not broken by that, after use.masking 
xine on mips, as they have no way to do a constant maintenance on it). 
Comment 10 Luca Barbato gentoo-dev 2005-12-16 07:35:33 UTC
New ffmpeg snapshot uploaded, will require some revdep-rebuild probably, please
test it.
Comment 11 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-12-16 12:22:31 UTC
newer ffmpeg snapshot broke badly on xine-lib, I've committed -r2 and -r3 for it, and masked ffmpeg for testing.
Comment 12 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-12-17 05:05:10 UTC
Okay, xine-lib ebuilds are in place, ffmpeg is now unmasked, as lu_zero fixed it, vlc as I said uses the external copy linked dynamically so it has nothing to be fixed into.
CCing gstreamer herd as media-video does not maintain gstreamer-ffmpeg and Cardoe for MythTV.
Comment 13 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-12-17 05:10:58 UTC
*** Bug 113160 has been marked as a duplicate of this bug. ***
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-12-17 05:31:43 UTC
Good work !

Splitting the bug into xine-lib+ffmpeg / the others so that we can already call for stable on the ready-ones...

Are our mplayer and xmovie vulnerable ?
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-12-17 05:36:58 UTC
See stable marking for ffmpeg and xine-lib on bug 115849.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-12-17 05:52:25 UTC
Putting back ffmpeg in this bug as it will probably need a backport so as not to break existing stable software requiring it (vlc?).
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-12-20 03:01:21 UTC
video herd: what's your position on the packages left (the ones under your herd, not the externally-maintained ones) ? Should we call for testing on ffmpeg ? What about the others (mplayer...) ?
Comment 18 Luca Barbato gentoo-dev 2005-12-20 06:35:18 UTC
I should apply the fix to mplayer since a newer release won't happen before the 25th

ffmpeg should be ok anyway
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-12-20 08:10:26 UTC
OK splitting the bug for ffmpeg testing.
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-12-20 08:18:47 UTC
See ffmpeg stable testing on bug 116181
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2005-12-23 02:44:13 UTC
Luca: let me know about progress on mplayer.
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2005-12-30 04:58:42 UTC
Any ETA for the mplayer snapshot ? I need to know if we should send the xine-lib GLSA now or wait a little.
Comment 23 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-02 13:16:06 UTC
any news here?
Comment 24 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-01-13 06:15:43 UTC
I've masked xmovie for now, until someone else is going to fix it.
I'm sorry but unless it's a threat on my life, I'd rather stay as far as possible from heroines packages.
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2006-01-18 06:21:14 UTC
Cardoe: only the masked 0.19_pre8554 contains the fix, should you :

1- unmask that version so that we call for stable testing on it
2- patch the current stable with the ffmpeg fix and call that the new stable candidate

Note: lu_zero still wanted for mplayer fix and someone from gstreamer for the last package. Come on, we're getting very late on this one.

Comment 26 Luca Barbato gentoo-dev 2006-01-18 07:51:59 UTC
mplayer has a snapshot ebuild with the fix available. I will update it soon, please start testing it.
Comment 27 Joe McCann (RETIRED) gentoo-dev 2006-01-18 12:48:29 UTC
Not sure if zaheerm has much free time, so I patched gst-plugins-ffmpeg. The patched ebuilds are 0.8.7-r1 and 0.10.0-r1
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2006-01-19 01:05:44 UTC
gst-plugins-ffmpeg stable marking splitted to bug 119512
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2006-02-09 10:54:40 UTC
lu_zero: What's the ETA for mplayer-1.0.20060102 unmasking ? If not possible, we need a backport to current stable.

cardoe: we need a decision on comment #25
Comment 30 Luca Barbato gentoo-dev 2006-02-12 08:07:27 UTC
Give me a week to update the snapshot and make arches mark it
Comment 31 Thierry Carrez (RETIRED) gentoo-dev 2006-02-12 09:45:32 UTC
Luca: sounds good. You may want to combine the fix for bug 122029 with this.
Comment 32 Doug Goldstein (RETIRED) gentoo-dev 2006-02-16 07:38:46 UTC
New MythTV is already in the tree and it's got this fixed in it.
Comment 33 Thierry Carrez (RETIRED) gentoo-dev 2006-02-16 11:17:11 UTC
mythtv stable marking handled on bug 123066
Comment 34 Luca Barbato gentoo-dev 2006-02-17 06:54:30 UTC
updated snapshot available, there are 2 new deps that could be tested and marked for alpha hppa and ia64: musepack and openal.

Please test it, I'll update/fix it if there are problems.
Comment 35 Thierry Carrez (RETIRED) gentoo-dev 2006-02-17 13:38:47 UTC
arches please test latest mplayer snapshot and report success/failure... and mark stable if stable
Comment 36 Gustavo Zacarias (RETIRED) gentoo-dev 2006-02-20 14:51:10 UTC
mplayer-1.0.20060217 sparc stable, seems to work at least as well as the previous stable (if not better).
However i've seen a kinky issue with the sound being b0rked playing some videos when using the old config - went away when nuking the old config dir.
Comment 37 Joshua Jackson (RETIRED) gentoo-dev 2006-02-22 00:06:52 UTC
Stable on x86 (X.X)
Comment 38 Herbie Hopkins (RETIRED) gentoo-dev 2006-02-22 04:15:29 UTC
Stable on amd64.
Comment 39 Markus Rothe (RETIRED) gentoo-dev 2006-02-22 04:43:02 UTC
stable on ppc64
Comment 40 Tobias Scherbaum (RETIRED) gentoo-dev 2006-02-22 11:37:49 UTC
ppc stable
Comment 41 Bryan Østergaard (RETIRED) gentoo-dev 2006-02-26 06:31:56 UTC
Stable on alpha.
Comment 42 René Nussbaumer (RETIRED) gentoo-dev 2006-03-03 09:49:03 UTC
Sorry guys for the delay. I did oversee this bug. hppa stable now.
Comment 43 Thierry Carrez (RETIRED) gentoo-dev 2006-03-03 10:11:11 UTC
Ready for GLSA
Comment 44 Thierry Carrez (RETIRED) gentoo-dev 2006-03-04 10:09:08 UTC
GLSA 200603-03