Bug 133520 - {media-video/ffmpeg|media-libs/xine-lib} multiple issues (CVE-200{5-4048|6-2802})
Summary: {media-video/ffmpeg|media-libs/xine-lib} multiple issues (CVE-200{5-4048|6-28...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://xinehq.de/index.php/news
Whiteboard: A2 [glsa] jaervosz
Keywords:
Duplicates: 150265
Depends on:
Blocks:
 
Reported: 2006-05-16 12:09 UTC by Sune Kloppenborg Jeppesen
Modified: 2007-05-31 10:55 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
ffmpeg1.diff (patch, 6.68 KB) - 2006-05-16 12:10 UTC, Sune Kloppenborg Jeppesen
ffmpeg2.diff (patch, 2.09 KB) - 2006-05-16 12:11 UTC, Sune Kloppenborg Jeppesen
ffmpeg3.diff (patch, 1.38 KB) - 2006-05-16 12:11 UTC, Sune Kloppenborg Jeppesen
ffmpeg4.diff (patch, 6.08 KB) - 2006-05-16 12:11 UTC, Sune Kloppenborg Jeppesen

Description Sune Kloppenborg Jeppesen gentoo-dev 2006-05-16 12:09:50 UTC
Moritz Muehlenhoff from Debian found several patches in upstream CVS to fix buffer overflows.

Filing as auditing as I'm not sure whether they are actually exploitable.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-16 12:10:20 UTC
Created attachment 86870 [details, diff]
ffmpeg1.diff
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-16 12:11:08 UTC
Created attachment 86871 [details, diff]
ffmpeg2.diff
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-16 12:11:21 UTC
Created attachment 86872 [details, diff]
ffmpeg3.diff
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-16 12:11:36 UTC
Created attachment 86873 [details, diff]
ffmpeg4.diff
Comment 5 Tavis Ormandy (RETIRED) gentoo-dev 2006-05-16 12:50:54 UTC
one or two look harmless, but the others look exploitable, reassigning to vulnerabilities.
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-16 13:35:16 UTC
Luca please patch as necessary. Since this is only semi-public, please only mention the bug number in the Changelog.
Comment 7 Luca Barbato gentoo-dev 2006-05-16 14:26:12 UTC
I'm looking at them right now
Comment 8 Luca Barbato gentoo-dev 2006-05-16 15:18:40 UTC
A new snapshot will be provided soon
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-16 20:52:28 UTC
Thx Luca,

Setting to upstream while waiting for the new snapshot.
Comment 10 Luca Barbato gentoo-dev 2006-05-17 03:05:07 UTC
quick snapshot available, requires full testing, the maketest _should_ fail on ffserver but MUST work on codecs.

Comment 11 solar (RETIRED) gentoo-dev 2006-05-18 16:53:45 UTC
Several other packages repackage ffmpeg code also. Might need to get our mmedia guys to take a closer look at the pkgs they maintain.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-18 23:04:24 UTC
CC'ing Diego for advice as well.

Comment 13 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-05-19 02:42:33 UTC
vlc uses external ffmpeg, but xdtv uses it internal (they won't provide me a way to use it external :|); xine might use both, and if I'm just tired, I can disable the external ffmpeg and be done with it at this point. Especially since the few issues of conflicts between ffmpeg and xine are now fixed in -r6 (with GCC 3.4 and later).
Comment 14 solar (RETIRED) gentoo-dev 2006-05-20 21:50:42 UTC
Orig posting by Moritz Muehlenhoff.

Hi,
a quick heads-up; in the ffmpeg CVS logs I found changes mentioning several
potential buffer overflows. I haven't had the time to investigate exploitability
in detail yet, though.

This might even affect you if you don't ship ffmpeg in one of your products,
as parts of ffmpeg (libavcodec and libavformat) are embedded in other multimedia
applications (at least xine-lib and mplayer do).

Cheers,
        Moritz
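The heads-up above is a software-supply-chain point: a GLSA that bumps media-video/ffmpeg only fixes binaries that dynamically link the system libavcodec/libavformat, while packages that carry their own copy (the bug names xine-lib, mplayer and xdtv) need a rebuild of their own. The scanner below is an added example, written for this page and not code from the bug, from Gentoo or from FFmpeg. It relies on two things: FFmpeg stamps its libraries with the LIBAVCODEC_IDENT / LIBAVFORMAT_IDENT strings ("Lavc<major>.<minor>.<micro>", "Lavf..."), and a dynamically linked ELF binary carries the soname of each NEEDED library as a literal string. The sample byte blobs, the version numbers in them and the file-name heuristic for the system library itself are constructed for the demonstration and are not data from the bug.

```python
"""Added example: classify binaries as linking the system libavcodec/libavformat
("external", fixed by the ffmpeg GLSA) or carrying an embedded copy ("bundled",
needs its own rebuild). Not part of the Gentoo bug, Gentoo or FFmpeg."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Assumption: FFmpeg's LIBAVCODEC_IDENT / LIBAVFORMAT_IDENT look like
# "Lavc51.11.0" / "Lavf50.5.0". Verify against the avcodec.h/avformat.h of the
# version you are hunting for.
IDENT_RE = re.compile(rb"Lav([cf])(\d+)\.(\d+)\.(\d+)")
# A dynamically linked binary names its dependencies by soname in the ELF
# dynamic section, so the soname survives as a plain string even after strip.
NEEDED_RE = re.compile(rb"libav(codec|format)\.so(?:\.\d+)*")


@dataclass
class Finding:
    path: str
    embedded: dict = field(default_factory=dict)  # {"Lavc": (51, 11, 0), ...}
    external: set = field(default_factory=set)    # {"libavcodec", ...}

    @property
    def verdict(self) -> str:
        base = os.path.basename(self.path)
        # Heuristic (assumption): the system library itself is named libav*.
        if base.startswith(("libavcodec", "libavformat")) and self.embedded:
            return "ffmpeg-lib"   # the shared library shipped by media-video/ffmpeg
        if self.embedded:
            return "bundled"      # a private copy compiled into this file
        if self.external:
            return "external"     # uses the system copy; fixed by the GLSA
        return "none"


def classify(data: bytes, path: str = "<memory>") -> Finding:
    """Scan one file's bytes for ident strings and NEEDED sonames."""
    f = Finding(path)
    for m in IDENT_RE.finditer(data):
        key = "Lav" + m.group(1).decode()
        ver = tuple(int(x) for x in m.groups()[1:])
        f.embedded[key] = max(f.embedded.get(key, ver), ver)  # keep newest stamp
    for m in NEEDED_RE.finditer(data):
        f.external.add("libav" + m.group(1).decode())
    return f


def older_than(found: tuple, minimum: tuple) -> bool:
    """True if an embedded copy is below the version of the fixed system library
    (read that version with: strings libavcodec.so | grep '^Lavc')."""
    return found < minimum


def scan_tree(root: str, max_size: int = 64 << 20) -> list:
    """Walk a tree and return every file that references or embeds ffmpeg."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p) or os.path.getsize(p) > max_size:
                continue
            try:
                with open(p, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            finding = classify(data, p)
            if finding.verdict != "none":
                out.append(finding)
    return out


# Constructed stand-ins for binaries (not real ELF files, not real versions).
ELF = b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
SAMPLES = {
    "usr/bin/xdtv": ELF + b"Lavc51.11.0\x00Lavf50.5.0\x00libc.so.6\x00",
    "usr/bin/vlc": ELF + b"libavcodec.so.51\x00libavformat.so.50\x00libc.so.6\x00",
    "usr/lib/libavcodec.so.51": ELF + b"libavcodec.so.51\x00Lavc51.11.0\x00",
    "usr/bin/ls": ELF + b"libc.so.6\x00",
}


def demo() -> dict:
    """Write the constructed samples to a temp tree, scan it, return {relpath: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        for rel, blob in SAMPLES.items():
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as fh:
                fh.write(blob)
        return {os.path.relpath(f.path, root): f.verdict for f in scan_tree(root)}


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:<10} {rel}")
```

Run it as is to see the three classifications on the constructed tree, or call `scan_tree("/usr")` on a real box and feed each `embedded["Lavc"]` tuple to `older_than` with the version stamped in the fixed system libavcodec. A negative result is not proof of absence: a copy that was built without ever referencing the ident macros (or with the strings renamed) will not be matched, so the scan complements, rather than replaces, checking each ebuild for a bundled libavcodec directory.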
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2006-05-30 11:11:34 UTC
Luca : can we call for stabilization of this last snapshot ?
Comment 16 Luca Barbato gentoo-dev 2006-05-30 12:17:48 UTC
I'd like every arch to test it, probably I'll resnapshot it to push more fixes in (some security related), still there won't be as many changes as those between the current stable and this candidate.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2006-05-30 13:27:23 UTC
Pulling in security arch contacts for pretesting of the 0.4.9_p20060517 snapshot
Comment 18 Markus Rothe (RETIRED) gentoo-dev 2006-05-30 13:36:05 UTC
0.4.9_p20060517 looks good on ppc64. 

The ebuild is masked by -*. Should we add ~arch to the ebuild or just bump it to stable when this gets public?
Comment 19 Luca Barbato gentoo-dev 2006-05-30 16:02:54 UTC
I added a new snapshot in portage, please test and make it stable if nothing is wrong.
Comment 20 Markus Rothe (RETIRED) gentoo-dev 2006-05-31 02:55:19 UTC
 * Cannot find $EPATCH_SOURCE!  Value for $EPATCH_SOURCE is:
 *
 *   /usr/portage/media-video/ffmpeg/files/ffmpeg-0.4.9_p20060530-amr-64bit.patch
 *   ( ffmpeg-0.4.9_p20060530-amr-64bit.patch )


ffmpeg-0.4.9_p20060302-amr-64bit.patch applies cleanly.
Comment 21 Luca Barbato gentoo-dev 2006-05-31 03:08:58 UTC
Oops, added back.
Comment 22 Gustavo Zacarias (RETIRED) gentoo-dev 2006-05-31 07:20:06 UTC
Gave it a ~sparc, seems to work fine.
Comment 23 René Nussbaumer (RETIRED) gentoo-dev 2006-06-01 06:34:41 UTC
Seems to work on hppa
Comment 24 Thomas Cort (RETIRED) gentoo-dev 2006-06-01 13:59:42 UTC
looks good on amd64.
Comment 26 Mark Loeser (RETIRED) gentoo-dev 2006-06-01 20:07:29 UTC
Dies on ~x86.  Stable seems alright, but this one will have to be fixed as well before I keyword it.  I'll try to figure it out, but I'm not terribly good with x86 asm :)

i686-pc-linux-gnu-gcc -Wall -Wno-switch -O2 -march=pentium4m -pipe -ggdb -fomit-frame-pointer -fomit-frame-pointer -DHAVE_AV_CONFIG_H -I.. -I/var/tmp/portage/ffmpeg-0.4.9_p20060530/work/ffmpeg-0.4.9-p20060530-shared/libavutil -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_GNU_SOURCE  -fPIC -DPIC -c -o i386/snowdsp_mmx.o i386/snowdsp_mmx.c
i386/snowdsp_mmx.c: In function ff_snow_vertical_compose97i_sse2:
i386/snowdsp_mmx.c:461: error: PIC register %ebx clobbered in asm
i386/snowdsp_mmx.c: In function ff_snow_vertical_compose97i_mmx:
i386/snowdsp_mmx.c:568: error: PIC register %ebx clobbered in asm
i386/snowdsp_mmx.c: In function inner_add_yblock_bw_8_obmc_16_mmx:
i386/snowdsp_mmx.c:869: error: PIC register %ebx clobbered in asm
make[1]: *** [i386/snowdsp_mmx.o] Error 1
make[1]: Leaving directory `/var/tmp/portage/ffmpeg-0.4.9_p20060530/work/ffmpeg-0.4.9-p20060530-shared/libavcodec'
make: *** [lib] Error 2

!!! ERROR: media-video/ffmpeg-0.4.9_p20060530 failed.
Comment 27 Luca Barbato gentoo-dev 2006-06-02 03:27:43 UTC
Try with -O3; if it is working I'll add another check about it...
Comment 28 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-02 14:01:43 UTC
Already ~ppc'ed and also "worksforme"
Comment 29 Mark Loeser (RETIRED) gentoo-dev 2006-06-02 17:42:24 UTC
(In reply to comment #26)
> Try with -O3; if it is working I'll add another check about it...
> 

-O3 does not help.  I get the same error.  Also seems kind of hackish to depend on an optimization flag to make the inline asm work.
Comment 30 Markus Rothe (RETIRED) gentoo-dev 2006-06-06 00:15:04 UTC
I do have a serious problem with version 0.4.9_p20060530 on PPC64.

I'm getting an internal error:


/usr/lib/gcc/powerpc64-unknown-linux-gnu/3.4.6/../../../../powerpc64-unknown-linux-gnu/bin/ld: BFD 2.16.1 internal error, aborting at /var/tmp/portage/binutils-2.16.1-r2/work/binutils-2.16.1/bfd/elflink.c line 6536 in elf_link_output_extsym
/usr/lib/gcc/powerpc64-unknown-linux-gnu/3.4.6/../../../../powerpc64-unknown-linux-gnu/bin/ld: Please report this bug.


This is already fixed in binutils versions 2.16.9x.

I just don't know how to handle this. Any advice?
Comment 31 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-30 09:02:49 UTC
Luca can you help on comment #29?
Comment 32 Luca Barbato gentoo-dev 2006-06-30 10:02:52 UTC
I cannot tell since I don't have access to ppc64, nor do I have a crossenv ready; I'd update binutils if the issue is there.
Comment 33 Thierry Carrez (RETIRED) gentoo-dev 2006-08-12 05:34:06 UTC
This still misses successful checks from alpha, x86 and ppc64.
Comment 34 Luca Barbato gentoo-dev 2006-08-12 06:14:09 UTC
I marked it ~ppc64 since I eventually managed to test it (and seems working fine)
Comment 35 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-24 11:14:54 UTC
Any news from alpha, x86 and ppc64?
Comment 36 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-03 06:54:43 UTC
Any news from alpha, x86 and ppc64?
Comment 37 Markus Rothe (RETIRED) gentoo-dev 2006-09-03 08:06:18 UTC
sorry, I missed the last 'ping' ...

I don't know what exactly changed, but using binutils-2.16.1-r3 just works. So PPC64 is ready to go!
Comment 38 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-05 05:59:33 UTC
tsunam, kloeri any news on this one?
Comment 39 Joshua Jackson (RETIRED) gentoo-dev 2006-09-05 11:03:47 UTC
530 emerges fine on x86; and is okie to go with me.
Comment 40 Bryan Østergaard (RETIRED) gentoo-dev 2006-09-05 12:13:39 UTC
530 is fine on Alpha. Sorry about the delay.
Comment 41 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-05 12:28:03 UTC
This one is ready for GLSA.

Luca is there anything public about this upstream?
Comment 42 Luca Barbato gentoo-dev 2006-09-05 14:04:43 UTC
I think most of the applications using it updated their internal copy and made a note about it long ago.
Comment 43 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-05 21:13:53 UTC
Luca, do you have an URL or another pointer for an upstream statement?
Comment 44 Luca Barbato gentoo-dev 2006-09-06 04:18:52 UTC
http://www.mplayerhq.hu/design7/
http://xinehq.de/index.php/news

To name two.
Comment 45 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-09-06 04:31:57 UTC
By the way, xine in Gentoo uses external FFmpeg.
Comment 46 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-06 04:38:11 UTC
Thx Luca, that was too obvious :-) Opening bug.

Do we have all three issues fixed with these patches? (CVE-2005-4048, CVE-2006-2802 and "fix for a possible buffer overflow via bad indexes in specially-crafted AVI files")

And does this release fix any issues that were not covered by previous GLSAs?
Comment 47 Luca Barbato gentoo-dev 2006-09-06 04:48:50 UTC
we aren't using patches but rely on fresh snapshot with quite a number of fixes
Comment 48 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-06 05:15:49 UTC
Thx Luca, the bug was already too long and I must have forgotten my head today.
Comment 49 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-09-07 05:11:33 UTC
Please correct me if I'm wrong:


- xine-lib was not affected by CVE-2005-4048 since it had been patched (1.1.1-r3) in GLSA-200601-06. Upstream corrected it in 1.1.2.

- xine-lib was affected by CVE-2006-2802 (http issue) and it is now corrected. (upstream 1.1.2)

- xine-lib was affected by "a fix for a possible buffer overflow via bad indexes in specially-crafted AVI files." , corrected in upstream 1.1.2

- ffmpeg was affected by possible buffer overflows (according to the 4 patches attached to this bug). Is there any official announcement ? Is it related to the xine issues ?

This requires two different GLSAs, doesn't it ?
Comment 50 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-09-07 05:22:24 UTC
Actually ffmpeg-0.4.9_p20060530 has not been stabilized anywhere. So I guess this bug should not be in [glsa] status. Reverting to [stable]. Again, correct me if I'm wrong.

All the main arches have already tested it so there should be no problem.

Arch testers, can you mark 20060530 as stable if it is still OK please?
Comment 51 Markus Rothe (RETIRED) gentoo-dev 2006-09-07 06:23:59 UTC
media-libs/xvid-1.1.0-r1 (dependency) and media-video/ffmpeg-0.4.9_p20060530 stable on ppc64.
Comment 52 Gustavo Zacarias (RETIRED) gentoo-dev 2006-09-07 06:56:09 UTC
So we go arch by arch then, sparc stable.
Comment 53 Thomas Cort (RETIRED) gentoo-dev 2006-09-07 07:52:56 UTC
amd64 stable.
Comment 54 Joshua Jackson (RETIRED) gentoo-dev 2006-09-07 10:16:53 UTC
x86 stable.
Comment 55 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-07 23:22:43 UTC
ppc stable
Comment 56 Thomas Cort (RETIRED) gentoo-dev 2006-09-08 13:07:49 UTC
alpha stable.
Comment 57 René Nussbaumer (RETIRED) gentoo-dev 2006-09-08 13:26:03 UTC
stable on hppa
Comment 58 Raúl Porcel (RETIRED) gentoo-dev 2006-09-12 07:40:18 UTC
Close bug? :)
Comment 59 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-09-12 08:12:46 UTC
We'll close the bug as soon as the GLSA is sent :)
Comment 60 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-12 08:39:28 UTC
Handling possible bundled ffmpeg code in media-tv/xdtv on bug #147335
Comment 61 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-13 20:58:47 UTC
GLSA 200609-08 and GLSA 200609-09
Comment 62 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-10-06 06:42:17 UTC
*** Bug 150265 has been marked as a duplicate of this bug. ***
Comment 63 Lóránt Farkas 2006-11-13 14:13:07 UTC
Please modify the
RDEPEND x264? (=media-libs/x264-svn-20060612)
to 
RDEPEND x264? (>=media-libs/x264-svn-20060612)