Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 231831 (CVE-2008-3162) - media-video/ffmpeg <0.4.9_p20070616-r3 libavformat/psxstr.c Stack-based buffer overflow in str_read_packet() (CVE-2008-3162)
Summary: media-video/ffmpeg <0.4.9_p20070616-r3 libavformat/psxstr.c Stack-based buffe...
Status: RESOLVED FIXED
Alias: CVE-2008-3162
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks: 231834 231836
  Show dependency tree
 
Reported: 2008-07-15 02:58 UTC by Robert Buchholz (RETIRED)
Modified: 2009-03-20 08:30 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
ffmpeg-0.4.9_p20070616-CVE-2008-3162.patch (ffmpeg-0.4.9_p20070616-CVE-2008-3162.patch,2.87 KB, patch)
2008-07-15 03:31 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-07-15 02:58:11 UTC
CVE-2008-3162 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3162):
  Stack-based buffer overflow in the str_read_packet function in
  libavformat/psxstr.c in FFmpeg before r13993 allows remote attackers to cause
  a denial of service (application crash) or execute arbitrary code via a
  crafted STR file that interleaves audio and video sectors.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-15 03:31:40 UTC
Created attachment 160414 [details, diff]
ffmpeg-0.4.9_p20070616-CVE-2008-3162.patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-07-15 04:12:22 UTC
Still to check, haven't gotten these compiled yet:

./blender-2.42a.tar.gz.1154010523.INDEX:File-00815-name: blender-2.42a/extern/ffmpeg/libavformat/psxstr.c
./blender-2.43.tar.gz.1171586190.INDEX:File-00750-name: blender-2.43/extern/ffmpeg/libavformat/psxstr.c
./blender-2.45.tar.gz.1190381171.INDEX:File-02781-name: blender-2.45/extern/ffmpeg/libavformat/psxstr.c



./gephex-0.4.3b.tar.bz2.1118080542.INDEX:File-00619-name: gephex-0.4.3/contrib/ffmpeg/libavformat/psxstr.c

./xdtv-2.4.0.tar.gz.1172098008.INDEX:File-00728-name: xdtv-2.4.0/libavformat/psxstr.c
Comment 3 Alexis Ballier gentoo-dev 2008-07-15 08:53:51 UTC
This is gonna be a pain: we haven't completely migrated stable to swscaler, thus cannot stabilise a new version that easily. The main blocker was vlc, 0.9 is going better but not stable material yet imho.

Moreover, some ebuilds do has_version checks to decide if ffmepg has swscaler or not, so bumping to a -r3 will break those checks :/
Comment 4 Alexis Ballier gentoo-dev 2008-07-15 08:54:49 UTC
(In reply to comment #2)

> ./xdtv-2.4.0.tar.gz.1172098008.INDEX:File-00728-name:
> xdtv-2.4.0/libavformat/psxstr.c


Our ebuild uses external ffmpeg.
Comment 5 Alexis Ballier gentoo-dev 2008-07-15 12:15:35 UTC
Another pita: anything that depends on >=media-video/ffmpeg-0.4.9_p20070616-r1 means they need swscaler, so their deps will have to be adjusted if we choose to do a -r3 wihtout swscaler. If we choose to use swscaler, which will mean pushing way too much ~arch packages in stable, we have to keep it mind that it breaks ABI without a soname bump...

Another option is to use Diego's patch:
http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/2008-June/048109.html
http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/2008-June/048778.html

with all the complications that may arise...
Comment 6 Ben de Groot (RETIRED) gentoo-dev 2008-07-15 13:24:58 UTC
As I suggested in https://bugs.gentoo.org/show_bug.cgi?id=231814#c5 I think we should introduce a swscaler useflag (I'm actually using that already in my ffmpeg svn ebuild in berkano overlay).
Comment 7 Alexis Ballier gentoo-dev 2008-07-15 17:28:03 UTC
(In reply to comment #6)
> As I suggested in https://bugs.gentoo.org/show_bug.cgi?id=231814#c5 I think we
> should introduce a swscaler useflag (I'm actually using that already in my
> ffmpeg svn ebuild in berkano overlay).

As I told you on the other bug, switching swscaler on and off breaks abi without bumping the .so number. You do what you want in your overlay but such breakage is clearly a no go for the tree.


I was thinking about adding a -r3 and bumping the deps of packages needing swscaler to 20080326 (or copy -r2 to r4 and adjust the deps like that). Some packages may not work with 20080326, but as they're in ~arch they must have a fixed version against this ffmpeg version, so these versions can be punted.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-07-15 22:36:14 UTC
For feature additions in an -r version, you might want to consider increasing the revision number even more (like -r10 or -r20). Then you can easily revbump the stable, and test the new feature in ~arch without this conflict. If you go through the hassle of this mass-edit, you should consider this.
Comment 9 Alexis Ballier gentoo-dev 2008-07-17 08:13:36 UTC
ok, -r3 is -r0 with the patch; all the reverse deps should be fixed now. (note that vlc 0.8.6i has to go stable on amd64 first).
-r20 is -r2 with the patch.

I suppose that at the time swscaler was introduced in the tree nobody expected it to break like that, therefore we haven't been very careful and now have to pay for the consequences :/ The way to go is to migrate everything in stable to swscaler asap... but I was already telling that one year ago...
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 18:41:28 UTC
Arches, please test and mark stable:
=media-video/ffmpeg-0.4.9_p20070616-r3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2008-10-04 19:37:35 UTC
ppc64 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2008-10-06 07:33:33 UTC
Stable for HPPA.
Comment 13 Friedrich Oslage (RETIRED) gentoo-dev 2008-10-06 18:52:18 UTC
sparc stable
Comment 14 Markus Meier gentoo-dev 2008-10-06 20:15:05 UTC
amd64/x86 stable
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-11 17:17:51 UTC
ppc stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2008-10-30 10:51:11 UTC
alpha/arm/ia64 stable
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-31 21:31:15 UTC
GLSA request filed.
Comment 18 Samuli Suominen gentoo-dev 2008-12-12 16:25:14 UTC
for the record, I removed the USE ffmpeg from media-video/gephex because it was causing compilation failures anyway.. silly bundled ffmpeg.. so it's not a prob
for security anymore.
Comment 19 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-20 08:30:52 UTC
GLSA 200903-33