Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 473302 (CVE-2013-3670) - <media-video/ffmpeg-1.0.7: Multiple Vulnerabilities (CVE-2013-{3670,3671,3672,3673,3674,3675})
Summary: <media-video/ffmpeg-1.0.7: Multiple Vulnerabilities (CVE-2013-{3670,3671,3672...
Status: RESOLVED FIXED
Alias: CVE-2013-3670
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/53825/
Whiteboard: B2 [glsa]
Keywords:
Depends on: 464530
Blocks: 473790
  Show dependency tree
 
Reported: 2013-06-14 19:46 UTC by Agostino Sarubbo
Modified: 2013-10-25 19:12 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-06-14 19:46:21 UTC
From ${URL} :

Description
Multiple vulnerabilities have been reported in FFmpeg, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially 
compromise an application using the library.

1) An error within the "format_line()" function (libavutil/log.c) can be exploited to dereference a certain pointer.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

2) An error within the "rle_unpack()" function (libavcodec/vmdav.c) can be exploited to cause an out of bounds memory access.

3) An error within the "mm_decode_inter()" function (libavcodec/mmvideo.c) can be exploited to cause an out of bounds memory access.

4) An integer overflow error within the "process_frame_obj()" function (libavcodec/sanm.c) can be exploited to cause an out of bounds memory access.

5) An error within the "cdg_decode_frame()" function (libavcodec/cdgraphics.c) can be exploited to cause an out of bounds memory access.

6) An error within the "gif_decode_frame()" function (libavcodec/gifdec.c) can be exploited to cause an out of bounds memory access.

The vulnerabilities are reported in versions prior to 1.2.1.


Solution
Update to version 1.2.1.

Provided and/or discovered by
The vendor credits Mateusz "j00ru" Jurczyk and Gynvael Coldwind.

Original Advisory
http://ffmpeg.org/security.html


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Alexis Ballier gentoo-dev 2013-06-14 20:35:10 UTC
(In reply to Agostino Sarubbo from comment #0)
> From ${URL} :
> 
> Description
> Multiple vulnerabilities have been reported in FFmpeg, which can be
> exploited by malicious people to cause a DoS (Denial of Service) and
> potentially 
> compromise an application using the library.
> 
> 1) An error within the "format_line()" function (libavutil/log.c) can be
> exploited to dereference a certain pointer.

http://git.videolan.org/?p=ffmpeg.git;a=commit;h=52fa7a860318aa871624c7938801492983c24456

> 2) An error within the "rle_unpack()" function (libavcodec/vmdav.c) can be
> exploited to cause an out of bounds memory access.

http://git.videolan.org/?p=ffmpeg.git;a=commit;h=d814b9b51ddd3764e809c1d0f82b770e0bc085fd

> 3) An error within the "mm_decode_inter()" function (libavcodec/mmvideo.c)
> can be exploited to cause an out of bounds memory access.

http://git.videolan.org/?p=ffmpeg.git;a=commit;h=cd24fdad470724651f6d5506ef94da92106ac6d3

> 4) An integer overflow error within the "process_frame_obj()" function
> (libavcodec/sanm.c) can be exploited to cause an out of bounds memory access.

http://git.videolan.org/?p=ffmpeg.git;a=commit;h=813b3d11e0286b1d656633cd5717f3f43db5d1ac

> 5) An error within the "cdg_decode_frame()" function
> (libavcodec/cdgraphics.c) can be exploited to cause an out of bounds memory
> access.

http://git.videolan.org/?p=ffmpeg.git;a=commit;h=2c66058737e254756118b7f7be0be7d3bfbb4fe3

> 6) An error within the "gif_decode_frame()" function (libavcodec/gifdec.c)
> can be exploited to cause an out of bounds memory access.

I think this one applies only to 1.2, maybe 1.1.* too.

> The vulnerabilities are reported in versions prior to 1.2.1.
> 
> 
> Solution
> Update to version 1.2.1.

BS :) All the above commit links are in 1.0.7

> @maintainer(s): after the bump, in case we need to stabilize the package,
> please say explicitly if it is ready for the stabilization or not.

it is ready, modulo the blockers of bug #464530
Comment 2 Alexis Ballier gentoo-dev 2013-06-27 19:15:47 UTC
ok, lets go: target is media-video/ffmpeg-1.0.7

please make sure you have stabilized all the blockers of bug #464530 if it applies to you otherwise you'd make your stable users to see build failures.
Comment 3 Alexis Ballier gentoo-dev 2013-06-27 20:12:25 UTC
(In reply to Alexis Ballier from comment #2)

extra libs that might be needed:

media-libs/libbluray-0.3.0-r1
media-libs/fdk-aac-0.1.1
media-sound/twolame-0.3.12
app-accessibility/flite-1.3 (hppa should be fine with 1.2)
media-libs/libiec61883-1.2.0
sys-libs/libraw1394-2.0.8
sys-libs/libavc1394-0.5.4
media-libs/libcaca-0.99_beta17
media-libs/opus-1.0.1
Comment 4 Agostino Sarubbo gentoo-dev 2013-06-29 09:24:10 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-06-29 09:25:13 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-06-29 10:15:23 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-06-29 10:28:47 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-06-29 15:37:53 UTC
arm stable
Comment 9 Frank Krömmelbein 2013-06-29 18:36:15 UTC
I would suggest to stablize app-accessibility/flite-1.4-r2, ffmpeg builds with this Version installed on my machine.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-01 16:22:59 UTC
Stable for HPPA.
Comment 11 Agostino Sarubbo gentoo-dev 2013-07-14 10:42:14 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-07-21 15:58:42 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-08-08 09:45:31 UTC
sparc stable
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 01:27:28 UTC
CVE-2013-3675 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3675):
  The process_frame_obj function in sanm.c in libavcodec in FFmpeg before
  1.2.1 does not validate width and height values, which allows remote
  attackers to cause a denial of service (integer overflow, out-of-bounds
  array access, and application crash) via crafted LucasArts Smush video data.

CVE-2013-3674 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3674):
  The cdg_decode_frame function in cdgraphics.c in libavcodec in FFmpeg before
  1.2.1 does not validate the presence of non-header data in a buffer, which
  allows remote attackers to cause a denial of service (out-of-bounds array
  access and application crash) via crafted CD Graphics Video data.

CVE-2013-3673 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3673):
  The gif_decode_frame function in gifdec.c in libavcodec in FFmpeg before
  1.2.1 does not properly manage the disposal methods of frames, which allows
  remote attackers to cause a denial of service (out-of-bounds array access
  and application crash) via crafted GIF data.

CVE-2013-3672 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3672):
  The mm_decode_inter function in mmvideo.c in libavcodec in FFmpeg before
  1.2.1 does not validate the relationship between a horizontal coordinate and
  a width value, which allows remote attackers to cause a denial of service
  (out-of-bounds array access and application crash) via crafted American
  Laser Games (ALG) MM Video data.

CVE-2013-3671 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3671):
  The format_line function in log.c in libavutil in FFmpeg before 1.2.1 uses
  inapplicable offset data during a certain category calculation, which allows
  remote attackers to cause a denial of service (invalid pointer dereference
  and application crash) via crafted data that triggers a log message.

CVE-2013-3670 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3670):
  The rle_unpack function in vmdav.c in libavcodec in FFmpeg git 20130328
  through 20130501 does not properly use the bytestream2 API, which allows
  remote attackers to cause a denial of service (out-of-bounds array access
  and application crash) via crafted RLE data.  NOTE: the vendor has listed
  this as an issue fixed in 1.2.1, but the issue is actually in new code that
  was not shipped with the 1.2.1 release or any earlier release.
Comment 15 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-10 13:59:04 UTC
Adding to GLSA draft.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:12:04 UTC
This issue was resolved and addressed in
 GLSA 201310-12 at http://security.gentoo.org/glsa/glsa-201310-12.xml
by GLSA coordinator Sean Amoss (ackle).