608868 – <media-video/ffmpeg-3.2.4: multiple vulnerabilities (CVE-2017-{5024,5025})

Bug 608868 - <media-video/ffmpeg-3.2.4: multiple vulnerabilities (CVE-2017-{5024,5025})

Summary: <media-video/ffmpeg-3.2.4: multiple vulnerabilities (CVE-2017-{5024,5025})

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa cve]
Keywords:

Duplicates (1):	603984 (view as bug list)
Depends on:	508226 574786 610546 CVE-2017-11399
Blocks:	ffmpeg-3 575538 CVE-2016-10198, CVE-2016-10199, CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807, CVE-2016-9808, CVE-2016-9809, CVE-2016-9810, CVE-2016-9811, CVE-2016-9812, CVE-2016-9813, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5846, CVE-2017-5847, CVE-2017-5848 610810 624180
	Show dependency tree

Reported:	2017-02-10 14:03 UTC by Alexis Ballier
Modified:	2018-07-27 21:21 UTC (History)
CC List:	9 users (show)

See Also:
Package list:	=media-video/ffmpeg-3.2.4 =media-libs/chromaprint-1.4.2 =media-libs/kvazaar-1.0.0 =media-video/nvidia_video_sdk-6.0.1 amd64 x86 =media-libs/libilbc-2.0.2 =media-libs/zimg-2.5 =media-libs/rubberband-1.8.1-r1 =media-libs/libsdl2-2.0.4 =media-libs/openh264-1.5.0 =media-libs/libebur128-1.2.0-r1 =media-libs/vamp-plugin-sdk-2.6-r1 =media-libs/raspberrypi-userland-0_pre20160424 arm =media-libs/ladspa-sdk-1.13-r2
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexis Ballier gentoo-dev

2017-02-10 14:03:14 UTC

Per leio's request, needed for new gst-libav.

Comment 1 Alexis Ballier gentoo-dev

2017-02-10 14:04:09 UTC

@games team: I've put =media-libs/libsdl2-2.0.4 in the list for arches not having it stable yet. Feel free to bump that to 2.0.5 if you prefer.

Comment 2 Alexis Ballier gentoo-dev

2017-02-10 14:05:13 UTC

@Ian: I've put =media-libs/openh264-1.4.0-r1 in the list for arches not having it stable yet. Feel free to bump that to 1.5.0 if you prefer.

Comment 3 Alexis Ballier gentoo-dev

2017-02-10 14:06:18 UTC

@Amy: I've put =media-libs/libebur128-1.2.0-r1 in the list; please ack/nack;

Comment 4 James Le Cuirot gentoo-dev

2017-02-10 14:08:24 UTC

(In reply to Alexis Ballier from comment #1)
> @games team: I've put =media-libs/libsdl2-2.0.4 in the list for arches not
> having it stable yet. Feel free to bump that to 2.0.5 if you prefer.

2.0.5 is blocked by ppc64 suffering from bug #608314. There's a keyword request sparc in bug #508226.

Comment 5 Alexis Ballier gentoo-dev

2017-02-10 14:17:37 UTC

(In reply to James Le Cuirot from comment #4)
> (In reply to Alexis Ballier from comment #1)
> > @games team: I've put =media-libs/libsdl2-2.0.4 in the list for arches not
> > having it stable yet. Feel free to bump that to 2.0.5 if you prefer.
> 
> 2.0.5 is blocked by ppc64 suffering from bug #608314. There's a keyword
> request sparc in bug #508226.

Okey, thanks. So let's keep 2.0.4 then.
Feel free to un-cc you if you want to avoid the emails.

Comment 6 Stabilization helper bot gentoo-dev

2017-02-10 15:05:54 UTC

An automated check of this bug failed - repoman reported dependency errors (161 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/openh264/openh264-1.4.0-r1.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-lang/nasm']
> dependency.bad media-libs/openh264/openh264-1.4.0-r1.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-lang/nasm']
> dependency.bad media-libs/openh264/openh264-1.4.0-r1.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['dev-lang/nasm']

Comment 7 Alexis Ballier gentoo-dev

2017-02-10 15:25:46 UTC

(In reply to Alexis Ballier from comment #2)
> @Ian: I've put =media-libs/openh264-1.4.0-r1 in the list for arches not
> having it stable yet. Feel free to bump that to 1.5.0 if you prefer.

We need 1.5.0 for non-x86 arches.

Comment 8 Stabilization helper bot gentoo-dev

2017-02-10 16:04:51 UTC

An automated check of this bug failed - repoman reported dependency errors (83 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=media-libs/libebur128-1.1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/kvazaar[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', '>=media-libs/libilbc-2[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/zimg[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']

Comment 9 Alexis Ballier gentoo-dev

2017-02-10 16:19:26 UTC

Seems there is a bug with the stable bot. =media-libs/libebur128-1.2.0-r1 is in the list...

Comment 10 Amy Liffey gentoo-dev

2017-02-10 17:22:14 UTC

(In reply to Alexis Ballier from comment #9)
> Seems there is a bug with the stable bot. =media-libs/libebur128-1.2.0-r1 is
> in the list...

But it is not keyworded for alpha.

Comment 11 Alexis Ballier gentoo-dev

2017-02-10 17:23:39 UTC

(In reply to Amy Liffey from comment #10)
> (In reply to Alexis Ballier from comment #9)
> > Seems there is a bug with the stable bot. =media-libs/libebur128-1.2.0-r1 is
> > in the list...
> 
> But it is not keyworded for alpha.

keywordreq is bug #574786

Comment 12 Amy Liffey gentoo-dev

2017-02-10 17:32:24 UTC

*** Bug 603984 has been marked as a duplicate of this bug. ***

Comment 13 Stabilization helper bot gentoo-dev

2017-02-11 08:32:06 UTC

An automated check of this bug failed - repoman reported dependency errors (27 lines truncated): 

> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-libs/vamp-plugin-sdk[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/ladspa-sdk']
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-libs/vamp-plugin-sdk[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/ladspa-sdk']
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['media-libs/vamp-plugin-sdk[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]', 'media-libs/ladspa-sdk']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-libs/raspberrypi-userland']
> dependency.bad media-video/ffmpeg/ffmpeg-3.2.4.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-libs/raspberrypi-userland']

Comment 14 Alexis Ballier gentoo-dev

2017-02-11 10:56:25 UTC

Maintainer:  chithanh@gentoo.org (Chí-Thanh Christopher Nguyễn)
Maintainer:  tupone@gentoo.org (Tupone Alfredo)

=media-libs/raspberrypi-userland-0_pre20160424 arm


Please ack/nack

Comment 15 Stabilization helper bot gentoo-dev

2017-02-11 11:05:10 UTC

An automated check of this bug failed - repoman reported dependency errors (13 lines truncated): 

> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-libs/ladspa-sdk']
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-libs/ladspa-sdk']
> dependency.bad media-libs/rubberband/rubberband-1.8.1-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['media-libs/ladspa-sdk']

Comment 16 Alexis Ballier gentoo-dev

2017-02-11 15:52:46 UTC

3.2.4
Fixes following vulnerabilities:

CVE-2017-5024, ed2572b9c8f885e2a4764d2e34604442a71899a1 / 2d453188c2303da641dafb048dc1806790526dfd
CVE-2017-5025, cf8e004a51b08c6e8ceaeebca85ab84c7ed0b4cf / fd30e4d57fe5841385f845440688505b88c0f4a9



Note: 2.8.11 also fixes them but we're going for 3.2 stable, so...

Comment 17 Tupone Alfredo gentoo-dev

2017-02-12 14:39:33 UTC

(In reply to Alexis Ballier from comment #14)
> Maintainer:  chithanh@gentoo.org (Chí-Thanh Christopher Nguyễn)
> Maintainer:  tupone@gentoo.org (Tupone Alfredo)
> 
> =media-libs/raspberrypi-userland-0_pre20160424 arm
> 
> 
> Please ack/nack

I tested media-tv/kodi with media-libs/ffmpeg-3.2.4 and media-libs/raspberrypi-userland-9999 (not 0_pre20160424 that is not on my system), and it seems to work. Tough I don't know if the video I played are decoded by ffmpeg

Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev

2017-02-13 02:02:52 UTC

(In reply to Alexis Ballier from comment #16)
> 3.2.4
> Fixes following vulnerabilities:
> 
> CVE-2017-5024, ed2572b9c8f885e2a4764d2e34604442a71899a1 /
> 2d453188c2303da641dafb048dc1806790526dfd
> CVE-2017-5025, cf8e004a51b08c6e8ceaeebca85ab84c7ed0b4cf /
> fd30e4d57fe5841385f845440688505b88c0f4a9
> 
> 
> 
> Note: 2.8.11 also fixes them but we're going for 3.2 stable, so...

Assigning bug to security to allow arches proper prioritizing...

Comment 19 Mart Raudsepp gentoo-dev

2017-02-15 10:51:06 UTC

Removing tracker bugs from depends list (moved to blocks list), as we need to proceed security stabilization without these RESOLVED and them being listed as depends results in ATs not working this bug due to unresolved depend bugs.

Comment 20 Agostino Sarubbo gentoo-dev

2017-02-15 15:06:10 UTC

amd64 stable

Comment 21 Agostino Sarubbo gentoo-dev

2017-02-15 15:56:32 UTC

x86 stable

Comment 22 Jeroen Roovers (RETIRED) gentoo-dev

2017-02-18 08:51:30 UTC

Stable for HPPA.

Comment 23 Jeroen Roovers (RETIRED) gentoo-dev

2017-02-22 13:18:37 UTC

Stable for PPC64.

Comment 24 Michael Weber (RETIRED) gentoo-dev

2017-02-22 21:06:44 UTC

ppc stable.

Comment 25 Michael Weber (RETIRED) gentoo-dev

2017-02-23 12:32:41 UTC

arm stable.

Comment 26 Mart Raudsepp gentoo-dev

2017-04-04 06:58:53 UTC

Any reason for bug 610546 still to be a blocker here (or that bug being open still), as this security bug probably doesn't show up with the tooling right now due to that?...

Comment 27 Tobias Klausmann (RETIRED) gentoo-dev

2017-04-05 12:20:25 UTC

=media-libs/libilbc-2.0.2 will not happen on alpha due to lack of architecture support from upstream. Since it's not keyworded yet, that should not be a problem. Working on the rest.

Comment 28 Tobias Klausmann (RETIRED) gentoo-dev

2017-04-05 14:07:57 UTC

Stable on alpha.

Comment 29 Yury German Gentoo Infrastructure

2017-04-26 01:20:14 UTC

Arches, Thank you for your work.
Added to an existing GLSA Request.

Can not wait on sparc.

Comment 30 GLSAMaker/CVETool Bot gentoo-dev

2017-05-09 19:35:24 UTC

This issue was resolved and addressed in
 GLSA 201705-05 at https://security.gentoo.org/glsa/201705-05
by GLSA coordinator Kristian Fiskerstrand (K_F).

Comment 31 Yury German Gentoo Infrastructure

2017-05-18 03:51:28 UTC

Reopening for ia64 and sparc. Please finish stabilization or drop from stable.

Comment 32 Sergei Trofimovich (RETIRED) gentoo-dev

2017-06-10 20:17:55 UTC

ia64 stable

Comment 33 Stabilization helper bot gentoo-dev

2017-06-10 21:04:55 UTC

An automated check of this bug failed - the following atom is unknown:

media-libs/zimg-2.4

Please verify the atom list.

Comment 34 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-11 10:35:45 UTC

Adjusting package list for sparc...

Comment 35 Aaron Bauman (RETIRED) gentoo-dev

2017-09-10 22:15:22 UTC

sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9