Bug 627018 (CVE-2017-11399) - <media-video/ffmpeg-{3.2.7, 3.3.3}: Integer overflow DoS
Summary: <media-video/ffmpeg-{3.2.7, 3.3.3}: Integer overflow DoS
Status: RESOLVED FIXED
Alias: CVE-2017-11399
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: 608868 CVE-2017-11665 CVE-2017-11719
Reported: 2017-08-04 01:27 UTC by Andrey Ovcharov
Modified: 2017-10-26 00:57 UTC

See Also:
Package list:
=media-video/ffmpeg-3.3.3 =sci-libs/hdf-4.2.8 amd64 ia64 ppc x86 =sci-libs/netcdf-4.3.2-r1 amd64 ia64 ppc x86
Runtime testing required: No
stable-bot: sanity-check+


Description Andrey Ovcharov 2017-08-04 01:27:57 UTC
https://nvd.nist.gov/vuln/detail/CVE-2017-11399

"Integer overflow in the ape_decode_frame function in libavcodec/apedec.c in FFmpeg through 3.3.2 allows remote attackers to cause a denial of service (out-of-array access and application crash) or possibly have unspecified other impact via a crafted APE file."
Comment 1 Andrey Ovcharov 2017-08-04 01:33:01 UTC
+ from https://security-tracker.debian.org/tracker/CVE-2017-11399 vulnerable 3.2.5, 3.2.6, 3.3.3 versions

Upstream patch https://github.com/FFmpeg/FFmpeg/commit/ba4beaf6149f7241c8bd85fe853318c2f6837ad0
Comment 2 Alexis Ballier gentoo-dev 2017-08-26 13:44:05 UTC
(In reply to Andrey Ovcharov from comment #1)
> + from https://security-tracker.debian.org/tracker/CVE-2017-11399 vulnerable
> 3.2.5, 3.2.6, 3.3.3 versions
> 
> Upstream patch
> https://github.com/FFmpeg/FFmpeg/commit/
> ba4beaf6149f7241c8bd85fe853318c2f6837ad0

3.3.3 and 3.2.7 are fixed
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-08-26 15:08:13 UTC
(In reply to Alexis Ballier from comment #2)
> (In reply to Andrey Ovcharov from comment #1)
> > + from https://security-tracker.debian.org/tracker/CVE-2017-11399 vulnerable
> > 3.2.5, 3.2.6, 3.3.3 versions
> > 
> > Upstream patch
> > https://github.com/FFmpeg/FFmpeg/commit/
> > ba4beaf6149f7241c8bd85fe853318c2f6837ad0
> 
> 3.3.3 and 3.2.7 are fixed

Thanks, Alexis!  Ready for stable?
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-08-26 15:20:19 UTC
(In reply to Aaron Bauman from comment #3)
> (In reply to Alexis Ballier from comment #2)
> > (In reply to Andrey Ovcharov from comment #1)
> > > + from https://security-tracker.debian.org/tracker/CVE-2017-11399 vulnerable
> > > 3.2.5, 3.2.6, 3.3.3 versions
> > > 
> > > Upstream patch
> > > https://github.com/FFmpeg/FFmpeg/commit/
> > > ba4beaf6149f7241c8bd85fe853318c2f6837ad0
> > 
> > 3.3.3 and 3.2.7 are fixed
> 
> Thanks, Alexis!  Ready for stable?

@Alexis, Saw your comments on the other bugs.  We will only target 3.3.3 as 3.2.7 does not contain fixes from other bugs and CVE reports. 

@arches, please stabilize.
Comment 5 Stabilization helper bot gentoo-dev 2017-08-26 16:03:06 UTC
An automated check of this bug failed - repoman reported dependency errors (9 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]']
Comment 6 Sergei Trofimovich gentoo-dev 2017-08-27 14:04:28 UTC
ia64 stable. Had to stable more packages than in package.list:

=sci-libs/hdf-4.2.8
=media-video/ffmpeg-3.3.3 
=sci-libs/netcdf-4.3.2-r1
Comment 7 Stabilization helper bot gentoo-dev 2017-08-27 15:01:20 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-08-27 20:00:06 UTC
(In reply to Sergei Trofimovich from comment #6)
> ia64 stable. Had to stable more packages than in package.list:
> 
> =sci-libs/hdf-4.2.8
> =media-video/ffmpeg-3.3.3 
> =sci-libs/netcdf-4.3.2-r1

Thanks, Sergei.
Comment 9 Stabilization helper bot gentoo-dev 2017-08-27 20:01:41 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad sci-libs/hdf/hdf-4.2.8.ebuild: DEPEND: arm(default/linux/arm/13.0) ['virtual/szip']
> dependency.bad sci-libs/hdf/hdf-4.2.8.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['virtual/szip']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
Comment 10 Stabilization helper bot gentoo-dev 2017-08-27 22:02:48 UTC
An automated check of this bug failed - repoman reported dependency errors (3 lines truncated): 

> dependency.bad sci-libs/hdf/hdf-4.2.8.ebuild: DEPEND: arm(default/linux/arm/13.0) ['virtual/szip']
> dependency.bad sci-libs/hdf/hdf-4.2.8.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['virtual/szip']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['sci-libs/hdf5:0=', 'sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/hdf5-1.8.18[hl]']
Comment 11 Carl Eugen Hoyos 2017-08-28 08:56:34 UTC
(In reply to Aaron Bauman from comment #4)

> @Alexis, Saw your comments on the other bugs. 

> We will only target 3.3.3 as 3.2.7 does not contain fixes from other bugs and CVE reports. 

(Sorry if I misunderstand)
The only reason that 3.2.7 was released was the reason any FFmpeg point release is made: Security issues like the one reported in this gentoo bug and samples that crash default FFmpeg binaries were reported and fixed.
See:
http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=refs/heads/release/3.2
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=66395ac3

Carl Eugen
Comment 12 Larry the Git Cow gentoo-dev 2017-09-04 13:33:49 UTC
Bug has been referenced in the following commit:
    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c47d4c8b0978eeb0cb65306eff53d46ec5bc89c

    commit 9c47d4c8b0978eeb0cb65306eff53d46ec5bc89c
    Author:     Richard Freeman <rich0@gentoo.org>
    AuthorDate: 2017-09-04 13:32:41 +0000
    Commit:     Richard Freeman <rich0@gentoo.org>
    CommitDate: 2017-09-04 13:32:59 +0000

    media-video/ffmpeg: amd64 stable
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=627018
    Package-Manager: Portage-2.3.6, Repoman-2.3.3

 media-video/ffmpeg/ffmpeg-3.3.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 13 Stabilization helper bot gentoo-dev 2017-09-04 14:02:32 UTC
An automated check of this bug failed - repoman reported dependency errors (3 lines truncated): 

> dependency.bad sci-libs/hdf/hdf-4.2.8.ebuild: DEPEND: arm(default/linux/arm/13.0) ['virtual/szip']
> dependency.bad sci-libs/hdf/hdf-4.2.8.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['virtual/szip']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['sci-libs/hdf5:0=', 'sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/hdf5-1.8.18[hl]']
Comment 14 Markus Meier gentoo-dev 2017-09-07 19:12:33 UTC
arm stable
Comment 15 Stabilization helper bot gentoo-dev 2017-09-07 20:01:28 UTC
An automated check of this bug failed - repoman reported dependency errors (1 lines truncated): 

> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['sci-libs/hdf5:0=', 'sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['sci-libs/hdf5:0=', 'sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['sci-libs/hdf5:0=', 'sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2017-09-09 06:17:41 UTC
We should continue stabilization
Comment 17 Thomas Deutschmann gentoo-dev Security 2017-09-09 13:05:49 UTC
(In reply to Yury German from comment #16)
> We should continue stabilization

This will require stable-bot flag of "+". Adjusting package list...
Comment 18 Thomas Deutschmann gentoo-dev Security 2017-09-11 21:02:17 UTC
x86 stable
Comment 19 Sergei Trofimovich gentoo-dev 2017-09-30 06:32:52 UTC
ppc stable
Comment 20 Sergei Trofimovich gentoo-dev 2017-09-30 06:37:07 UTC
ppc64 stable
Comment 21 Sergei Trofimovich gentoo-dev 2017-10-14 14:47:23 UTC
hppa stable
Comment 22 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-26 00:57:23 UTC
GLSA Vote: No

Cleanup handled in bug #630460