Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 596760 (CVE-2016-7122, CVE-2016-7450, CVE-2016-7502, CVE-2016-7555, CVE-2016-7562, CVE-2016-7785, CVE-2016-7905) - <media-video/ffmpeg-{2.8.10,3.1.4}: multiple vulnerabilities
Summary: <media-video/ffmpeg-{2.8.10,3.1.4}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-7122, CVE-2016-7450, CVE-2016-7502, CVE-2016-7555, CVE-2016-7562, CVE-2016-7785, CVE-2016-7905
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa cve cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-10 10:37 UTC by Agostino Sarubbo
Modified: 2017-01-29 16:27 UTC (History)
1 user (show)

See Also:
Package list:
=media-video/ffmpeg-2.8.10
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-10-10 10:37:25 UTC
From ${URL} :

CVE-2016-7562

ff_draw_pc_font in ffmpeg before 3.1.4 uses incorrect font_height value ,which allows remote attackers to cause ffmpeg service a out-of-bounds array write fault
when it uses 'ansi' to decode a AVI file which has a crafted 'strf' struct.

fixs:https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/496267f8e9ec218351e4359e1fde48722d4fc804



CVE-2016-7122

avi_read_nikon in ffmpeg before 3.1.4 is vulnerable to infinite loop when it decode an AVI file which has a crafted 'nctg' struct.

fixs:https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ed38046c5c2e3b310980be32287179895c83e0d8




CVE-2016-7450

i2f in ffmpeg before 3.1.4 uses incorrect re_signal value ,which results in an out-of-bounds array read .

fixs:https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ac8ac46641adef208485baebc3734463bf0bd266




CVE-2016-7502

cavs_idct8_add_c in ffmpeg before 3.1.4 uses incorrect block value ,which results in an out-of-bounds array read .

fixs:https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9d738e6968757d4e70c8e07e0b720ac0004accc4




CVE-2016-7555

avi_read_header in ffmpeg before 3.1.4 is vulnerable to a memory leakage issue when it decodes an AVI file which has a crafted 'strh' struct.

fixs:https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/8834e080c20d3d23c3ffe779371359f9b9b835ec


CVE-2016-7785

avi_read_seek in ffmpeg before 3.1.4 uses incorrect scale value , which allows remote attackers to cause a assert fault of service via an AVI file which has a craft 'strh' struct.

fixs:https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/c8c5f66b42edc37474baa5cb51460cbf6f33075b




CVE-2016-7905

read_gab2_sub in ffmpeg before 3.1.4 is vulnerable to a null-point-exception when it decodes an AVI file which has a crafted 'gab2' struct.

fixs:https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/622ccbd8ab894e3ac6cdf607e3d4f39e406786e9


Reported by LianYihan in Qihoo 360 Gear Team.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexis Ballier gentoo-dev 2016-12-17 10:57:31 UTC
From http://ffmpeg.org/security.html:

FFmpeg 2.8
2.8.9
Fixes following vulnerabilities:

CVE-2016-7502, 69b00a7fb6faa1b19b5687a5762ff4f94d5ff9aa / 0e318f110bcd6bb8e7de9127f2747272e60f48d7
CVE-2016-7785, a772613100514842008271c8d0e5d63a6979f9bf / 14bac7e00d72eac687612d9b125e585011a56d4f
CVE-2016-7905, 239f75d6c3dfbe4def80a12913d5737dd5a5bbcc / 2679ad4773aa356e7c3da5c68bc81f02a194617f
CVE-2016-7562, ab737ab31d4f126ed5a13a6a0498824141925108 / 69449da436169e7facaa6d1f3bcbc41cf6ce275

2.8.8
Fixes following vulnerabilities:

CVE-2016-6164, 054db631200c9940bc72e4dec2cb3c75e613abaf / 8a3221cc67a516dfc1700bdae3566ec52c7ee823
CVE-2016-6881, e965fedf7e94b7e50cd11be00fa729ee8faeb21b / a453bbb68f3eec202673728988bba3bc76071761
CVE-2016-7122, 8ddeae57ae727966ac7588cf34ff56558fe3ffd1 / e4e4a9cad7f21593d4bcb1f2404ea0d373c36c43
CVE-2016-7450, f8dcc9e7189709c68829b0fa7a98941fdf916d68 / a5af1240fce845f645440364c1335e0f8e44ee6c



What's left:
CVE-2016-6164/CVE-2016-6881: Fixed upstream but I can't find them in your report.
CVE-2016-7555: Only mention of it upstream is in 3.0+, my bet would be 2.8 is unaffected.
Comment 2 Alexis Ballier gentoo-dev 2016-12-17 11:07:08 UTC
(In reply to Alexis Ballier from comment #1)
> CVE-2016-7555: Only mention of it upstream is in 3.0+, my bet would be 2.8
> is unaffected.

Yep, 2.8 is unaffected:
CVE-2016-7555, fb7617df4eb13659fa20cb535888c10eac0fdb77 / b98dafe04564d5fe3e5bf5073d871dd93a4a62de


The fields freed by this commit are either already freed in 2.8.10 current code or fields that were not present in 2.8.



So we can proceed to stabilizing ffmpeg-2.8.10 I think.
Comment 3 Thomas Deutschmann gentoo-dev 2017-01-09 00:31:29 UTC
@ Arches,

please test and mark stable: =media-video/ffmpeg-2.8.10
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-10 14:56:19 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-10 15:23:38 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-11 10:48:37 UTC
sparc stable
Comment 7 Markus Meier gentoo-dev 2017-01-13 16:53:57 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-15 16:00:10 UTC
ppc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-15 20:28:35 UTC
Stable for HPPA.
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-15 22:20:55 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-17 14:36:39 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-01-18 10:05:04 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-01-29 16:27:46 UTC
This issue was resolved and addressed in
 GLSA 201701-71 at https://security.gentoo.org/glsa/201701-71
by GLSA coordinator Thomas Deutschmann (whissi).