627018 – (CVE-2017-11399) <media-video/ffmpeg-{3.2.7, 3.3.3}: Integer overflow DoS

Bug 627018 (CVE-2017-11399) - <media-video/ffmpeg-{3.2.7, 3.3.3}: Integer overflow DoS

Summary: <media-video/ffmpeg-{3.2.7, 3.3.3}: Integer overflow DoS

Status:	RESOLVED FIXED

Alias:	CVE-2017-11399

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:	608868 CVE-2017-11665 CVE-2017-11719
	Show dependency tree

Reported:	2017-08-04 01:27 UTC by Andrey Ovcharov
Modified:	2017-10-26 00:57 UTC (History)
CC List:	0 users

See Also:
Package list:	=media-video/ffmpeg-3.3.3 =sci-libs/hdf-4.2.8 amd64 ia64 ppc x86 =sci-libs/netcdf-4.3.2-r1 amd64 ia64 ppc x86
Runtime testing required:	No

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrey Ovcharov 2017-08-04 01:27:57 UTC

https://nvd.nist.gov/vuln/detail/CVE-2017-11399

"Integer overflow in the ape_decode_frame function in libavcodec/apedec.c in FFmpeg through 3.3.2 allows remote attackers to cause a denial of service (out-of-array access and application crash) or possibly have unspecified other impact via a crafted APE file."

Comment 1 Andrey Ovcharov 2017-08-04 01:33:01 UTC

+ from https://security-tracker.debian.org/tracker/CVE-2017-11399 vulnerable 3.2.5, 3.2.6, 3.3.3 versions

Upstream patch https://github.com/FFmpeg/FFmpeg/commit/ba4beaf6149f7241c8bd85fe853318c2f6837ad0

Comment 2 Alexis Ballier gentoo-dev

2017-08-26 13:44:05 UTC

(In reply to Andrey Ovcharov from comment #1)
> + from https://security-tracker.debian.org/tracker/CVE-2017-11399 vulnerable
> 3.2.5, 3.2.6, 3.3.3 versions
> 
> Upstream patch
> https://github.com/FFmpeg/FFmpeg/commit/
> ba4beaf6149f7241c8bd85fe853318c2f6837ad0

3.3.3 and 3.2.7 are fixed

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2017-08-26 15:08:13 UTC

(In reply to Alexis Ballier from comment #2)
> (In reply to Andrey Ovcharov from comment #1)
> > + from https://security-tracker.debian.org/tracker/CVE-2017-11399 vulnerable
> > 3.2.5, 3.2.6, 3.3.3 versions
> > 
> > Upstream patch
> > https://github.com/FFmpeg/FFmpeg/commit/
> > ba4beaf6149f7241c8bd85fe853318c2f6837ad0
> 
> 3.3.3 and 3.2.7 are fixed

Thanks, Alexis!  Ready for stable?

Comment 4 Aaron Bauman (RETIRED) gentoo-dev

2017-08-26 15:20:19 UTC

(In reply to Aaron Bauman from comment #3)
> (In reply to Alexis Ballier from comment #2)
> > (In reply to Andrey Ovcharov from comment #1)
> > > + from https://security-tracker.debian.org/tracker/CVE-2017-11399 vulnerable
> > > 3.2.5, 3.2.6, 3.3.3 versions
> > > 
> > > Upstream patch
> > > https://github.com/FFmpeg/FFmpeg/commit/
> > > ba4beaf6149f7241c8bd85fe853318c2f6837ad0
> > 
> > 3.3.3 and 3.2.7 are fixed
> 
> Thanks, Alexis!  Ready for stable?

@Alexis, Saw your comments on the other bugs.  We will only target 3.3.3 as 3.2.7 does not contain fixes from other bugs and CVE reports. 

@arches, please stabilize.

Comment 5 Stabilization helper bot gentoo-dev

2017-08-26 16:03:06 UTC

An automated check of this bug failed - repoman reported dependency errors (9 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['>=sci-libs/netcdf-4.3.2-r1[hdf5]']

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2017-08-27 14:04:28 UTC

ia64 stable. Had to stable more packages that in package.list:

=sci-libs/hdf-4.2.8
=media-video/ffmpeg-3.3.3 
=sci-libs/netcdf-4.3.2-r1

Comment 7 Stabilization helper bot gentoo-dev

2017-08-27 15:01:20 UTC

An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']

Comment 8 Aaron Bauman (RETIRED) gentoo-dev

2017-08-27 20:00:06 UTC

(In reply to Sergei Trofimovich from comment #6)
> ia64 stable. Had to stable more packages that in package.list:
> 
> =sci-libs/hdf-4.2.8
> =media-video/ffmpeg-3.3.3 
> =sci-libs/netcdf-4.3.2-r1

Thanks, Sergei.

Comment 9 Stabilization helper bot gentoo-dev

2017-08-27 20:01:41 UTC

An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad sci-libs/hdf/hdf-4.2.8.ebuild: DEPEND: arm(default/linux/arm/13.0) ['virtual/szip']
> dependency.bad sci-libs/hdf/hdf-4.2.8.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['virtual/szip']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/netcdf-4.3.2-r1[hdf5]', '>=sci-libs/hdf5-1.8.18[hl]']

Comment 10 Stabilization helper bot gentoo-dev

2017-08-27 22:02:48 UTC

An automated check of this bug failed - repoman reported dependency errors (3 lines truncated): 

> dependency.bad sci-libs/hdf/hdf-4.2.8.ebuild: DEPEND: arm(default/linux/arm/13.0) ['virtual/szip']
> dependency.bad sci-libs/hdf/hdf-4.2.8.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['virtual/szip']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['sci-libs/hdf5:0=', 'sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/hdf5-1.8.18[hl]']

Comment 11 Carl Eugen Hoyos 2017-08-28 08:56:34 UTC

(In reply to Aaron Bauman from comment #4)

> @Alexis, Saw your comments on the other bugs. 

> We will only target 3.3.3 as 3.2.7 does not contain fixes from other bugs and CVE reports. 

(Sorry if I misunderstand)
The only reason that 3.2.7 was released was the reason any FFmpeg point release is made: Security issues like the one reported in this gentoo bug and samples that crash default FFmpeg binaries were reported and fixed.
See:
http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=refs/heads/release/3.2
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=66395ac3

Carl Eugen

Comment 12 Larry the Git Cow gentoo-dev

2017-09-04 13:33:49 UTC

Bug has been referenced in the following commit:
    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c47d4c8b0978eeb0cb65306eff53d46ec5bc89c

    commit 9c47d4c8b0978eeb0cb65306eff53d46ec5bc89c
Author:     Richard Freeman <rich0@gentoo.org>
AuthorDate: 2017-09-04 13:32:41 +0000
Commit:     Richard Freeman <rich0@gentoo.org>
CommitDate: 2017-09-04 13:32:59 +0000

    media-video/ffmpeg: amd64 stable
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=627018
    Package-Manager: Portage-2.3.6, Repoman-2.3.3

 media-video/ffmpeg/ffmpeg-3.3.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 13 Stabilization helper bot gentoo-dev

2017-09-04 14:02:32 UTC

An automated check of this bug failed - repoman reported dependency errors (3 lines truncated): 

> dependency.bad sci-libs/hdf/hdf-4.2.8.ebuild: DEPEND: arm(default/linux/arm/13.0) ['virtual/szip']
> dependency.bad sci-libs/hdf/hdf-4.2.8.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['virtual/szip']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['sci-libs/hdf5:0=', 'sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/hdf5-1.8.18[hl]']
> dependency.bad media-video/ffmpeg/ffmpeg-3.3.3.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins', '>=sci-libs/hdf5-1.8.18[hl]']

Comment 14 Markus Meier gentoo-dev

2017-09-07 19:12:33 UTC

arm stable

Comment 15 Stabilization helper bot gentoo-dev

2017-09-07 20:01:28 UTC

An automated check of this bug failed - repoman reported dependency errors (1 lines truncated): 

> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['sci-libs/hdf5:0=', 'sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['sci-libs/hdf5:0=', 'sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']
> dependency.bad sci-libs/netcdf/netcdf-4.3.2-r1.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['sci-libs/hdf5:0=', 'sci-libs/hdf5:0=[hl(+),mpi=,szip=,zlib]']

Comment 16 Yury German Gentoo Infrastructure

2017-09-09 06:17:41 UTC

We should continue stabilization

Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev

2017-09-09 13:05:49 UTC

(In reply to Yury German from comment #16)
> We should continue stabilization

This will require stable-bot flag of "+". Adjusting package list...

Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev

2017-09-11 21:02:17 UTC

x86 stable

Comment 19 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-30 06:32:52 UTC

ppc stable

Comment 20 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-30 06:37:07 UTC

ppc64 stable

Comment 21 Sergei Trofimovich (RETIRED) gentoo-dev

2017-10-14 14:47:23 UTC

hppa stable

Comment 22 Aaron Bauman (RETIRED) gentoo-dev

2017-10-26 00:57:23 UTC

GLSA Vote: No

Cleanup handled in bug #630460