Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 660924 (CVE-2018-10001, CVE-2018-6912, CVE-2018-7557, CVE-2018-7751) - <media-video/ffmpeg-3.4.5: Multiple vulnerabilities
Summary: <media-video/ffmpeg-3.4.5: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-10001, CVE-2018-6912, CVE-2018-7557, CVE-2018-7751
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
: CVE-2018-9841 (view as bug list)
Depends on:
Blocks:
 
Reported: 2018-07-11 16:41 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-30 15:07 UTC (History)
3 users (show)

See Also:
Package list:
media-video/ffmpeg-3.4.5 media-plugins/frei0r-plugins-1.6.1 arm
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
tatt useflags & rdeps testing (ppc64) (tatt_results-ppc64.txt,10.05 KB, text/plain)
2019-03-09 18:29 UTC, ernsteiswuerfel 		no flags Details
tatt useflags & rdeps testing (ppc) (ffmpeg-660924.report,10.35 KB, text/plain)
2019-03-14 22:39 UTC, ernsteiswuerfel 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-07-11 16:41:42 UTC 
CVE-2018-9841 (https://nvd.nist.gov/vuln/detail/CVE-2018-9841):
  The export function in libavfilter/vf_signature.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (out-of-array access)
  or possibly have unspecified other impact via a long filename.

CVE-2018-7751 (https://nvd.nist.gov/vuln/detail/CVE-2018-7751):
  The svg_probe function in libavformat/img2dec.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (Infinite Loop) via a
  crafted XML file.

CVE-2018-7557 (https://nvd.nist.gov/vuln/detail/CVE-2018-7557):
  The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (Out of array read) via
  an AVI file with crafted dimensions within chroma subsampling data.

CVE-2018-6912 (https://nvd.nist.gov/vuln/detail/CVE-2018-6912):
  The decode_plane function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (out of array read) via
  a crafted AVI file.

CVE-2018-10001 (https://nvd.nist.gov/vuln/detail/CVE-2018-10001):
  The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (out of array read) via
  an AVI file.


@Maintainers, ebuilds already in three, please call for stabilization when ready.
Comment 1 Haelwenn (lanodan) Monnier 2018-07-19 17:46:25 UTC 
Not sure if this is the right place to put it, but here are more vulnerabilities in FFmpeg.

CVE-2018-14394 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14394 )
  libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted Waveform audio file.

CVE-2018-14395 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14395 )
  libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted audio file when converting to the MOV audio format.
Comment 2 Alexis Ballier gentoo-dev 2019-02-13 15:25:22 UTC 
*** Bug 652752 has been marked as a duplicate of this bug. ***
Comment 3 Alexis Ballier gentoo-dev 2019-02-13 15:28:46 UTC 
https://ffmpeg.org/security.html

current stable ffmpeg is 3.3.6; this is security-wise equivalent to 3.4.1

so, we are missing:

3.4.5

Fixes following vulnerabilities:

CVE-2018-15822, 44e878d08674a15906badfb921443a44ebf6257d / 6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10

3.4.4

Fixes following vulnerabilities:

CVE-2018-14395, 2b8d4f6f0186b3ed0b223f665d32c36ed887149e / fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582

3.4.3

Fixes following vulnerabilities:

CVE-2018-7557,  ae49cc73f265a155e5c4b1715570aab3d9741b4d / 7414d0bda7763f9bd69c26c068e482ab297c1c96
CVE-2018-7751,  3fa6e594a0f2575ddb6b2183961fde42ab5ab37b / a6cba062051f345e8ebfdff34aba071ed73d923f
CVE-2018-10001, 51035698bde9c13da7eedc1f6eb47d190bbc949d / 47b7c68ae54560e2308bdb6be4fb076c73b93081
CVE-2018-12458, bd1fd3ff4b0437153a6c4717f59ce31a7bba8ca0 / e1182fac1afba92a4975917823a5f644bee7e6e8
CVE-2018-13300, 3a04f518ac283194bb13d8aff7d9fa963d551547 / 95556e27e2c1d56d9e18f5db34d6f756f3011148
CVE-2018-13302, 36c779bffe2ceef48a0fa4d7a6691c6895faf9e2 / ed22dc22216f74c75ee7901f82649e1ff725ba50
CVE-2018-14394, 20ad61ffb7b0fc72d17b5c21035eb85a698ac64b / 3a2d21bc5f97aa0161db3ae731fc2732be6108b8

3.4.2

Fixes following vulnerabilities:

CVE-2018-6621, 342f1da13489de6650349fff2206a81442d6c668 / 118e1b0b3370dd1c0da442901b486689efd1654b
CVE-2018-6392, 2980b95fafb39148cfade120eab5c75b46bfffc6 / 3f621455d62e46745453568d915badd5b1e5bcd5
Comment 4 Alexis Ballier gentoo-dev 2019-02-13 15:40:56 UTC 
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2018-9841 (https://nvd.nist.gov/vuln/detail/CVE-2018-9841):
>   The export function in libavfilter/vf_signature.c in FFmpeg through 3.4.2
>   allows remote attackers to cause a denial of service (out-of-array access)
>   or possibly have unspecified other impact via a long filename.

Not reported in the upstream page.
Fix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/43916494f8cac6ed294309e70de346e309d51058

>=media-video/ffmpeg-3.4.3


> CVE-2018-7751 (https://nvd.nist.gov/vuln/detail/CVE-2018-7751):
>   The svg_probe function in libavformat/img2dec.c in FFmpeg through 3.4.2
>   allows remote attackers to cause a denial of service (Infinite Loop) via a
>   crafted XML file.


CVE-2018-7751,  3fa6e594a0f2575ddb6b2183961fde42ab5ab37b / a6cba062051f345e8ebfdff34aba071ed73d923f

>=media-video/ffmpeg-3.4.3


> CVE-2018-7557 (https://nvd.nist.gov/vuln/detail/CVE-2018-7557):
>   The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
>   allows remote attackers to cause a denial of service (Out of array read)
> via
>   an AVI file with crafted dimensions within chroma subsampling data.


CVE-2018-7557,  ae49cc73f265a155e5c4b1715570aab3d9741b4d / 7414d0bda7763f9bd69c26c068e482ab297c1c96

>=media-video/ffmpeg-3.4.3

> CVE-2018-6912 (https://nvd.nist.gov/vuln/detail/CVE-2018-6912):
>   The decode_plane function in libavcodec/utvideodec.c in FFmpeg through
> 3.4.2
>   allows remote attackers to cause a denial of service (out of array read)
> via
>   a crafted AVI file.

Not mentionned in the upstream sec page.
Upstream fix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/76cc0f0f673353cd4746cd3b83838ae335e5d9ed


Offending code was added there: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92b32664cdc064523c60ddba5ed139855e08470c

3.4.5 was released on 2018-11-01. It is the latest stable FFmpeg release from the 3.4 release branch, which was cut from master on 2017-10-11. 

4.0.3 was released on 2018-11-03. It is the latest stable FFmpeg release from the 4.0 release branch, which was cut from master on 2018-04-16. 

So this is only an issue for ffmpeg >= 4, which has never been stable



> CVE-2018-10001 (https://nvd.nist.gov/vuln/detail/CVE-2018-10001):
>   The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
>   allows remote attackers to cause a denial of service (out of array read)
> via
>   an AVI file.

CVE-2018-10001, 51035698bde9c13da7eedc1f6eb47d190bbc949d / 47b7c68ae54560e2308bdb6be4fb076c73b93081

>=media-video/ffmpeg-3.4.3
Comment 5 Alexis Ballier gentoo-dev 2019-02-13 15:42:08 UTC 
(In reply to Haelwenn Monnier from comment #1)
> Not sure if this is the right place to put it, but here are more
> vulnerabilities in FFmpeg.

yes

> CVE-2018-14394 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14394 )
>   libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a
> denial of service (application crash caused by a divide-by-zero error) with
> a user crafted Waveform audio file.


CVE-2018-14394, 20ad61ffb7b0fc72d17b5c21035eb85a698ac64b / 3a2d21bc5f97aa0161db3ae731fc2732be6108b8

>=media-video/ffmpeg-3.4.3

> CVE-2018-14395 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14395 )
>   libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a
> denial of service (application crash caused by a divide-by-zero error) with
> a user crafted audio file when converting to the MOV audio format.

CVE-2018-14395, 2b8d4f6f0186b3ed0b223f665d32c36ed887149e / fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582

>=media-video/ffmpeg-3.4.3
Comment 6 Alexis Ballier gentoo-dev 2019-02-13 15:43:08 UTC 
go for 3.4.5 that also fixes a few more CVEs
Comment 7 Alexis Ballier gentoo-dev 2019-02-13 15:43:41 UTC 
(In reply to Alexis Ballier from comment #5)
> > CVE-2018-14395 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14395 )
> >   libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a
> > denial of service (application crash caused by a divide-by-zero error) with
> > a user crafted audio file when converting to the MOV audio format.
> 
> CVE-2018-14395, 2b8d4f6f0186b3ed0b223f665d32c36ed887149e /
> fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582
> 
> >=media-video/ffmpeg-3.4.3

This is >=media-video/ffmpeg-3.4.4
Comment 8 Stabilization helper bot gentoo-dev 2019-02-13 16:04:15 UTC 
An automated check of this bug failed - repoman reported dependency errors (135 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.4.5.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins']
> dependency.bad media-video/ffmpeg/ffmpeg-3.4.5.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins']
> dependency.bad media-video/ffmpeg/ffmpeg-3.4.5.ebuild: DEPEND: arm(default/linux/arm/17.0) ['media-plugins/frei0r-plugins']
Comment 9 Stabilization helper bot gentoo-dev 2019-02-13 17:04:36 UTC 
An automated check of this bug failed - repoman reported dependency errors (129 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
Comment 10 Alexis Ballier gentoo-dev 2019-02-13 17:09:35 UTC 
@arm team: you should decide what you want to do here -- package.use.stable.mask vs catching up other arches
Comment 11 Mart Raudsepp gentoo-dev 2019-02-14 10:06:28 UTC 
arm64 doesn't have a stable ffmpeg..
Comment 12 Stabilization helper bot gentoo-dev 2019-02-14 11:04:46 UTC 
An automated check of this bug failed - repoman reported dependency errors (129 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2019-02-15 15:47:37 UTC 
x86 stable
Comment 14 Stabilization helper bot gentoo-dev 2019-02-15 16:05:09 UTC 
An automated check of this bug failed - repoman reported dependency errors (129 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-02-15 18:36:10 UTC 
amd64 stable
Comment 16 Stabilization helper bot gentoo-dev 2019-02-15 19:03:22 UTC 
An automated check of this bug failed - repoman reported dependency errors (129 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
Comment 17 ernsteiswuerfel archtester 2019-03-09 18:29:57 UTC 
Created attachment 568336 [details]
tatt useflags & rdeps testing (ppc64)

Looking good on ppc64.

useflags failing: bug #678744
rdeps failing: media-libs/gegl (bug #639986), media-libs/mediastreamer (tests stall four hours)
Comment 18 Sergei Trofimovich (RETIRED) gentoo-dev 2019-03-13 22:24:34 UTC 
ppc stable thanks to ernsteiswuerfel!
Comment 19 Stabilization helper bot gentoo-dev 2019-03-13 23:02:11 UTC 
An automated check of this bug failed - repoman reported dependency errors (61 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.badindev media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0/armv4) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
Comment 20 ernsteiswuerfel archtester 2019-03-14 22:39:28 UTC 
Created attachment 569136 [details]
tatt useflags & rdeps testing (ppc)

Looking good on ppc.

useflags failing: bug #678744
Comment 21 Stabilization helper bot gentoo-dev 2019-03-16 20:02:25 UTC 
An automated check of this bug failed - repoman reported dependency errors (61 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.badindev media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0/armv4) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
Comment 22 Markus Meier gentoo-dev 2019-03-20 17:03:07 UTC 
arm stable
Comment 23 Stabilization helper bot gentoo-dev 2019-03-20 18:00:49 UTC 
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 24 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-17 12:16:53 UTC 
alpha stable
Comment 25 Agostino Sarubbo gentoo-dev 2019-06-04 18:59:24 UTC 
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2020-03-30 15:07:02 UTC 
This issue was resolved and addressed in
 GLSA 202003-65 at https://security.gentoo.org/glsa/202003-65
by GLSA coordinator Thomas Deutschmann (whissi).