Bug 660924 (CVE-2018-10001, CVE-2018-6912, CVE-2018-7557, CVE-2018-7751) - <media-video/ffmpeg-3.4.5: Multiple vulnerabilities
Summary: <media-video/ffmpeg-3.4.5: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2018-10001, CVE-2018-6912, CVE-2018-7557, CVE-2018-7751
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa? cve cleanup]
Keywords:
Duplicates: CVE-2018-9841
Depends on:
Blocks:
 
Reported: 2018-07-11 16:41 UTC by GLSAMaker/CVETool Bot
Modified: 2019-06-04 18:59 UTC

See Also:
Package list:
media-video/ffmpeg-3.4.5 media-plugins/frei0r-plugins-1.6.1 arm
Runtime testing required: ---
stable-bot: sanity-check+


Attachments
tatt useflags & rdeps testing (ppc64) (tatt_results-ppc64.txt,10.05 KB, text/plain)
2019-03-09 18:29 UTC, ernsteiswuerfel
tatt useflags & rdeps testing (ppc) (ffmpeg-660924.report,10.35 KB, text/plain)
2019-03-14 22:39 UTC, ernsteiswuerfel

Description GLSAMaker/CVETool Bot gentoo-dev 2018-07-11 16:41:42 UTC
CVE-2018-9841 (https://nvd.nist.gov/vuln/detail/CVE-2018-9841):
  The export function in libavfilter/vf_signature.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (out-of-array access)
  or possibly have unspecified other impact via a long filename.

CVE-2018-7751 (https://nvd.nist.gov/vuln/detail/CVE-2018-7751):
  The svg_probe function in libavformat/img2dec.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (Infinite Loop) via a
  crafted XML file.

CVE-2018-7557 (https://nvd.nist.gov/vuln/detail/CVE-2018-7557):
  The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (Out of array read) via
  an AVI file with crafted dimensions within chroma subsampling data.

CVE-2018-6912 (https://nvd.nist.gov/vuln/detail/CVE-2018-6912):
  The decode_plane function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (out of array read) via
  a crafted AVI file.

CVE-2018-10001 (https://nvd.nist.gov/vuln/detail/CVE-2018-10001):
  The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
  allows remote attackers to cause a denial of service (out of array read) via
  an AVI file.


@Maintainers, ebuilds already in tree, please call for stabilization when ready.
Comment 1 Haelwenn Monnier 2018-07-19 17:46:25 UTC
Not sure if this is the right place to put it, but here are more vulnerabilities in FFmpeg.

CVE-2018-14394 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14394 )
  libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted Waveform audio file.

CVE-2018-14395 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14395 )
  libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted audio file when converting to the MOV audio format.
Comment 2 Alexis Ballier gentoo-dev 2019-02-13 15:25:22 UTC
*** Bug 652752 has been marked as a duplicate of this bug. ***
Comment 3 Alexis Ballier gentoo-dev 2019-02-13 15:28:46 UTC
https://ffmpeg.org/security.html

current stable ffmpeg is 3.3.6; this is security-wise equivalent to 3.4.1

so, we are missing:

3.4.5

Fixes following vulnerabilities:

CVE-2018-15822, 44e878d08674a15906badfb921443a44ebf6257d / 6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10

3.4.4

Fixes following vulnerabilities:

CVE-2018-14395, 2b8d4f6f0186b3ed0b223f665d32c36ed887149e / fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582

3.4.3

Fixes following vulnerabilities:

CVE-2018-7557,  ae49cc73f265a155e5c4b1715570aab3d9741b4d / 7414d0bda7763f9bd69c26c068e482ab297c1c96
CVE-2018-7751,  3fa6e594a0f2575ddb6b2183961fde42ab5ab37b / a6cba062051f345e8ebfdff34aba071ed73d923f
CVE-2018-10001, 51035698bde9c13da7eedc1f6eb47d190bbc949d / 47b7c68ae54560e2308bdb6be4fb076c73b93081
CVE-2018-12458, bd1fd3ff4b0437153a6c4717f59ce31a7bba8ca0 / e1182fac1afba92a4975917823a5f644bee7e6e8
CVE-2018-13300, 3a04f518ac283194bb13d8aff7d9fa963d551547 / 95556e27e2c1d56d9e18f5db34d6f756f3011148
CVE-2018-13302, 36c779bffe2ceef48a0fa4d7a6691c6895faf9e2 / ed22dc22216f74c75ee7901f82649e1ff725ba50
CVE-2018-14394, 20ad61ffb7b0fc72d17b5c21035eb85a698ac64b / 3a2d21bc5f97aa0161db3ae731fc2732be6108b8

3.4.2

Fixes following vulnerabilities:

CVE-2018-6621, 342f1da13489de6650349fff2206a81442d6c668 / 118e1b0b3370dd1c0da442901b486689efd1654b
CVE-2018-6392, 2980b95fafb39148cfade120eab5c75b46bfffc6 / 3f621455d62e46745453568d915badd5b1e5bcd5
Comment 4 Alexis Ballier gentoo-dev 2019-02-13 15:40:56 UTC
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2018-9841 (https://nvd.nist.gov/vuln/detail/CVE-2018-9841):
>   The export function in libavfilter/vf_signature.c in FFmpeg through 3.4.2
>   allows remote attackers to cause a denial of service (out-of-array access)
>   or possibly have unspecified other impact via a long filename.

Not reported in the upstream page.
Fix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/43916494f8cac6ed294309e70de346e309d51058

>=media-video/ffmpeg-3.4.3


> CVE-2018-7751 (https://nvd.nist.gov/vuln/detail/CVE-2018-7751):
>   The svg_probe function in libavformat/img2dec.c in FFmpeg through 3.4.2
>   allows remote attackers to cause a denial of service (Infinite Loop) via a
>   crafted XML file.


CVE-2018-7751,  3fa6e594a0f2575ddb6b2183961fde42ab5ab37b / a6cba062051f345e8ebfdff34aba071ed73d923f

>=media-video/ffmpeg-3.4.3


> CVE-2018-7557 (https://nvd.nist.gov/vuln/detail/CVE-2018-7557):
>   The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
>   allows remote attackers to cause a denial of service (Out of array read) via
>   an AVI file with crafted dimensions within chroma subsampling data.


CVE-2018-7557,  ae49cc73f265a155e5c4b1715570aab3d9741b4d / 7414d0bda7763f9bd69c26c068e482ab297c1c96

>=media-video/ffmpeg-3.4.3

> CVE-2018-6912 (https://nvd.nist.gov/vuln/detail/CVE-2018-6912):
>   The decode_plane function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
>   allows remote attackers to cause a denial of service (out of array read) via
>   a crafted AVI file.

Not mentioned in the upstream sec page.
Upstream fix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/76cc0f0f673353cd4746cd3b83838ae335e5d9ed


Offending code was added there: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92b32664cdc064523c60ddba5ed139855e08470c

3.4.5 was released on 2018-11-01. It is the latest stable FFmpeg release from the 3.4 release branch, which was cut from master on 2017-10-11. 

4.0.3 was released on 2018-11-03. It is the latest stable FFmpeg release from the 4.0 release branch, which was cut from master on 2018-04-16. 

So this is only an issue for ffmpeg >= 4, which has never been stable



> CVE-2018-10001 (https://nvd.nist.gov/vuln/detail/CVE-2018-10001):
>   The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2
>   allows remote attackers to cause a denial of service (out of array read) via
>   an AVI file.

CVE-2018-10001, 51035698bde9c13da7eedc1f6eb47d190bbc949d / 47b7c68ae54560e2308bdb6be4fb076c73b93081

>=media-video/ffmpeg-3.4.3
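
Comment 4 decides which releases are affected by where the offending commit landed relative to the release branch cut. The script below is an added example, not part of this bug report or of FFmpeg's or Gentoo's tooling; it checks the same question by commit ancestry with `git merge-base --is-ancestor`. The throwaway repository, its branch names and the `offending` tag are constructed for illustration.

```shell
#!/bin/sh
# Added example: which branches contain a given commit?
# Everything created by make_demo_repo is constructed for illustration;
# the branch names and the "offending" tag are hypothetical, not FFmpeg's.

# commit_in_branch REPO COMMIT BRANCH
# Exit status 0 if COMMIT is reachable from BRANCH, 1 if it is not.
commit_in_branch() {
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# affected_branches REPO COMMIT
# Print every local branch whose history contains COMMIT.
affected_branches() {
    git -C "$1" for-each-ref --format='%(refname:short)' refs/heads |
    while read -r branch; do
        if commit_in_branch "$1" "$2" "$branch"; then
            echo "$branch"
        fi
    done
}

# demo_commit REPO MESSAGE: add an empty commit with a fixed demo identity.
demo_commit() {
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "$2"
}

# make_demo_repo DIR: one release branch cut before the offending commit,
# one cut after it, mirroring the 3.4 / 4.0 situation described in comment 4.
make_demo_repo() {
    git init -q "$1" &&
    git -C "$1" symbolic-ref HEAD refs/heads/trunk &&
    demo_commit "$1" "base" &&
    git -C "$1" branch release-old &&
    demo_commit "$1" "introduce the offending change" &&
    git -C "$1" tag offending &&
    git -C "$1" branch release-new
}

# Usage against a real clone: sh this-script.sh /path/to/clone <commit>
if [ "$#" -eq 2 ]; then
    affected_branches "$1" "$2"
fi
```

Ancestry only finds the same commit object: a change backported by cherry-pick has a different hash on the release branch, so the branch's own history has to be checked for it as well.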
Comment 5 Alexis Ballier gentoo-dev 2019-02-13 15:42:08 UTC
(In reply to Haelwenn Monnier from comment #1)
> Not sure if this is the right place to put it, but here are more
> vulnerabilities in FFmpeg.

yes

> CVE-2018-14394 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14394 )
>   libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a
> denial of service (application crash caused by a divide-by-zero error) with
> a user crafted Waveform audio file.


CVE-2018-14394, 20ad61ffb7b0fc72d17b5c21035eb85a698ac64b / 3a2d21bc5f97aa0161db3ae731fc2732be6108b8

>=media-video/ffmpeg-3.4.3

> CVE-2018-14395 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14395 )
>   libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a
> denial of service (application crash caused by a divide-by-zero error) with
> a user crafted audio file when converting to the MOV audio format.

CVE-2018-14395, 2b8d4f6f0186b3ed0b223f665d32c36ed887149e / fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582

>=media-video/ffmpeg-3.4.3
Comment 6 Alexis Ballier gentoo-dev 2019-02-13 15:43:08 UTC
go for 3.4.5 that also fixes a few more CVEs
Comment 7 Alexis Ballier gentoo-dev 2019-02-13 15:43:41 UTC
(In reply to Alexis Ballier from comment #5)
> > CVE-2018-14395 ( https://nvd.nist.gov/vuln/detail/CVE-2018-14395 )
> >   libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a
> > denial of service (application crash caused by a divide-by-zero error) with
> > a user crafted audio file when converting to the MOV audio format.
> 
> CVE-2018-14395, 2b8d4f6f0186b3ed0b223f665d32c36ed887149e /
> fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582
> 
> >=media-video/ffmpeg-3.4.3

This is >=media-video/ffmpeg-3.4.4
Comment 8 Stabilization helper bot gentoo-dev 2019-02-13 16:04:15 UTC
An automated check of this bug failed - repoman reported dependency errors (135 lines truncated): 

> dependency.bad media-video/ffmpeg/ffmpeg-3.4.5.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins']
> dependency.bad media-video/ffmpeg/ffmpeg-3.4.5.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-plugins/frei0r-plugins']
> dependency.bad media-video/ffmpeg/ffmpeg-3.4.5.ebuild: DEPEND: arm(default/linux/arm/17.0) ['media-plugins/frei0r-plugins']
Comment 9 Stabilization helper bot gentoo-dev 2019-02-13 17:04:36 UTC
An automated check of this bug failed - repoman reported dependency errors (129 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
Comment 10 Alexis Ballier gentoo-dev 2019-02-13 17:09:35 UTC
@arm team: you should decide what you want to do here -- package.use.stable.mask vs catching up other arches
Comment 11 Mart Raudsepp gentoo-dev 2019-02-14 10:06:28 UTC
arm64 doesn't have a stable ffmpeg..
Comment 12 Stabilization helper bot gentoo-dev 2019-02-14 11:04:46 UTC
An automated check of this bug failed - repoman reported dependency errors (129 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
Comment 13 Thomas Deutschmann gentoo-dev Security 2019-02-15 15:47:37 UTC
x86 stable
Comment 14 Stabilization helper bot gentoo-dev 2019-02-15 16:05:09 UTC
An automated check of this bug failed - repoman reported dependency errors (129 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
Comment 15 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-02-15 18:36:10 UTC
amd64 stable
Comment 16 Stabilization helper bot gentoo-dev 2019-02-15 19:03:22 UTC
An automated check of this bug failed - repoman reported dependency errors (129 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
Comment 17 ernsteiswuerfel 2019-03-09 18:29:57 UTC
Created attachment 568336 [details]
tatt useflags & rdeps testing (ppc64)

Looking good on ppc64.

useflags failing: bug #678744
rdeps failing: media-libs/gegl (bug #639986), media-libs/mediastreamer (tests stall four hours)
Comment 18 Sergei Trofimovich gentoo-dev 2019-03-13 22:24:34 UTC
ppc stable thanks to ernsteiswuerfel!
Comment 19 Stabilization helper bot gentoo-dev 2019-03-13 23:02:11 UTC
An automated check of this bug failed - repoman reported dependency errors (61 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.badindev media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0/armv4) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
Comment 20 ernsteiswuerfel 2019-03-14 22:39:28 UTC
Created attachment 569136 [details]
tatt useflags & rdeps testing (ppc)

Looking good on ppc.

useflags failing: bug #678744
Comment 21 Stabilization helper bot gentoo-dev 2019-03-16 20:02:25 UTC
An automated check of this bug failed - repoman reported dependency errors (61 lines truncated): 

> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.bad media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
> dependency.badindev media-plugins/frei0r-plugins/frei0r-plugins-1.6.1.ebuild: DEPEND: arm(default/linux/arm/17.0/armv4) ['>=media-libs/opencv-2.3.0:=', '>=media-libs/gavl-1.2.0']
Comment 22 Markus Meier gentoo-dev 2019-03-20 17:03:07 UTC
arm stable
Comment 23 Stabilization helper bot gentoo-dev 2019-03-20 18:00:49 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 24 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-17 12:16:53 UTC
alpha stable
Comment 25 Agostino Sarubbo gentoo-dev 2019-06-04 18:59:24 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.