795696 – (CVE-2021-33815, CVE-2021-38171, CVE-2021-38291) <media-video/ffmpeg-4.4.1: multiple vulnerabilities (CVE-2021-{33815,38171,38291})

Bug 795696 (CVE-2021-33815, CVE-2021-38171, CVE-2021-38291) - <media-video/ffmpeg-4.4.1: multiple vulnerabilities (CVE-2021-{33815,38171,38291})

Summary: <media-video/ffmpeg-4.4.1: multiple vulnerabilities (CVE-2021-{33815,38171,38...

Status:	IN_PROGRESS

Alias:	CVE-2021-33815, CVE-2021-38171, CVE-2021-38291

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://trac.ffmpeg.org/ticket/9312
Whiteboard:	A3 [glsa? cleanup]
Keywords:

Depends on:	829389
Blocks:
	Show dependency tree

Reported:	2021-06-13 03:53 UTC by Sam James
Modified:	2021-12-20 20:29 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-06-13 03:53:39 UTC

Description:
"dwa_uncompress in libavcodec/exr.c in FFmpeg 4.4 allows an out-of-bounds array access because dc_count is not strictly checked."

https://github.com/FFmpeg/FFmpeg/commit/26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777

Comment 1 NATTkA bot gentoo-dev

2021-07-29 17:21:47 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:29:56 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:37:54 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:46:01 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 18:01:58 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 18:10:17 UTC

Package list is empty or all packages have requested keywords.

Comment 7 John Helmert III archtester

2021-08-12 23:38:34 UTC

CVE-2021-38291:

FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) suffers from a an assertion failure at src/libavutil/mathematics.c.

Unreleased patch: https://github.com/ffmpeg/ffmpeg/commit/e01d306c647b5827102260b885faa223b646d2d1

Comment 8 John Helmert III archtester

2021-08-26 02:02:48 UTC

CVE-2021-38171:

adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.

Patch: https://github.com/FFmpeg/FFmpeg/commit/9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6

Comment 9 Larry the Git Cow gentoo-dev

2021-10-26 04:35:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22ec1c3c5fb7ee32bde1a8a0eed2b884884521bf

commit 22ec1c3c5fb7ee32bde1a8a0eed2b884884521bf
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-10-26 04:33:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-10-26 04:34:11 +0000

    media-video/ffmpeg: add 4.4.1
    
    Not yet verified if all the CVEs are fixed.
    
    Bug: https://bugs.gentoo.org/795696
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/ffmpeg/Manifest            |   1 +
 media-video/ffmpeg/ffmpeg-4.4.1.ebuild | 555 +++++++++++++++++++++++++++++++++
 2 files changed, 556 insertions(+)

Comment 10 John Helmert III archtester

2021-12-20 20:29:30 UTC

Please cleanup.