several vulnerabilities: CVE-2011-2162 CVE-2011-2161 CVE-2011-2160

Debian Bug report logs - #628448
several vulnerabilities: CVE-2011-2162 CVE-2011-2161 CVE-2011-2160

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <white@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: several vulnerabilities: CVE-2011-2162 CVE-2011-2161 CVE-2011-2160

Date: Sun, 29 May 2011 13:23:17 +1000

Package: libav
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for libav.

CVE-2011-2162[0]:
| Multiple unspecified vulnerabilities in FFmpeg 0.4.x through 0.6.x, as
| used in MPlayer 1.0 and other products, in Mandriva Linux 2009.0,
| 2010.0, and 2010.1; Corporate Server 4.0 (aka CS4.0); and Mandriva
| Enterprise Server 5 (aka MES5) have unknown impact and attack vectors,
| related to issues "originally discovered by Google Chrome developers."

CVE-2011-2161[1]:
| The ape_read_header function in ape.c in libavformat in FFmpeg before
| 0.5.4, as used in MPlayer, VideoLAN VLC media player, and other
| products, allows remote attackers to cause a denial of service
| (application crash) via an APE (aka Monkey's Audio) file that contains
| a header but no frames.

CVE-2011-2160[2]:
| The VC-1 decoding functionality in FFmpeg before 0.5.4, as used in
| MPlayer and other products, does not properly restrict read
| operations, which allows remote attackers to have an unspecified
| impact via a crafted VC-1 file, a related issue to CVE-2011-0723.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

Cheers,
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2162
    http://security-tracker.debian.org/tracker/CVE-2011-2162
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2161
    http://security-tracker.debian.org/tracker/CVE-2011-2161
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2160
    http://security-tracker.debian.org/tracker/CVE-2011-2160


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk3hvCAACgkQ62zWxYk/rQd1aACfZBs5SZcStYwaRi/5LB5zttpL
VPEAn2gZK2qTTba9yMf2XwQKsBrqKGMr
=2kvn
-----END PGP SIGNATURE-----

Message #10 received at 628448-done@bugs.debian.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@tauware.de>

To: Steffen Joeris <white@debian.org>

Cc: 628448-done@bugs.debian.org, team@security.debian.org

Subject: Re: several vulnerabilities: CVE-2011-2162 CVE-2011-2161 CVE-2011-2160

Date: Tue, 21 Jun 2011 19:05:52 +0200

Hi,

sorry for the delay, I somehow must have missed this mail and then got
too busy with releasing 0.7 upstream.

This report is pretty problematic because it describe different
vulnerabilities that got fixed in different versions. Moreover, the CVE
descriptions are /very/ vague, which doesn't make this report easier to
process, but well, so let's see.

On Sun, May 29, 2011 at 05:23:17 (CEST), Steffen Joeris wrote:

> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for libav.
>
> CVE-2011-2162[0]:
> | Multiple unspecified vulnerabilities in FFmpeg 0.4.x through 0.6.x, as
> | used in MPlayer 1.0 and other products, in Mandriva Linux 2009.0,
> | 2010.0, and 2010.1; Corporate Server 4.0 (aka CS4.0); and Mandriva
> | Enterprise Server 5 (aka MES5) have unknown impact and attack vectors,
> | related to issues "originally discovered by Google Chrome developers."

What "multiple unspecified vulnerabilities" is this talking about?!
Looking at the references, it seems they talk about:

 - CVE-2009-4632, fixed upstream commit:
   http://git.libav.org/?p=libav.git;a=commitdiff;h=ef84190a1ab777c35ea9fec64c3ab6ce641b79e5
   
 - CVE-2009-4633, upstream commit:
   http://git.libav.org/?p=libav.git;a=commitdiff;h=9ef13f70f4d38514fa82b998f7e62abb7940f4c1

 - CVE-2009-4634, fixed versions in: 0.5.2 and 0.6.1, upstream commits:
   http://git.libav.org/?p=libav.git;a=commitdiff;h=329e816ed7903cf078c52aecd32a3be3b5dabbee
   http://git.libav.org/?p=libav.git;a=commitdiff;h=d6860fb653ed42a9d35e134f843f03cc049b74f1
   cf. http://security-tracker.debian.org/tracker/CVE-2009-4633 and DSA-2000

 - CVE-2009-4635, Also addressed by DSA-2000, upstream commit is:
   http://git.libav.org/?p=libav.git;a=commitdiff;h=48b086b0efa40799ace96bcec010b6b72a9490d6

 - CVE-2009-4639, classified as "denial-of-service only"
   http://security-tracker.debian.org/tracker/CVE-2009-4639
   required example file to verify

 - CVE-2009-4640, seems be the same as 2009-4634

 - CVE-2010-3429, upstream commit:
   http://git.libav.org/?p=libav.git;a=commitdiff;h=2f504d7a90605b77d1a9ac43a8d1efa208e0f515

 - CVE-2010-4704, seems to the same as CVE-2009-4634

 - CVE-2011-0480, again a vorbis_dec problem, upstream commit:
   http://git.libav.org/?p=libav.git;a=commitdiff;h=329e816ed7903cf078c52aecd32a3be3b5dabbee

 - CVE-2011-0722, upstream commit:
   http://git.libav.org/?p=libav.git;a=commitdiff;h=808f9ce727fb05058a43de8d64539eddf5fa74d6

 - CVE-2011-0723, upstream commit:
   http://git.libav.org/?p=libav.git;a=commitdiff;h=8069e2f6fbd79e3d3d2ba17f5f097475b43e2921

 - CVE-2009-4636, wtf?

With this mess, its quite possible that I missed some important patch,
so feel free to correct me.

> CVE-2011-2161[1]:
> | The ape_read_header function in ape.c in libavformat in FFmpeg before
> | 0.5.4, as used in MPlayer, VideoLAN VLC media player, and other
> | products, allows remote attackers to cause a denial of service
> | (application crash) via an APE (aka Monkey's Audio) file that contains
> | a header but no frames.

 - CVE-2011-2161:
   http://git.libav.org/?p=libav.git;a=commitdiff;h=18c5fe919f4b1818ebdf405812c5a2d16174688f

> CVE-2011-2160[2]:
> | The VC-1 decoding functionality in FFmpeg before 0.5.4, as used in
> | MPlayer and other products, does not properly restrict read
> | operations, which allows remote attackers to have an unspecified
> | impact via a crafted VC-1 file, a related issue to CVE-2011-0723.

Does not explain the difference to CVE-2011-0723, and provides no testfile.

> If you fix the vulnerabilities please also make sure to include the
> CVE ids in your changelog entry.

With this research, I couldn't find any issue that was not already fixed
in a point release or another, so unstable is fixed TTBOMK. Again, if
you think I'm wrong please be more specifc.

For squeeze, I have prepared a 0.5.4 package with all known issues fixed
months ago, but I don't understand why it's not being processed. I
strongly recommend to accept new upstream versions from the same release
branches. That's why I'm doing those upstream releases, after all!

For lenny, sorry, we should EOL it and announce this fact properly. I
don't have the time and infrastructure to backport to such an old
snapshot properly.

Cheers,
Reinhard.


-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Message #17 received at 628448-close@bugs.debian.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@tauware.de>

To: 628448-close@bugs.debian.org

Subject: Bug#628448: fixed in libav 4:0.7-1

Date: Mon, 27 Jun 2011 21:36:15 +0000

Source: libav
Source-Version: 4:0.7-1

We believe that the bug you reported is fixed in the latest version of
libav, which is due to be installed in the Debian FTP archive:

ffmpeg-dbg_0.7-1_amd64.deb
  to main/liba/libav/ffmpeg-dbg_0.7-1_amd64.deb
ffmpeg-doc_0.7-1_all.deb
  to main/liba/libav/ffmpeg-doc_0.7-1_all.deb
ffmpeg_0.7-1_amd64.deb
  to main/liba/libav/ffmpeg_0.7-1_amd64.deb
libav-dbg_0.7-1_amd64.deb
  to main/liba/libav/libav-dbg_0.7-1_amd64.deb
libav-doc_0.7-1_all.deb
  to main/liba/libav/libav-doc_0.7-1_all.deb
libav-source_0.7-1_all.deb
  to main/liba/libav/libav-source_0.7-1_all.deb
libav_0.7-1.debian.tar.gz
  to main/liba/libav/libav_0.7-1.debian.tar.gz
libav_0.7-1.dsc
  to main/liba/libav/libav_0.7-1.dsc
libav_0.7.orig.tar.gz
  to main/liba/libav/libav_0.7.orig.tar.gz
libavcodec-dev_0.7-1_amd64.deb
  to main/liba/libav/libavcodec-dev_0.7-1_amd64.deb
libavcodec53_0.7-1_amd64.deb
  to main/liba/libav/libavcodec53_0.7-1_amd64.deb
libavdevice-dev_0.7-1_amd64.deb
  to main/liba/libav/libavdevice-dev_0.7-1_amd64.deb
libavdevice53_0.7-1_amd64.deb
  to main/liba/libav/libavdevice53_0.7-1_amd64.deb
libavfilter-dev_0.7-1_amd64.deb
  to main/liba/libav/libavfilter-dev_0.7-1_amd64.deb
libavfilter2_0.7-1_amd64.deb
  to main/liba/libav/libavfilter2_0.7-1_amd64.deb
libavformat-dev_0.7-1_amd64.deb
  to main/liba/libav/libavformat-dev_0.7-1_amd64.deb
libavformat53_0.7-1_amd64.deb
  to main/liba/libav/libavformat53_0.7-1_amd64.deb
libavutil-dev_0.7-1_amd64.deb
  to main/liba/libav/libavutil-dev_0.7-1_amd64.deb
libavutil51_0.7-1_amd64.deb
  to main/liba/libav/libavutil51_0.7-1_amd64.deb
libpostproc-dev_0.7-1_amd64.deb
  to main/liba/libav/libpostproc-dev_0.7-1_amd64.deb
libpostproc52_0.7-1_amd64.deb
  to main/liba/libav/libpostproc52_0.7-1_amd64.deb
libswscale-dev_0.7-1_amd64.deb
  to main/liba/libav/libswscale-dev_0.7-1_amd64.deb
libswscale2_0.7-1_amd64.deb
  to main/liba/libav/libswscale2_0.7-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 628448@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated libav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 21 Jun 2011 07:49:59 +0200
Source: libav
Binary: ffmpeg ffmpeg-dbg libav-dbg libav-source ffmpeg-doc libav-doc libavutil51 libavcodec53 libavdevice53 libavformat53 libavfilter2 libpostproc52 libswscale2 libavutil-dev libavcodec-dev libavdevice-dev libavformat-dev libavfilter-dev libpostproc-dev libswscale-dev
Architecture: source amd64 all
Version: 4:0.7-1
Distribution: experimental
Urgency: low
Maintainer: siretart <siretart@tauware.de>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description: 
 ffmpeg     - Multimedia player, server, encoder and transcoder
 ffmpeg-dbg - Debug symbols for Libav related packages
 ffmpeg-doc - Documentation of the Libav API (transitional package)
 libav-dbg  - Debug symbols for Libav related packages
 libav-doc  - Documentation of the Libav API
 libav-source - Patched Libav sources
 libavcodec-dev - Development files for libavcodec
 libavcodec53 - Libav codec library
 libavdevice-dev - Development files for libavdevice
 libavdevice53 - Libav device handling library
 libavfilter-dev - Development files for libavfilter
 libavfilter2 - Libav video filtering library
 libavformat-dev - Development files for libavformat
 libavformat53 - Libav file format library
 libavutil-dev - Development files for libavutil
 libavutil51 - Libav utility library
 libpostproc-dev - Development files for libpostproc
 libpostproc52 - Libav video postprocessing library
 libswscale-dev - Development files for libswscale
 libswscale2 - Libav video scaling library
Closes: 594108 627818 628448
Changes: 
 libav (4:0.7-1) experimental; urgency=low
 .
   * New upstream release.
   * Fixes several potential security issues, Closes: #628448
   * Much imporved libavfilter, Closes: #594108
   * Fixes some overlapping memcpys my using memmove instead, Closes: #627818
   * Bump libswscale SONAME
   * Bump shlibs
   * Bump Standards version to 3.9.2
Checksums-Sha1: 
 ba72d7b289858ed357acebf4f83df979fb34c17a 2371 libav_0.7-1.dsc
 ec4e3714a4f59aa3a25e75f5d7b4a64d7e46f03d 4918413 libav_0.7.orig.tar.gz
 2f335b6d38c049146cdbd06594688bfa53d38c6d 34651 libav_0.7-1.debian.tar.gz
 7d2dcf9d21bfd50f8c260bd438b978da80680d0d 445276 ffmpeg_0.7-1_amd64.deb
 1569d2d87b90b9f2ca275a3241d6d1825e3540d5 36966 ffmpeg-dbg_0.7-1_amd64.deb
 670834ab1fae1d21fcce2f04378980c2820ac6dd 9418840 libav-dbg_0.7-1_amd64.deb
 f9d2434ca5a39484c52eabee523c2cd67ba78f6c 25471736 libav-source_0.7-1_all.deb
 edb8bf74495647cb284093dfc0908591ab62f847 36932 ffmpeg-doc_0.7-1_all.deb
 5895f3f0ddb98a19df62d59d83bbaf5629d687de 20095888 libav-doc_0.7-1_all.deb
 5cf1775e4bcd1ab226c67598508bf81788a2bd4a 90518 libavutil51_0.7-1_amd64.deb
 9162f29bf47c4a0d1925eafb1310902e55da000a 2697134 libavcodec53_0.7-1_amd64.deb
 73d261b60cbcaf931eb44ded015e9a28fe7cdb57 59604 libavdevice53_0.7-1_amd64.deb
 59b9db609b5282e25b6b0c7de76cd2d98a822f87 490072 libavformat53_0.7-1_amd64.deb
 4b8e3fb0626a9f1f7c09c8c6eeb00d503a925878 92428 libavfilter2_0.7-1_amd64.deb
 ab3b358f0519a8805f81b8dcf609f7eddd9c276a 97524 libpostproc52_0.7-1_amd64.deb
 589a62db5a7d306bdfbba748ba8dab37527eadc4 118676 libswscale2_0.7-1_amd64.deb
 c5117e80b9e328108b5a9a106e95341ca2a31285 134334 libavutil-dev_0.7-1_amd64.deb
 eaae2d089abf82ec6964c1f405740803c3bf746a 3135542 libavcodec-dev_0.7-1_amd64.deb
 922cb6d355d3321361e813f881143ea6d3930e65 61462 libavdevice-dev_0.7-1_amd64.deb
 c66564d940bdc8f0d0ad3db4793c552a0298d3f9 649844 libavformat-dev_0.7-1_amd64.deb
 d6344891d9cf433489b63dc5f38dd28be6b081da 118404 libavfilter-dev_0.7-1_amd64.deb
 63bc67e0115cfb4a82681e9c6afe92538c030da4 98028 libpostproc-dev_0.7-1_amd64.deb
 1a710265a4733f7142d8052083f02e2c6bd666ed 136320 libswscale-dev_0.7-1_amd64.deb
Checksums-Sha256: 
 65bf77b09c6b47458e6d9a8f971f12fce962a504c36fb275c04fefbb135c7468 2371 libav_0.7-1.dsc
 6c6896dd0da3bc4a955824f5d798f97251280608d68c8c480fe5cf8edd54a28f 4918413 libav_0.7.orig.tar.gz
 e7e5aff090ec5ca14238b2d389129aa89d5ee9b0b4769711039a87ee885bd1a4 34651 libav_0.7-1.debian.tar.gz
 51d337ebe0073e56fc1438525f594fb22f82fad08319f1110dab7d7b18b35ebd 445276 ffmpeg_0.7-1_amd64.deb
 7d4171d18fd8dc664006ece136abf0f5bbd67b4369a2145247537b7fab5d51c2 36966 ffmpeg-dbg_0.7-1_amd64.deb
 91821b2a52d37af0e1775299f32546ccb20b86f3467b5e2abd6fa70218a4183d 9418840 libav-dbg_0.7-1_amd64.deb
 98474412cdc38556548a6cc48ffadc2338a340675d4697a2ff2b810dcd9dd500 25471736 libav-source_0.7-1_all.deb
 5db82327fa391ad0abde689be3327b76405aa44a14a940f1ca08dc0dbb70f819 36932 ffmpeg-doc_0.7-1_all.deb
 638b9033a367b451b22018c76bee3c3ab7d9f844cd869df02c745160cfcb4119 20095888 libav-doc_0.7-1_all.deb
 b7ee96fbfc615f3d4b988c33790b2ea77827a670c172d7839492385223184548 90518 libavutil51_0.7-1_amd64.deb
 e523bdce9ebda56efb0e9f83b65e5349e73517195ff0183ba260950823ce3f87 2697134 libavcodec53_0.7-1_amd64.deb
 a2076feecd76c30dfbbc9c4743db7816329b0fab26cd1c6b2b0f27d90a46fc81 59604 libavdevice53_0.7-1_amd64.deb
 c934256369a2320d791fbc32e9767f9d4a8216b5d0676f07caaebd2d9d82d523 490072 libavformat53_0.7-1_amd64.deb
 b967a4cf9b7c908eb716e9de6fe351717b1b880d9466ed250f2b714e45ccec0e 92428 libavfilter2_0.7-1_amd64.deb
 6cfba7f189628daf7172363d588c979227065b3e8c97a4fd03a880482b7264a1 97524 libpostproc52_0.7-1_amd64.deb
 255d0757c6cac17e29bda58733a00468204698a8ae12b95a6e7af19d8dcb66e6 118676 libswscale2_0.7-1_amd64.deb
 e4fba42e621adc6fbe718c322aee8a1a6b48711c59b0140a56b5c46f7033d87f 134334 libavutil-dev_0.7-1_amd64.deb
 3f832f381497db812f360909ed5990110facaf3e5d1ac20dd7d6b931f53ea77a 3135542 libavcodec-dev_0.7-1_amd64.deb
 ce9e996b5088797e0d90b8366a77b9aa44283df2852f95ed79bb7ae3ca865d0e 61462 libavdevice-dev_0.7-1_amd64.deb
 43fc8a3b5113f3073a4480d2c110c081134da672f5bcefbaafb206d1814a6640 649844 libavformat-dev_0.7-1_amd64.deb
 17107d1c0eba384c81f78fa7589bd36514adedae71abbe49a9a7b3279004aed0 118404 libavfilter-dev_0.7-1_amd64.deb
 330d3b71dbc0894dad7c3cd0dc34ee4efb2cd9016bb40ae18d106bba90e0acae 98028 libpostproc-dev_0.7-1_amd64.deb
 ad1a1d0d0382c28f39b0770321bbf1c23872bf61c3f15b20a1a5f9e02de52d28 136320 libswscale-dev_0.7-1_amd64.deb
Files: 
 1efd164a2c42d5326dbd8400aaae6332 2371 libs optional libav_0.7-1.dsc
 ac31895757745bbd23f5eb386e9a46ca 4918413 libs optional libav_0.7.orig.tar.gz
 ad8f67aa208fb4fb818d6a8c4f6afbc6 34651 libs optional libav_0.7-1.debian.tar.gz
 2aee264f2f238e8093c9b00f9087978c 445276 video optional ffmpeg_0.7-1_amd64.deb
 dbd903bf2a4659b5fb7f1839cb2fe76d 36966 debug extra ffmpeg-dbg_0.7-1_amd64.deb
 ab58333de1bd144dbc394ddd881914f2 9418840 debug extra libav-dbg_0.7-1_amd64.deb
 b9c5296116c934b2df4b614e8c5c708c 25471736 devel optional libav-source_0.7-1_all.deb
 3b5d80e6664a3da9b6cf5319ee173e4c 36932 doc optional ffmpeg-doc_0.7-1_all.deb
 453747a5212dff1201963620c2c25c10 20095888 doc optional libav-doc_0.7-1_all.deb
 990559b904655d8204bc0babcc38b4d4 90518 libs optional libavutil51_0.7-1_amd64.deb
 4dc7cde531d9d5926cf0e3d14c7d1c70 2697134 libs optional libavcodec53_0.7-1_amd64.deb
 8b7bd9549d57b113b98b97c4c1844d0d 59604 libs optional libavdevice53_0.7-1_amd64.deb
 1c78d9a7cccf68d039b52c234ac55720 490072 libs optional libavformat53_0.7-1_amd64.deb
 d01605385b8980a8da73ba4c0be6cfe6 92428 libs optional libavfilter2_0.7-1_amd64.deb
 1522967e3a25ae40fff7520977b0fe52 97524 libs optional libpostproc52_0.7-1_amd64.deb
 a7c93ce57f7ad8d1884ac5589023edb9 118676 libs optional libswscale2_0.7-1_amd64.deb
 805cfcdf61e7dd883df01d41282a50ae 134334 libdevel optional libavutil-dev_0.7-1_amd64.deb
 bb9081b1ad805b3eb7af5831bbe0ed46 3135542 libdevel optional libavcodec-dev_0.7-1_amd64.deb
 cf30a2ffb3ae7915526bb02939cb5797 61462 libdevel optional libavdevice-dev_0.7-1_amd64.deb
 a6fd1a3ad34e59818cd93c07eadb89f4 649844 libdevel optional libavformat-dev_0.7-1_amd64.deb
 5e3cbddc6dd66f174c14606d51167d04 118404 libdevel optional libavfilter-dev_0.7-1_amd64.deb
 11bb5ae4c1310ad342a32499a95fd998 98028 libdevel optional libpostproc-dev_0.7-1_amd64.deb
 be1be94a7a69a2731ea7e1330d0c52aa 136320 libdevel optional libswscale-dev_0.7-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Debian Powered!

iEYEARECAAYFAk4Af/oACgkQmAg1RJRTSKQ9hACeLwEVbF7t/+3Bg1SRE1JTcajY
+c4An0fARA0TPWBr5pvDp1s/WkHdabDB
=hYV8
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.