libavcodec insufficient boundary check in CAVS decoding

Related Vulnerabilities: CVE-2011-3362, CVE-2011-3973, CVE-2011-3504

Debian Bug report logs - #641478


Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Tue, 13 Sep 2011 16:45:02 UTC

Severity: important

Fixed in version libav/4:0.7.1-7

Done: Reinhard Tartler <siretart@tauware.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#641478; Package libav. (Tue, 13 Sep 2011 16:45:04 GMT).


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 13 Sep 2011 16:45:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libavcodec insufficient boundary check in CAVS decoding
Date: Tue, 13 Sep 2011 18:43:11 +0200
Package: libav
Severity: important

The following was reported by oCERT:
http://www.ocert.org/advisories/ocert-2011-002.html

A CVE ID is not yet available, I will be requesting one. This is unfixed
in libav from sid. The ffmpeg fix can be found here:
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c5cbda50793e311aa73489d12184ffd6761c9fbf

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#641478; Package libav. (Wed, 14 Sep 2011 04:33:06 GMT).


Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 14 Sep 2011 04:33:06 GMT).


Message #10 received at 641478@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>
Cc: 641478@bugs.debian.org
Subject: Re: Bug#641478: libavcodec insufficient boundary check in CAVS decoding
Date: Tue, 13 Sep 2011 21:29:04 -0700
On Tue, Sep 13, 2011 at 09:43:11 (PDT), Moritz Muehlenhoff wrote:

> Package: libav
> Severity: important
>
> The following was reported by oCERT:
> http://www.ocert.org/advisories/ocert-2011-002.html
>
> A CVE ID is not yet available, I will be requesting one. This is unfixed
> in libav from sid. The ffmpeg fix can be found here:
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c5cbda50793e311aa73489d12184ffd6761c9fbf

Libav upstream believes that patch doesn't fix anything, but provides
the following one instead:

http://git.libav.org/?p=libav.git;a=commitdiff;h=bd968d260aef322fb32e254a3de0d2036c57bd56

(btw, it seems ffmpeg has in the meantime merged this one as well)

Cheers,
Reinhard

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4




Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility. (Mon, 26 Sep 2011 21:26:46 GMT).


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Mon, 26 Sep 2011 21:26:47 GMT).


Message #15 received at 641478-close@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: 641478-close@bugs.debian.org
Subject: Bug#641478: fixed in libav 4:0.7.1-7
Date: Mon, 26 Sep 2011 21:17:52 +0000
Source: libav
Source-Version: 4:0.7.1-7

We believe that the bug you reported is fixed in the latest version of
libav, which is due to be installed in the Debian FTP archive:

ffmpeg-dbg_0.7.1-7_amd64.deb
  to main/liba/libav/ffmpeg-dbg_0.7.1-7_amd64.deb
ffmpeg-doc_0.7.1-7_all.deb
  to main/liba/libav/ffmpeg-doc_0.7.1-7_all.deb
ffmpeg_0.7.1-7_amd64.deb
  to main/liba/libav/ffmpeg_0.7.1-7_amd64.deb
libav-dbg_0.7.1-7_amd64.deb
  to main/liba/libav/libav-dbg_0.7.1-7_amd64.deb
libav-doc_0.7.1-7_all.deb
  to main/liba/libav/libav-doc_0.7.1-7_all.deb
libav-source_0.7.1-7_all.deb
  to main/liba/libav/libav-source_0.7.1-7_all.deb
libav_0.7.1-7.debian.tar.gz
  to main/liba/libav/libav_0.7.1-7.debian.tar.gz
libav_0.7.1-7.dsc
  to main/liba/libav/libav_0.7.1-7.dsc
libavcodec-dev_0.7.1-7_amd64.deb
  to main/liba/libav/libavcodec-dev_0.7.1-7_amd64.deb
libavcodec53_0.7.1-7_amd64.deb
  to main/liba/libav/libavcodec53_0.7.1-7_amd64.deb
libavdevice-dev_0.7.1-7_amd64.deb
  to main/liba/libav/libavdevice-dev_0.7.1-7_amd64.deb
libavdevice53_0.7.1-7_amd64.deb
  to main/liba/libav/libavdevice53_0.7.1-7_amd64.deb
libavfilter-dev_0.7.1-7_amd64.deb
  to main/liba/libav/libavfilter-dev_0.7.1-7_amd64.deb
libavfilter2_0.7.1-7_amd64.deb
  to main/liba/libav/libavfilter2_0.7.1-7_amd64.deb
libavformat-dev_0.7.1-7_amd64.deb
  to main/liba/libav/libavformat-dev_0.7.1-7_amd64.deb
libavformat53_0.7.1-7_amd64.deb
  to main/liba/libav/libavformat53_0.7.1-7_amd64.deb
libavutil-dev_0.7.1-7_amd64.deb
  to main/liba/libav/libavutil-dev_0.7.1-7_amd64.deb
libavutil51_0.7.1-7_amd64.deb
  to main/liba/libav/libavutil51_0.7.1-7_amd64.deb
libpostproc-dev_0.7.1-7_amd64.deb
  to main/liba/libav/libpostproc-dev_0.7.1-7_amd64.deb
libpostproc52_0.7.1-7_amd64.deb
  to main/liba/libav/libpostproc52_0.7.1-7_amd64.deb
libswscale-dev_0.7.1-7_amd64.deb
  to main/liba/libav/libswscale-dev_0.7.1-7_amd64.deb
libswscale2_0.7.1-7_amd64.deb
  to main/liba/libav/libswscale2_0.7.1-7_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 641478@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated libav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 26 Sep 2011 22:24:47 +0200
Source: libav
Binary: ffmpeg ffmpeg-dbg libav-dbg libav-source ffmpeg-doc libav-doc libavutil51 libavcodec53 libavdevice53 libavformat53 libavfilter2 libpostproc52 libswscale2 libavutil-dev libavcodec-dev libavdevice-dev libavformat-dev libavfilter-dev libpostproc-dev libswscale-dev
Architecture: source amd64 all
Version: 4:0.7.1-7
Distribution: unstable
Urgency: medium
Maintainer: Reinhard Tartler <siretart@debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description: 
 ffmpeg     - Multimedia player, server, encoder and transcoder
 ffmpeg-dbg - Debug symbols for Libav related packages
 ffmpeg-doc - Documentation of the Libav API (transitional package)
 libav-dbg  - Debug symbols for Libav related packages
 libav-doc  - Documentation of the Libav API
 libav-source - Patched Libav sources
 libavcodec-dev - Development files for libavcodec
 libavcodec53 - Libav codec library
 libavdevice-dev - Development files for libavdevice
 libavdevice53 - Libav device handling library
 libavfilter-dev - Development files for libavfilter
 libavfilter2 - Libav video filtering library
 libavformat-dev - Development files for libavformat
 libavformat53 - Libav file format library
 libavutil-dev - Development files for libavutil
 libavutil51 - Libav utility library
 libpostproc-dev - Development files for libpostproc
 libpostproc52 - Libav video postprocessing library
 libswscale-dev - Development files for libswscale
 libswscale2 - Libav video scaling library
Closes: 641478
Changes: 
 libav (4:0.7.1-7) unstable; urgency=medium
 .
   * Add 63 (!) additional post 0.7.1 patches
     - all scheduled for next upstream point release
     - Fix missing CAVS boundary checks, Closes: #641478, Fixes: CVE-2011-3362
   * Medium urgency for fixing a security issue
   * Drop debian/patches/03-fix-movrel.patch, better patch upstream
   * prefer libtiff4 over libtiff5 for now
Checksums-Sha1: 
 d84f60ac345ba34ad5878700465195e7986210e7 2992 libav_0.7.1-7.dsc
 71de6fb206908c03443b55e9c10b767a9f99b543 77239 libav_0.7.1-7.debian.tar.gz
 c878cb8e8ef8ae28f5caeadda44733a511fe02b7 444934 ffmpeg_0.7.1-7_amd64.deb
 6c8dcff269ffad1c0a3abf542c70c8eeb1aaa485 37822 ffmpeg-dbg_0.7.1-7_amd64.deb
 e75f7fe434f4eb71ccc3843b26af7eb3734898e4 9467356 libav-dbg_0.7.1-7_amd64.deb
 d62bb4abfa8c079cb21ee37ebc43fb9101fb4c30 25591416 libav-source_0.7.1-7_all.deb
 b4bf60e0fc725a83cf93d5cb208d3f8613a4239f 37788 ffmpeg-doc_0.7.1-7_all.deb
 5a8c2c01c11ccf627e0e78f652086c62c0110331 20190266 libav-doc_0.7.1-7_all.deb
 d6be78fc3b970b783c8ee76c56ffdf07e4911b69 92260 libavutil51_0.7.1-7_amd64.deb
 51fbb140da799559ba76399e31d2beac4196ea79 2712564 libavcodec53_0.7.1-7_amd64.deb
 68bd3c44bf327f0804f02045c206db831b37b7cf 60708 libavdevice53_0.7.1-7_amd64.deb
 26c9a61b00090a6fc58b8896a92ce40bc421f966 495290 libavformat53_0.7.1-7_amd64.deb
 4fe27908101535722d460dcba2a459b853be412e 94088 libavfilter2_0.7.1-7_amd64.deb
 cfe7c4630bd9120a18ca59526d069a75c4c42e39 99402 libpostproc52_0.7.1-7_amd64.deb
 3d8a8ea1a8f49ba926eca749c5172d6a9d631291 120740 libswscale2_0.7.1-7_amd64.deb
 824c6c750fec3b358b2d0015cc35e520ed99e690 135274 libavutil-dev_0.7.1-7_amd64.deb
 328024f24d5ac293c6c958ac3c873522bd67bbac 3146276 libavcodec-dev_0.7.1-7_amd64.deb
 4ce55e890c148397a31f741963dcc7bc8a4f41ff 62506 libavdevice-dev_0.7.1-7_amd64.deb
 0b076088359423f109cbae3f295ba92137f04428 652040 libavformat-dev_0.7.1-7_amd64.deb
 a34208d41013ddb8e6970a1ebbaf7768929fad82 118864 libavfilter-dev_0.7.1-7_amd64.deb
 562e9db87f5b1b2b311b5f7ca83fece637d21be3 100016 libpostproc-dev_0.7.1-7_amd64.deb
 a75da6fed713356b04554b4d40a6a6aaff92da58 137234 libswscale-dev_0.7.1-7_amd64.deb
Checksums-Sha256: 
 357cca5db34629734f1bb636b9370e89f8399334fc0061f3387a647ef6fe62a0 2992 libav_0.7.1-7.dsc
 1923dbaeb070a4c079e4b5a3e145daa3032418f08bf8d4a701841effda64206a 77239 libav_0.7.1-7.debian.tar.gz
 3f96d80cbff994d3b7b1e5d866ef4ba8bcc2074e6a510fec3b0fbeebc7929c11 444934 ffmpeg_0.7.1-7_amd64.deb
 514f358cc0b4c9179621ed8f2e19d96aa7b5dbf831612d4011893c34bbfa4d0d 37822 ffmpeg-dbg_0.7.1-7_amd64.deb
 e0a962b7fae1187e09b7a8ca638257c94d24bced9336d0addc6c866e43afd570 9467356 libav-dbg_0.7.1-7_amd64.deb
 864f344f1e37c3f83a06408a7ad79b70afed24a6f9ccf11252a1aad1b490922f 25591416 libav-source_0.7.1-7_all.deb
 645cad9c62f64c5de07924b267f76e539a5671a7823ac2a05ffe5b798b421b76 37788 ffmpeg-doc_0.7.1-7_all.deb
 3f43897c1f275b1f929f57bf89353da46dfdb52baa833dcc869e88039094879b 20190266 libav-doc_0.7.1-7_all.deb
 724d0da6607d1490a6cabee9517bcf0235c73a134d0b84ce99b7d7b88a010ea5 92260 libavutil51_0.7.1-7_amd64.deb
 90db9f86f1cb562caf423ce74dff5a2fd6fff553ee7b30a31e472bc6a96f68f5 2712564 libavcodec53_0.7.1-7_amd64.deb
 12c86908dcca342ef6a4907c5580f2bf1558c13507e4702a35101f3a06694d72 60708 libavdevice53_0.7.1-7_amd64.deb
 632f8167d22ccbfa8cf28aba0bb2c5bd06a5cf233ca50a63a89eddc232790369 495290 libavformat53_0.7.1-7_amd64.deb
 8d2f172e4cb63145ab332cd85fdcbcb7b2cbcb8a8885f34ca81d2fb5fc72ba27 94088 libavfilter2_0.7.1-7_amd64.deb
 f9cdb0281bcb127c7e31bf287413ca4855497f8374a6426ca4de58b98107d22c 99402 libpostproc52_0.7.1-7_amd64.deb
 8a1c4a3559201d5c36beb9ec9f7ef0161b597b41b7eac91e2765c2089948806d 120740 libswscale2_0.7.1-7_amd64.deb
 a828d0349329519a968f53c9e62d3eaf9e9a1a1b6b2350c7f062dfbfdfb387af 135274 libavutil-dev_0.7.1-7_amd64.deb
 0360587b2018e589b165849db71356a08494794397ba6cbed3965e865b2b616b 3146276 libavcodec-dev_0.7.1-7_amd64.deb
 6ea0a5a8d3c0eb41d570105883ecb01801620878b9d55142388c7ec1419bfdcd 62506 libavdevice-dev_0.7.1-7_amd64.deb
 1b089448abfe1bc1cca346fb45d905297525908a61efe999d3523ebbe812a0e6 652040 libavformat-dev_0.7.1-7_amd64.deb
 80df8f5575fddd9948072d5ec0d1dec8da6566eba4fbf81c99d75fc2ab265038 118864 libavfilter-dev_0.7.1-7_amd64.deb
 8bc39c1b61c0b6b1ae02ccd74407bf6fd87945e8789099d17aa39257dfad25ae 100016 libpostproc-dev_0.7.1-7_amd64.deb
 4630c7b99e24b638955c4d91a6469c2378be2600f7805834aea66876929adccd 137234 libswscale-dev_0.7.1-7_amd64.deb
Files: 
 ce457a77d31c33066524495927ad54c2 2992 libs optional libav_0.7.1-7.dsc
 4be215a8d0b1e197ca23ec8c87e4b178 77239 libs optional libav_0.7.1-7.debian.tar.gz
 9a9c91069a6e7b632f00ea1d51c194be 444934 video optional ffmpeg_0.7.1-7_amd64.deb
 f53189405a36c3525b863d9ab26f939f 37822 debug extra ffmpeg-dbg_0.7.1-7_amd64.deb
 101f1aceae20619a5e56fdb094cb8f23 9467356 debug extra libav-dbg_0.7.1-7_amd64.deb
 a94e8e91fcb48183fceb81f702413d19 25591416 devel optional libav-source_0.7.1-7_all.deb
 2188a3e8946f0f26726de3acf5703664 37788 doc optional ffmpeg-doc_0.7.1-7_all.deb
 ca4c7a50ab7759b82a8d86dd2f7e8d2b 20190266 doc optional libav-doc_0.7.1-7_all.deb
 a7b5bd5e267bd9a6664df95a952319ff 92260 libs optional libavutil51_0.7.1-7_amd64.deb
 1cac3d789036363f53708d706a733b69 2712564 libs optional libavcodec53_0.7.1-7_amd64.deb
 1b3988d97f451a4f5bc50885308c0767 60708 libs optional libavdevice53_0.7.1-7_amd64.deb
 1ddf870111521bda447dce4c0502533b 495290 libs optional libavformat53_0.7.1-7_amd64.deb
 ce264ea6e1a3bbf994088e4ecba8ee3c 94088 libs optional libavfilter2_0.7.1-7_amd64.deb
 6e60fa5bbba9c59594f9d7dbc163b604 99402 libs optional libpostproc52_0.7.1-7_amd64.deb
 2270800b11d672189d85acbba378595f 120740 libs optional libswscale2_0.7.1-7_amd64.deb
 2bfc85c05e7e1380a57d1193a3a3fda7 135274 libdevel optional libavutil-dev_0.7.1-7_amd64.deb
 bc9a713ac2528b5a8672c30753689576 3146276 libdevel optional libavcodec-dev_0.7.1-7_amd64.deb
 386c7d986dc505fa55b9c5d2f20b2452 62506 libdevel optional libavdevice-dev_0.7.1-7_amd64.deb
 2fca83cd311ff85a67f09c6490ca34fc 652040 libdevel optional libavformat-dev_0.7.1-7_amd64.deb
 b61f293d4f8e145d88a73eafa15276da 118864 libdevel optional libavfilter-dev_0.7.1-7_amd64.deb
 ca0175fdeaa984b85043593bc65af985 100016 libdevel optional libpostproc-dev_0.7.1-7_amd64.deb
 ef2a26d7f1e680250e6100a102ed2ef2 137234 libdevel optional libswscale-dev_0.7.1-7_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Debian Powered!

iEYEARECAAYFAk6A5/sACgkQmAg1RJRTSKS5/gCfcZPmp0GewJl73LX84q41zxud
H28AnRpwfvaAabLKzLCrN+LQlZqp0qjx
=Ze71
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#641478; Package libav. (Wed, 02 Nov 2011 14:36:03 GMT).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 02 Nov 2011 14:36:03 GMT).


Message #20 received at 641478@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 641478@bugs.debian.org
Cc: Reinhard Tartler <siretart@tauware.de>
Subject: Upload of ffmpeg for Squeeze
Date: Wed, 02 Nov 2011 15:33:20 +0100
Hey,

I'm considering the various open issues in ffmpeg in Squeeze
(CVE-2011-{3362,3504,3973,3974}). They were fixed in sid (in libav) but
not yet in Squeeze, so I intended to take a look at them and maybe do an
upload to stable-security but Moritz told me that you maintained a
stable branch so maybe you already have something ready.

What do you think? Should I start preparing something or do you want to
handle it?

Regards,
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#641478; Package libav. (Wed, 02 Nov 2011 19:33:06 GMT).


Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 02 Nov 2011 19:33:07 GMT).


Message #25 received at 641478@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: 641478@bugs.debian.org, team@security.debian.org
Subject: Re: Upload of ffmpeg for Squeeze
Date: Wed, 02 Nov 2011 20:28:36 +0100
On Wed, Nov 02, 2011 at 15:33:20 (CET), Yves-Alexis Perez wrote:

> Hey,
>
> I'm considering the various open issues in ffmpeg in Squeeze
> (CVE-2011-{3362,3504,3973,3974}). They were fixed in sid (in libav) but
> not yet in Squeeze, so I intended to take a look at them and maybe do an
> upload to stable-security but Moritz told me that you maintained a
> stable branch so maybe you already have something ready.
>
> What do you think? Should I start preparing something or do you want to
> handle it?

Thank you for pointing out these issues.

I'm maintaining a stable branch upstream here:

http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.5

If you could point me to the corresponding commits that fix these CVEs
in the master branch, I'm happy to backport them to that branch and roll a
0.5.5 release on short notice.  Based on that release, we then update
our stable packaging branch here:

http://anonscm.debian.org/gitweb/?p=pkg-multimedia/libav.git;a=shortlog;h=refs/heads/squeeze

I'd propose to then build a package from that branch and upload it to
stable-security. Would that work for you?

Cheers,
Reinhard
-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#641478; Package libav. (Wed, 02 Nov 2011 21:03:03 GMT).


Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 02 Nov 2011 21:03:03 GMT).


Message #30 received at 641478@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: 641478@bugs.debian.org, team@security.debian.org, libav-devel@libav.org
Subject: Re: Bug#641478: Upload of ffmpeg for Squeeze
Date: Wed, 02 Nov 2011 21:57:21 +0100
On Wed, Nov 02, 2011 at 15:33:20 (CET), Yves-Alexis Perez wrote:

> I'm considering the various open issues in ffmpeg in Squeeze
> (CVE-2011-{3362,3504,3973,3974}).

I'm currently investigating these issues. Let's first discuss the CAVS
related ones (3362,3973,3974):

3974 seems to have been allocated in error, as it even references the
same commit as 3973. What is the procedure to request it
removed/invalidated?

As for 3362 & 3973, I believe both have been fixed by this commit:
http://git.libav.org/?p=libav.git;a=commitdiff;h=4a71da0f3ab7f5542decd11c81994f849d5b2c78

This commit has also been merged into FFmpeg. That imported commit is
also referenced in the CVE description of CVE-2011-3973, so I assume
that this is the correct fix.

For CVE-2011-3362, FFmpeg changed the signedness of two variables in the
function decode_residual_block(). I'd be curious to see a sample that
still exploits Libav's cavs decoder without that signedness
change. Until I'm presented an exploit that demonstrates this issue, I'm
going to assume that CVE-2011-3362 is fixed by the same patch that fixed
CVE-2011-3973.

Now for CVE-2011-3504, which concerns an allocation error in the
matroska decoder. I strongly believe that this has been fixed by this
commit:
http://git.libav.org/?p=libav.git;a=commitdiff;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec

Unlike the CVE Report, the commit message refers to MSVR-11-0080, which
does not seem to exist in bing at all. I currently assume that the CVE
is right and the commit message (which was imported from FFmpeg without
further checking) should have referenced MSVR11-011 instead.

In any case, I've just backported both patches to the 0.5 branch:
http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.5

Feedback and tests welcome.

If nobody disagrees and nothing else pops up until let's say Friday,
I'm going to roll 0.5.5 tarballs.

Does this work for everyone?

Cheers,
Reinhard.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#641478; Package libav. (Thu, 03 Nov 2011 14:00:03 GMT).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 03 Nov 2011 14:00:04 GMT).


Message #35 received at 641478@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Reinhard Tartler <siretart@tauware.de>
Cc: 641478@bugs.debian.org, team@security.debian.org, libav-devel@libav.org
Subject: Re: Bug#641478: Upload of ffmpeg for Squeeze
Date: Thu, 03 Nov 2011 14:56:51 +0100
On Wed, 2011-11-02 at 21:57 +0100, Reinhard Tartler wrote:
> On Wed, Nov 02, 2011 at 15:33:20 (CET), Yves-Alexis Perez wrote:
> 
> > I'm considering the various open issues in ffmpeg in Squeeze
> > (CVE-2011-{3362,3504,3973,3974}).
> 
> I'm currently investigating these issues. Let's first discuss the CAVS
> related ones (3362,3973,3974):
> 
> 3974 seems to have been allocated in error, as it even references the
> same commit as 3973. What is the procedure to request it
> removed/invalidated?

I'm not too sure since I don't know who assigned it. Maybe mailing
someone at Mitre?
> 
> As for 3362 & 3973, I believe both have been fixed by this commit:
> http://git.libav.org/?p=libav.git;a=commitdiff;h=4a71da0f3ab7f5542decd11c81994f849d5b2c78
> 
> This commit has also been merged into FFmpeg. That imported commit is
> also referenced in the CVE description of CVE-2011-3973, so I assume
> that this is the correct fix.

Looks like that, yes.
> 
> For CVE-2011-3362, FFmpeg changed the signedness of two variables in the
> function decode_residual_block(). I'd be curious to see a sample that
> still exploits Libav's cavs decoder without that signedness
> change. Until I'm presented an exploit that demonstrates this issue, I'm
> going to assume that CVE-2011-3362 is fixed by the same patch that fixed
> CVE-2011-3973.

Shouldn't it be safe to still fix the signed-ness?
> 
> Now for CVE-2011-3504, which concerns an allocation error in the
> matroska decoder. I strongly believe that this has been fixed by this
> commit:
> http://git.libav.org/?p=libav.git;a=commitdiff;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec
> 
> Unlike the CVE Report, the commit message refers to MSVR-11-0080, which
> does not seem to exist in bing at all. I currently assume that the CVE
> is right and the commit message (which was imported from FFmpeg without
> further checking) should have referenced MSVR11-011 instead.
> 
> In any case, I've just backported both patches to the 0.5 branch:
> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.5

Thanks.
> 
> Feedback and tests welcome.
> 
> If nobody disagrees and nothing else pops up until let's say Friday,
> I'm going to roll 0.5.5 tarballs.
> 
> Does this work for everyone?
> 
Works for me at least, notwithstanding the 3362 fix.

Regards,
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#641478; Package libav. (Thu, 03 Nov 2011 21:33:05 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 03 Nov 2011 21:33:05 GMT).


Message #40 received at 641478@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Yves-Alexis Perez <corsac@debian.org>, 641478@bugs.debian.org, team@security.debian.org, libav-devel@libav.org
Subject: Re: Bug#641478: Upload of ffmpeg for Squeeze
Date: Thu, 3 Nov 2011 22:30:11 +0100
On Wed, Nov 02, 2011 at 09:57:21PM +0100, Reinhard Tartler wrote:
> On Wed, Nov 02, 2011 at 15:33:20 (CET), Yves-Alexis Perez wrote:
> 
> > I'm considering the various open issues in ffmpeg in Squeeze
> > (CVE-2011-{3362,3504,3973,3974}).
> 
> I'm currently investigating these issues. Let's first discuss the CAVS
> related ones (3362,3973,3974):
> 
> 3974 seems to have been allocated in error, as it even references the
> same commit as 3973. What is the procedure to request it
> removed/invalidated?

MITRE loves to split hairs: while it was fixed in a single commit,
some of the missing bitstream validations only lead to denial of
service, whereas the integer overflow allows code injection. Arguing
about this will probably be a waste of time; let's just use both IDs.
(Also, the IDs have already been in use for quite some time and changing
them would only cause more confusion.)

The rest sounds good to me.

Cheers,
        Moritz
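Reinhard's two points in message #30 (the missing boundary check on the CAVS residual data and the signedness of the variables in decode_residual_block()), together with Moritz's distinction above between missing validations that only crash the decoder and an overflow that corrupts memory, can be made concrete with a toy decoder. The following is an added example written for this page; it is not libav's or FFmpeg's code, and its input syntax (pairs of signed bytes: run, then level, with a level of 0 ending the block) is invented for the illustration. It shows why a signed comparison `i >= 64` on its own is not a bound check for a 64-entry block, and how the `(unsigned)i >= 64` idiom rejects a negative index as well as an overlarge one.

```c
/* Added example for this page, not libav/FFmpeg code. A toy run/level
 * residual-block decoder showing (a) an unchecked scan index that walks
 * past the 64 coefficients of an 8x8 block and (b) a bound check that uses
 * a signed compare and therefore misses negative indices. The input syntax
 * (signed byte pairs: run, level; level == 0 terminates) is invented here;
 * in a real decoder run/level come from VLC tables and escape codes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { CHECK_NONE, CHECK_SIGNED, CHECK_UNSIGNED };

typedef struct {
    int16_t block[64];  /* the 8x8 coefficient block being filled */
    int ok;             /* 1: input accepted, 0: rejected as malformed */
    int oob_write;      /* 1: a store outside block[] was attempted */
    int oob_index;      /* the offending index when oob_write is set */
} BlockResult;

/* Decode (run, level) pairs into block[]. The index arithmetic i += run + 1
 * mirrors the usual coefficient loop. Out-of-range stores are recorded, not
 * performed, so the unsafe modes can be demonstrated without corrupting
 * memory; a real decoder would simply store through the bad index. */
static BlockResult decode_residual_block(const int8_t *sym, size_t nsym, int mode)
{
    BlockResult r;
    memset(&r, 0, sizeof r);
    r.ok = 1;
    int i = -1;                          /* position of the last coded coefficient */

    for (size_t n = 0; n + 1 < nsym; n += 2) {
        int run   = sym[n];
        int level = sym[n + 1];
        if (level == 0)                  /* end-of-block marker */
            return r;
        i += run + 1;

        /* Signed compare: rejects 64 and above but lets a negative i through. */
        if (mode == CHECK_SIGNED && i >= 64) { r.ok = 0; return r; }
        /* Unsigned compare: a negative i wraps to a huge value and is rejected too. */
        if (mode == CHECK_UNSIGNED && (unsigned)i >= 64) { r.ok = 0; return r; }

        if (i < 0 || i >= 64) {          /* this store would land outside block[] */
            r.oob_write = 1;
            r.oob_index = i;
            continue;
        }
        r.block[i] = (int16_t)level;
    }
    r.ok = 0;                            /* ran out of data without end-of-block */
    return r;
}

/* Constructed inputs for the example (not taken from any real sample). */
static const int8_t SAMPLE_GOOD[]     = { 0, 5,   2, -3,  0, 0 };  /* coefficients at 0 and 3 */
static const int8_t SAMPLE_TOO_HIGH[] = { 63, 1, 63, 1,   0, 0 };  /* second index is 127 */
static const int8_t SAMPLE_NEGATIVE[] = { 2, 1,  -5, 1,   0, 0 };  /* second index is -2 */

/* Small wrappers so each outcome is a plain int. */
static int accepted(const int8_t *sym, size_t nsym, int mode)
{
    BlockResult r = decode_residual_block(sym, nsym, mode);
    return r.ok;
}
static int wrote_out_of_bounds(const int8_t *sym, size_t nsym, int mode)
{
    BlockResult r = decode_residual_block(sym, nsym, mode);
    return r.oob_write;
}
static int bad_index(const int8_t *sym, size_t nsym, int mode)
{
    BlockResult r = decode_residual_block(sym, nsym, mode);
    return r.oob_index;
}
static int coeff(const int8_t *sym, size_t nsym, int mode, int pos)
{
    BlockResult r = decode_residual_block(sym, nsym, mode);
    return r.block[pos];
}

int main(void)
{
    const char *names[] = { "no check", "signed check", "unsigned check" };
    for (int m = CHECK_NONE; m <= CHECK_UNSIGNED; m++) {
        printf("%-15s good:%d  high:%d (oob %d)  negative:%d (oob %d)\n", names[m],
               accepted(SAMPLE_GOOD, sizeof SAMPLE_GOOD, m),
               accepted(SAMPLE_TOO_HIGH, sizeof SAMPLE_TOO_HIGH, m),
               wrote_out_of_bounds(SAMPLE_TOO_HIGH, sizeof SAMPLE_TOO_HIGH, m),
               accepted(SAMPLE_NEGATIVE, sizeof SAMPLE_NEGATIVE, m),
               wrote_out_of_bounds(SAMPLE_NEGATIVE, sizeof SAMPLE_NEGATIVE, m));
    }
    return 0;
}
```

With no check, the overlarge run is accepted and the store lands at index 127, well past the block; the signed check stops that case but still accepts the negative run, so a store at index -2 goes through. Only the unsigned compare rejects both. Which of the two stores crashes and which can be steered into something useful to an attacker depends on what sits next to the block in memory, which is the distinction Moritz draws between the denial-of-service and the code-injection IDs.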




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#641478; Package libav. (Sat, 05 Nov 2011 13:27:07 GMT).


Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 05 Nov 2011 13:27:08 GMT).


Message #45 received at 641478@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: 641478@bugs.debian.org, team@security.debian.org, libav-devel@libav.org, libav development <libav-devel@libav.org>
Subject: Re: [libav-devel] Bug#641478: Upload of ffmpeg for Squeeze, Re: [libav-devel] Bug#641478: Upload of ffmpeg for Squeeze
Date: Sat, 05 Nov 2011 14:24:00 +0100
On Thu, Nov 03, 2011 at 14:56:51 (CET), Yves-Alexis Perez wrote:

>> As for 3362 & 3973, I believe both have been fixed by this commit:
>> http://git.libav.org/?p=libav.git;a=commitdiff;h=4a71da0f3ab7f5542decd11c81994f849d5b2c78
>> 
>> This commit has also been merged into FFmpeg. That imported commit is
>> also referenced in the CVE description of CVE-2011-3973, so I assume
>> that this is the correct fix.
>
> Looks like that, yes.
>> 
>> For CVE-2011-3362, FFmpeg changed the signedness of two variables in the
>> function decode_residual_block(). I'd be curious to see a sample that
>> still exploits Libav's cavs decoder without that signedness
>> change. Until I'm presented an exploit that demonstrates this issue, I'm
>> going to assume that CVE-2011-3362 is fixed by the same patch that fixed
>> CVE-2011-3973.
>
> Shouldn't it be safe to still fix the signed-ness?

Feel free to propose such a patch. I've tried to come up with a proper
explanation of what the signedness change is going to fix, but I failed.  If
only there existed a sample exploit that showed that libav 0.5.5 is
still vulnerable…

>> Now for CVE-2011-3504, which concerns an allocation error in the
>> matroska decoder. I strongly believe that this has been fixed by this
>> commit:
>> http://git.libav.org/?p=libav.git;a=commitdiff;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec
>> 
>> Unlike the CVE Report, the commit message refers to MSVR-11-0080, which
>> does not seem to exist in bing at all. I currently assume that the CVE
>> is right and the commit message (which was imported from FFmpeg without
>> further checking) should have referenced MSVR11-011 instead.
>> 
>> In any case, I've just backported both patches to the 0.5 branch:
>> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.5
>
> Thanks.

released 0.5.5 & updated the branch now.

>> Feedback and tests welcome.
>> 
>> If nobody disagrees and nothing else pops up until let's say Friday,
>> I'm going to roll 0.5.5 tarballs.
>> 
>> Does this work for everyone?
>> 
> Works for me at least, notwithstanding the 3362 fix.

Moritz seems to be OK with this:

On Thu, Nov 03, 2011 at 22:30:11 (CET), Moritz Muehlenhoff wrote:

[...]

> The rest sounds good to me.


I'm going to upload 0.5.5-1 to stable-security later today, unless
someone objects. (it needs to be approved manually anyways)

Cheers,
Reinhard.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#641478; Package libav. (Tue, 08 Nov 2011 21:51:15 GMT).


Acknowledgement sent to lsorense@csclub.uwaterloo.ca (Lennart Sorensen):
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 08 Nov 2011 21:51:15 GMT).


Message #50 received at 641478@bugs.debian.org:

From: lsorense@csclub.uwaterloo.ca (Lennart Sorensen)
To: 641478@bugs.debian.org
Subject: Patch to fix ffmpeg 0.5.5-1 build on powerpc.
Date: Tue, 8 Nov 2011 16:42:56 -0500
This patch fixes building of ffmpeg 0.5.5-1 on powerpc for me.
It matches what the code is now like in newer versions of ffmpeg.

diff -urN ffmpeg-0.5.5/libavcodec/cavs.h ffmpeg-0.5.5.powerpcfix/libavcodec/cavs.h
--- ffmpeg-0.5.5/libavcodec/cavs.h	2011-11-05 07:57:22.000000000 -0400
+++ ffmpeg-0.5.5.powerpcfix/libavcodec/cavs.h	2011-11-08 16:27:24.051972526 -0500
@@ -136,7 +136,7 @@
   MV_BWD_X3
 };
 
-DECLARE_ALIGNED_8(typedef, struct) {
+DECLARE_ALIGNED(8, typedef, struct) {
     int16_t x;
     int16_t y;
     int16_t dist;
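Review bot: the rename from DECLARE_ALIGNED_8(typedef, struct) to DECLARE_ALIGNED(8, typedef, struct) only compiles if the libavutil header in the same 0.5.5 tree actually defines the three-argument DECLARE_ALIGNED(n, t, v) form; the hunk changes this one declaration site and nothing else, so confirm the macro definition shipped with the tarball matches, and grep the tree for any remaining DECLARE_ALIGNED_8 callers, since a build break confined to powerpc and armel suggests the macro definition and its users got out of step in the backport rather than a problem unique to cavs.h. The struct keeps its three int16_t fields, so this touches alignment of the declaration only and has no bearing on the CAVS bounds checks this bug is about; the patch description should say so explicitly so nobody mistakes it for part of the security fix.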


So not much to the patch.  Compiles on squeeze for me.

Haven't looked at the armel one yet, but I probably could.

-- 
Len Sorensen




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#641478; Package libav. (Wed, 09 Nov 2011 15:06:03 GMT).


Acknowledgement sent to lsorense@csclub.uwaterloo.ca (Lennart Sorensen):
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 09 Nov 2011 15:06:03 GMT).


Message #55 received at 641478@bugs.debian.org:

From: lsorense@csclub.uwaterloo.ca (Lennart Sorensen)
To: 641478@bugs.debian.org
Subject: Re: Patch to fix ffmpeg 0.5.5-1 build on powerpc.
Date: Wed, 9 Nov 2011 10:02:36 -0500
On Tue, Nov 08, 2011 at 04:42:56PM -0500,  wrote:
> This patch fixes building of ffmpeg 0.5.5-1 on powerpc for me.
> It matches what the code is now like in newer versions of ffmpeg.
> 
> diff -urN ffmpeg-0.5.5/libavcodec/cavs.h ffmpeg-0.5.5.powerpcfix/libavcodec/cavs.h
> --- ffmpeg-0.5.5/libavcodec/cavs.h	2011-11-05 07:57:22.000000000 -0400
> +++ ffmpeg-0.5.5.powerpcfix/libavcodec/cavs.h	2011-11-08 16:27:24.051972526 -0500
> @@ -136,7 +136,7 @@
>    MV_BWD_X3
>  };
>  
> -DECLARE_ALIGNED_8(typedef, struct) {
> +DECLARE_ALIGNED(8, typedef, struct) {
>      int16_t x;
>      int16_t y;
>      int16_t dist;
> 
> 
> So not much to the patch.  Compiles on squeeze for me.
> 
> Haven't looked at the armel one yet, but I probably could.

Same patch actually fixed armel compile as well.

-- 
Len Sorensen




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 08 Dec 2011 07:33:34 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:51:44 2019; Machine Name: buxtehude
