Debian Bug report logs - #641478: libavcodec insufficient boundary check in CAVS decoding
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Tue, 13 Sep 2011 16:45:02 UTC
Severity: important
Fixed in version libav/4:0.7.1-7
Done: Reinhard Tartler <siretart@tauware.de>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#641478; Package libav. (Tue, 13 Sep 2011 16:45:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: New Bug report received and forwarded. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 13 Sep 2011 16:45:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libav
Severity: important
The following was reported by oCERT:
http://www.ocert.org/advisories/ocert-2011-002.html
A CVE ID is not yet available; I will be requesting one. This is unfixed
in libav from sid. The ffmpeg fix can be found here:
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c5cbda50793e311aa73489d12184ffd6761c9fbf
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#641478; Package libav. (Wed, 14 Sep 2011 04:33:06 GMT)
Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>: Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 14 Sep 2011 04:33:06 GMT)
Message #10 received at 641478@bugs.debian.org:
On Di, Sep 13, 2011 at 09:43:11 (PDT), Moritz Muehlenhoff wrote:
> Package: libav
> Severity: important
>
> The following was reported by oCERT:
> http://www.ocert.org/advisories/ocert-2011-002.html
>
> A CVE ID is not yet available; I will be requesting one. This is unfixed
> in libav from sid. The ffmpeg fix can be found here:
> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c5cbda50793e311aa73489d12184ffd6761c9fbf
Libav upstream believes that patch doesn't fix anything, but provides
the following one instead:
http://git.libav.org/?p=libav.git;a=commitdiff;h=bd968d260aef322fb32e254a3de0d2036c57bd56
(btw, it seems ffmpeg has in the meantime merged this one as well)
Cheers,
Reinhard
--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
Reply sent to Reinhard Tartler <siretart@tauware.de>: You have taken responsibility. (Mon, 26 Sep 2011 21:26:46 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Mon, 26 Sep 2011 21:26:47 GMT)
Message #15 received at 641478-close@bugs.debian.org:
Source: libav
Source-Version: 4:0.7.1-7
We believe that the bug you reported is fixed in the latest version of
libav, which is due to be installed in the Debian FTP archive:
ffmpeg-dbg_0.7.1-7_amd64.deb
to main/liba/libav/ffmpeg-dbg_0.7.1-7_amd64.deb
ffmpeg-doc_0.7.1-7_all.deb
to main/liba/libav/ffmpeg-doc_0.7.1-7_all.deb
ffmpeg_0.7.1-7_amd64.deb
to main/liba/libav/ffmpeg_0.7.1-7_amd64.deb
libav-dbg_0.7.1-7_amd64.deb
to main/liba/libav/libav-dbg_0.7.1-7_amd64.deb
libav-doc_0.7.1-7_all.deb
to main/liba/libav/libav-doc_0.7.1-7_all.deb
libav-source_0.7.1-7_all.deb
to main/liba/libav/libav-source_0.7.1-7_all.deb
libav_0.7.1-7.debian.tar.gz
to main/liba/libav/libav_0.7.1-7.debian.tar.gz
libav_0.7.1-7.dsc
to main/liba/libav/libav_0.7.1-7.dsc
libavcodec-dev_0.7.1-7_amd64.deb
to main/liba/libav/libavcodec-dev_0.7.1-7_amd64.deb
libavcodec53_0.7.1-7_amd64.deb
to main/liba/libav/libavcodec53_0.7.1-7_amd64.deb
libavdevice-dev_0.7.1-7_amd64.deb
to main/liba/libav/libavdevice-dev_0.7.1-7_amd64.deb
libavdevice53_0.7.1-7_amd64.deb
to main/liba/libav/libavdevice53_0.7.1-7_amd64.deb
libavfilter-dev_0.7.1-7_amd64.deb
to main/liba/libav/libavfilter-dev_0.7.1-7_amd64.deb
libavfilter2_0.7.1-7_amd64.deb
to main/liba/libav/libavfilter2_0.7.1-7_amd64.deb
libavformat-dev_0.7.1-7_amd64.deb
to main/liba/libav/libavformat-dev_0.7.1-7_amd64.deb
libavformat53_0.7.1-7_amd64.deb
to main/liba/libav/libavformat53_0.7.1-7_amd64.deb
libavutil-dev_0.7.1-7_amd64.deb
to main/liba/libav/libavutil-dev_0.7.1-7_amd64.deb
libavutil51_0.7.1-7_amd64.deb
to main/liba/libav/libavutil51_0.7.1-7_amd64.deb
libpostproc-dev_0.7.1-7_amd64.deb
to main/liba/libav/libpostproc-dev_0.7.1-7_amd64.deb
libpostproc52_0.7.1-7_amd64.deb
to main/liba/libav/libpostproc52_0.7.1-7_amd64.deb
libswscale-dev_0.7.1-7_amd64.deb
to main/liba/libav/libswscale-dev_0.7.1-7_amd64.deb
libswscale2_0.7.1-7_amd64.deb
to main/liba/libav/libswscale2_0.7.1-7_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 641478@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated libav package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 26 Sep 2011 22:24:47 +0200
Source: libav
Binary: ffmpeg ffmpeg-dbg libav-dbg libav-source ffmpeg-doc libav-doc libavutil51 libavcodec53 libavdevice53 libavformat53 libavfilter2 libpostproc52 libswscale2 libavutil-dev libavcodec-dev libavdevice-dev libavformat-dev libavfilter-dev libpostproc-dev libswscale-dev
Architecture: source amd64 all
Version: 4:0.7.1-7
Distribution: unstable
Urgency: medium
Maintainer: Reinhard Tartler <siretart@debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description:
ffmpeg - Multimedia player, server, encoder and transcoder
ffmpeg-dbg - Debug symbols for Libav related packages
ffmpeg-doc - Documentation of the Libav API (transitional package)
libav-dbg - Debug symbols for Libav related packages
libav-doc - Documentation of the Libav API
libav-source - Patched Libav sources
libavcodec-dev - Development files for libavcodec
libavcodec53 - Libav codec library
libavdevice-dev - Development files for libavdevice
libavdevice53 - Libav device handling library
libavfilter-dev - Development files for libavfilter
libavfilter2 - Libav video filtering library
libavformat-dev - Development files for libavformat
libavformat53 - Libav file format library
libavutil-dev - Development files for libavutil
libavutil51 - Libav utility library
libpostproc-dev - Development files for libpostproc
libpostproc52 - Libav video postprocessing library
libswscale-dev - Development files for libswscale
libswscale2 - Libav video scaling library
Closes: 641478
Changes:
libav (4:0.7.1-7) unstable; urgency=medium
.
* Add 63 (!) additional post 0.7.1 patches
- all scheduled for next upstream point release
- Fix missing CAVS boundary checks, Closes: #641478, Fixes: CVE-2011-3362
* Medium urgency for fixing a security issue
* Drop debian/patches/03-fix-movrel.patch, better patch upstream
* prefer libtiff4 over libtiff5 for now
Checksums-Sha1:
d84f60ac345ba34ad5878700465195e7986210e7 2992 libav_0.7.1-7.dsc
71de6fb206908c03443b55e9c10b767a9f99b543 77239 libav_0.7.1-7.debian.tar.gz
c878cb8e8ef8ae28f5caeadda44733a511fe02b7 444934 ffmpeg_0.7.1-7_amd64.deb
6c8dcff269ffad1c0a3abf542c70c8eeb1aaa485 37822 ffmpeg-dbg_0.7.1-7_amd64.deb
e75f7fe434f4eb71ccc3843b26af7eb3734898e4 9467356 libav-dbg_0.7.1-7_amd64.deb
d62bb4abfa8c079cb21ee37ebc43fb9101fb4c30 25591416 libav-source_0.7.1-7_all.deb
b4bf60e0fc725a83cf93d5cb208d3f8613a4239f 37788 ffmpeg-doc_0.7.1-7_all.deb
5a8c2c01c11ccf627e0e78f652086c62c0110331 20190266 libav-doc_0.7.1-7_all.deb
d6be78fc3b970b783c8ee76c56ffdf07e4911b69 92260 libavutil51_0.7.1-7_amd64.deb
51fbb140da799559ba76399e31d2beac4196ea79 2712564 libavcodec53_0.7.1-7_amd64.deb
68bd3c44bf327f0804f02045c206db831b37b7cf 60708 libavdevice53_0.7.1-7_amd64.deb
26c9a61b00090a6fc58b8896a92ce40bc421f966 495290 libavformat53_0.7.1-7_amd64.deb
4fe27908101535722d460dcba2a459b853be412e 94088 libavfilter2_0.7.1-7_amd64.deb
cfe7c4630bd9120a18ca59526d069a75c4c42e39 99402 libpostproc52_0.7.1-7_amd64.deb
3d8a8ea1a8f49ba926eca749c5172d6a9d631291 120740 libswscale2_0.7.1-7_amd64.deb
824c6c750fec3b358b2d0015cc35e520ed99e690 135274 libavutil-dev_0.7.1-7_amd64.deb
328024f24d5ac293c6c958ac3c873522bd67bbac 3146276 libavcodec-dev_0.7.1-7_amd64.deb
4ce55e890c148397a31f741963dcc7bc8a4f41ff 62506 libavdevice-dev_0.7.1-7_amd64.deb
0b076088359423f109cbae3f295ba92137f04428 652040 libavformat-dev_0.7.1-7_amd64.deb
a34208d41013ddb8e6970a1ebbaf7768929fad82 118864 libavfilter-dev_0.7.1-7_amd64.deb
562e9db87f5b1b2b311b5f7ca83fece637d21be3 100016 libpostproc-dev_0.7.1-7_amd64.deb
a75da6fed713356b04554b4d40a6a6aaff92da58 137234 libswscale-dev_0.7.1-7_amd64.deb
Checksums-Sha256:
357cca5db34629734f1bb636b9370e89f8399334fc0061f3387a647ef6fe62a0 2992 libav_0.7.1-7.dsc
1923dbaeb070a4c079e4b5a3e145daa3032418f08bf8d4a701841effda64206a 77239 libav_0.7.1-7.debian.tar.gz
3f96d80cbff994d3b7b1e5d866ef4ba8bcc2074e6a510fec3b0fbeebc7929c11 444934 ffmpeg_0.7.1-7_amd64.deb
514f358cc0b4c9179621ed8f2e19d96aa7b5dbf831612d4011893c34bbfa4d0d 37822 ffmpeg-dbg_0.7.1-7_amd64.deb
e0a962b7fae1187e09b7a8ca638257c94d24bced9336d0addc6c866e43afd570 9467356 libav-dbg_0.7.1-7_amd64.deb
864f344f1e37c3f83a06408a7ad79b70afed24a6f9ccf11252a1aad1b490922f 25591416 libav-source_0.7.1-7_all.deb
645cad9c62f64c5de07924b267f76e539a5671a7823ac2a05ffe5b798b421b76 37788 ffmpeg-doc_0.7.1-7_all.deb
3f43897c1f275b1f929f57bf89353da46dfdb52baa833dcc869e88039094879b 20190266 libav-doc_0.7.1-7_all.deb
724d0da6607d1490a6cabee9517bcf0235c73a134d0b84ce99b7d7b88a010ea5 92260 libavutil51_0.7.1-7_amd64.deb
90db9f86f1cb562caf423ce74dff5a2fd6fff553ee7b30a31e472bc6a96f68f5 2712564 libavcodec53_0.7.1-7_amd64.deb
12c86908dcca342ef6a4907c5580f2bf1558c13507e4702a35101f3a06694d72 60708 libavdevice53_0.7.1-7_amd64.deb
632f8167d22ccbfa8cf28aba0bb2c5bd06a5cf233ca50a63a89eddc232790369 495290 libavformat53_0.7.1-7_amd64.deb
8d2f172e4cb63145ab332cd85fdcbcb7b2cbcb8a8885f34ca81d2fb5fc72ba27 94088 libavfilter2_0.7.1-7_amd64.deb
f9cdb0281bcb127c7e31bf287413ca4855497f8374a6426ca4de58b98107d22c 99402 libpostproc52_0.7.1-7_amd64.deb
8a1c4a3559201d5c36beb9ec9f7ef0161b597b41b7eac91e2765c2089948806d 120740 libswscale2_0.7.1-7_amd64.deb
a828d0349329519a968f53c9e62d3eaf9e9a1a1b6b2350c7f062dfbfdfb387af 135274 libavutil-dev_0.7.1-7_amd64.deb
0360587b2018e589b165849db71356a08494794397ba6cbed3965e865b2b616b 3146276 libavcodec-dev_0.7.1-7_amd64.deb
6ea0a5a8d3c0eb41d570105883ecb01801620878b9d55142388c7ec1419bfdcd 62506 libavdevice-dev_0.7.1-7_amd64.deb
1b089448abfe1bc1cca346fb45d905297525908a61efe999d3523ebbe812a0e6 652040 libavformat-dev_0.7.1-7_amd64.deb
80df8f5575fddd9948072d5ec0d1dec8da6566eba4fbf81c99d75fc2ab265038 118864 libavfilter-dev_0.7.1-7_amd64.deb
8bc39c1b61c0b6b1ae02ccd74407bf6fd87945e8789099d17aa39257dfad25ae 100016 libpostproc-dev_0.7.1-7_amd64.deb
4630c7b99e24b638955c4d91a6469c2378be2600f7805834aea66876929adccd 137234 libswscale-dev_0.7.1-7_amd64.deb
Files:
ce457a77d31c33066524495927ad54c2 2992 libs optional libav_0.7.1-7.dsc
4be215a8d0b1e197ca23ec8c87e4b178 77239 libs optional libav_0.7.1-7.debian.tar.gz
9a9c91069a6e7b632f00ea1d51c194be 444934 video optional ffmpeg_0.7.1-7_amd64.deb
f53189405a36c3525b863d9ab26f939f 37822 debug extra ffmpeg-dbg_0.7.1-7_amd64.deb
101f1aceae20619a5e56fdb094cb8f23 9467356 debug extra libav-dbg_0.7.1-7_amd64.deb
a94e8e91fcb48183fceb81f702413d19 25591416 devel optional libav-source_0.7.1-7_all.deb
2188a3e8946f0f26726de3acf5703664 37788 doc optional ffmpeg-doc_0.7.1-7_all.deb
ca4c7a50ab7759b82a8d86dd2f7e8d2b 20190266 doc optional libav-doc_0.7.1-7_all.deb
a7b5bd5e267bd9a6664df95a952319ff 92260 libs optional libavutil51_0.7.1-7_amd64.deb
1cac3d789036363f53708d706a733b69 2712564 libs optional libavcodec53_0.7.1-7_amd64.deb
1b3988d97f451a4f5bc50885308c0767 60708 libs optional libavdevice53_0.7.1-7_amd64.deb
1ddf870111521bda447dce4c0502533b 495290 libs optional libavformat53_0.7.1-7_amd64.deb
ce264ea6e1a3bbf994088e4ecba8ee3c 94088 libs optional libavfilter2_0.7.1-7_amd64.deb
6e60fa5bbba9c59594f9d7dbc163b604 99402 libs optional libpostproc52_0.7.1-7_amd64.deb
2270800b11d672189d85acbba378595f 120740 libs optional libswscale2_0.7.1-7_amd64.deb
2bfc85c05e7e1380a57d1193a3a3fda7 135274 libdevel optional libavutil-dev_0.7.1-7_amd64.deb
bc9a713ac2528b5a8672c30753689576 3146276 libdevel optional libavcodec-dev_0.7.1-7_amd64.deb
386c7d986dc505fa55b9c5d2f20b2452 62506 libdevel optional libavdevice-dev_0.7.1-7_amd64.deb
2fca83cd311ff85a67f09c6490ca34fc 652040 libdevel optional libavformat-dev_0.7.1-7_amd64.deb
b61f293d4f8e145d88a73eafa15276da 118864 libdevel optional libavfilter-dev_0.7.1-7_amd64.deb
ca0175fdeaa984b85043593bc65af985 100016 libdevel optional libpostproc-dev_0.7.1-7_amd64.deb
ef2a26d7f1e680250e6100a102ed2ef2 137234 libdevel optional libswscale-dev_0.7.1-7_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Debian Powered!
iEYEARECAAYFAk6A5/sACgkQmAg1RJRTSKS5/gCfcZPmp0GewJl73LX84q41zxud
H28AnRpwfvaAabLKzLCrN+LQlZqp0qjx
=Ze71
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#641478; Package libav. (Wed, 02 Nov 2011 14:36:03 GMT)
Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>: Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 02 Nov 2011 14:36:03 GMT)
Message #20 received at 641478@bugs.debian.org:
Hey,
I'm considering the various open issues in ffmpeg in Squeeze
(CVE-2011-{3362,3504,3973,3974}). They were fixed in sid (in libav) but
not yet in Squeeze, so I intended to take a look at them and maybe do an
upload to stable-security but Moritz told me that you maintained a
stable branch so maybe you already have something ready.
What do you think? Should I start preparing something or do you want to
handle it?
Regards,
--
Yves-Alexis
Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#641478; Package libav. (Wed, 02 Nov 2011 19:33:06 GMT)
Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>: Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 02 Nov 2011 19:33:07 GMT)
Message #25 received at 641478@bugs.debian.org:
On Mi, Nov 02, 2011 at 15:33:20 (CET), Yves-Alexis Perez wrote:
> Hey,
>
> I'm considering the various open issues in ffmpeg in Squeeze
> (CVE-2011-{3362,3504,3973,3974}). They were fixed in sid (in libav) but
> not yet in Squeeze, so I intended to take a look at them and maybe do an
> upload to stable-security but Moritz told me that you maintained a
> stable branch so maybe you already have something ready.
>
> What do you think? Should I start preparing something or do you want to
> handle it?
Thank you for pointing out these issues.
I'm maintaining a stable branch upstream here:
http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.5
If you could point out to me the corresponding commits that fix these CVEs
on the master branch, I'm happy to backport them to that branch and roll a
0.5.5 release on short notice. Based on that release, we then update
our stable packaging branch here:
http://anonscm.debian.org/gitweb/?p=pkg-multimedia/libav.git;a=shortlog;h=refs/heads/squeeze
I'd propose to then build a package from that branch and upload it to
stable-security. Would that work for you?
Cheers,
Reinhard
--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#641478; Package libav. (Wed, 02 Nov 2011 21:03:03 GMT)
Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>: Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 02 Nov 2011 21:03:03 GMT)
Message #30 received at 641478@bugs.debian.org:
On Mi, Nov 02, 2011 at 15:33:20 (CET), Yves-Alexis Perez wrote:
> I'm considering the various open issues in ffmpeg in Squeeze
> (CVE-2011-{3362,3504,3973,3974}).
I'm currently investigating these issues. Let's first discuss the CAVS
related ones (3362,3973,3974):
3974 seems to have been allocated in error, as it even references the
same commit as 3973. What is the procedure to request it
removed/invalidated?
As for 3362 & 3973, I believe both have been fixed by this commit:
http://git.libav.org/?p=libav.git;a=commitdiff;h=4a71da0f3ab7f5542decd11c81994f849d5b2c78
This commit has also been merged into FFmpeg. That imported commit is
also referenced in the CVE description of CVE-2011-3973, so I assume
that this is the correct fix.
For CVE-2011-3362, FFmpeg changed the signedness of two variables in the
function decode_residual_block(). I'd be curious to see a sample that
still exploits Libav's cavs decoder without that signedness
change. Until I'm presented an exploit that demonstrates this issue, I'm
going to assume that CVE-2011-3362 is fixed by the same patch that fixed
CVE-2011-3973.
Now for CVE-2011-3504, which concerns an allocation error in the
matroska decoder. I strongly believe that this has been fixed by this
commit:
http://git.libav.org/?p=libav.git;a=commitdiff;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec
Unlike the CVE Report, the commit message refers to MSVR-11-0080, which
does not seem to exist in bing at all. I currently assume that the CVE
is right and the commit message (which was imported from FFmpeg without
further checking) should have referenced MSVR11-011 instead.
In any case, I've just backported both patches to the 0.5 branch:
http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.5
Feedback and tests welcome.
If nobody disagrees and nothing else pops up until let's say Friday,
I'm going to roll 0.5.5 tarballs.
Does this work for everyone?
Cheers,
Reinhard.
--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#641478; Package libav. (Thu, 03 Nov 2011 14:00:03 GMT)
Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>: Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 03 Nov 2011 14:00:04 GMT)
Message #35 received at 641478@bugs.debian.org:
On mer., 2011-11-02 at 21:57 +0100, Reinhard Tartler wrote:
> On Mi, Nov 02, 2011 at 15:33:20 (CET), Yves-Alexis Perez wrote:
>
> > I'm considering the various open issues in ffmpeg in Squeeze
> > (CVE-2011-{3362,3504,3973,3974}).
>
> I'm currently investigating these issues. Let's first discuss the CAVS
> related ones (3362,3973,3974):
>
> 3974 seems to have been allocated in error, as it even references the
> same commit as 3973. What is the procedure to request it
> removed/invalidated?
I'm not too sure since I don't know who assigned it. Maybe mailing
someone at Mitre?
>
> As for 3362 & 3973, I believe both have been fixed by this commit:
> http://git.libav.org/?p=libav.git;a=commitdiff;h=4a71da0f3ab7f5542decd11c81994f849d5b2c78
>
> This commit has also been merged into FFmpeg. That imported commit is
> also referenced in the CVE description of CVE-2011-3973, so I assume
> that this is the correct fix.
Looks like that, yes.
>
> For CVE-2011-3362, FFmpeg changed the signedness of two variables in the
> function decode_residual_block(). I'd be curious to see a sample that
> still exploits Libav's cavs decoder without that signedness
> change. Until I'm presented an exploit that demonstrates this issue, I'm
> going to assume that CVE-2011-3362 is fixed by the same patch that fixed
> CVE-2011-3973.
Shouldn't it be safe to still fix the signedness?
>
> Now for CVE-2011-3504, which concerns an allocation error in the
> matroska decoder. I strongly believe that this has been fixed by this
> commit:
> http://git.libav.org/?p=libav.git;a=commitdiff;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec
>
> Unlike the CVE Report, the commit message refers to MSVR-11-0080, which
> does not seem to exist in bing at all. I currently assume that the CVE
> is right and the commit message (which was imported from FFmpeg without
> further checking) should have referenced MSVR11-011 instead.
>
> In any case, I've just backported both patches to the 0.5 branch:
> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.5
Thanks.
>
> Feedback and tests welcome.
>
> If nobody disagrees and nothing else pops up until let's say Friday,
> I'm going to roll 0.5.5 tarballs.
>
> Does this work for everyone?
>
Works for me at least, notwithstanding the 3362 fix.
Regards,
--
Yves-Alexis
Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#641478; Package libav. (Thu, 03 Nov 2011 21:33:05 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 03 Nov 2011 21:33:05 GMT)
Message #40 received at 641478@bugs.debian.org:
On Wed, Nov 02, 2011 at 09:57:21PM +0100, Reinhard Tartler wrote:
> On Mi, Nov 02, 2011 at 15:33:20 (CET), Yves-Alexis Perez wrote:
>
> > I'm considering the various open issues in ffmpeg in Squeeze
> > (CVE-2011-{3362,3504,3973,3974}).
>
> I'm currently investigating these issues. Let's first discuss the CAVS
> related ones (3362,3973,3974):
>
> 3974 seems to have been allocated in error, as it even references the
> same commit as 3973. What is the procedure to request it
> removed/invalidated?
MITRE loves to split hairs: While it was fixed in a single commit,
some of the missing bitstream validations only lead to denial of
service, while the integer overflow allows code injection. Arguing around
this will probably be a waste of time; let's just use both IDs.
(Also, the IDs have already been in use for quite some time and changing
them would only raise more confusion.)
The rest sounds good to me.
Cheers,
Moritz
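The two points made in the messages above, that a value taken from the bitstream has to be range-checked before it is used as an index (the missing CAVS boundary checks) and that the arithmetic producing that index must not overflow (the integer-overflow case Moritz distinguishes from the plain denial-of-service ones), are illustrated by the following added example. It is constructed for this page and is not Libav's or FFmpeg's CAVS code; it does not reproduce decode_residual_block() or either of the commits linked in the thread. The toy wire format (a big-endian int32 run followed by an int16 level, with a run of -1 as end-of-block), the error codes, the sample streams and the function names are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_COEFFS 64

/* Error codes of the toy decoder (constructed for this example). */
enum {
    RES_OK            =  0,
    RES_ERR_TRUNCATED = -1,  /* stream ended inside a (run, level) pair       */
    RES_ERR_BAD_RUN   = -2,  /* run is negative and not the end-of-block mark */
    RES_ERR_OVERFLOW  = -3   /* position would leave the 64-coefficient block */
};

/* Toy wire format (assumed, not CAVS): each pair is a big-endian int32 run
 * followed by a big-endian int16 level; a run of -1 marks end of block. */
static int32_t read_be32(const uint8_t *p)
{
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return (int32_t)v;
}

static int16_t read_be16(const uint8_t *p)
{
    return (int16_t)(uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Decodes one block of up to 64 coefficients from data[0..len).
 * Every value read from the stream is validated before it is used as an
 * index: the run must be non-negative, and the new position is computed
 * in int64_t so that a huge run cannot wrap a 32-bit 'pos' to a negative
 * value that would slip past a plain 'pos < 64' test.
 * Returns RES_OK and fills block[] on success, a negative code otherwise. */
static int decode_residual_block(const uint8_t *data, size_t len,
                                 int16_t block[BLOCK_COEFFS])
{
    int32_t pos = -1;                 /* index of the last placed coefficient */
    size_t off = 0;

    memset(block, 0, BLOCK_COEFFS * sizeof block[0]);
    for (;;) {
        if (len - off < 6)
            return RES_ERR_TRUNCATED; /* never read past the buffer */
        int32_t run   = read_be32(data + off);
        int16_t level = read_be16(data + off + 4);
        off += 6;

        if (run == -1)
            return RES_OK;            /* end of block */
        if (run < 0)
            return RES_ERR_BAD_RUN;   /* a signed compare alone would let this through */

        int64_t next = (int64_t)pos + 1 + run;   /* widened before the add */
        if (next >= BLOCK_COEFFS)
            return RES_ERR_OVERFLOW;
        pos = (int32_t)next;
        block[pos] = level;
    }
}

/* Constructed sample streams. */
static const uint8_t SAMPLE_VALID[] = {
    0x00,0x00,0x00,0x00, 0x00,0x05,   /* run 0, level 5  -> block[0]  */
    0x00,0x00,0x00,0x02, 0xFF,0xFD,   /* run 2, level -3 -> block[3]  */
    0xFF,0xFF,0xFF,0xFF, 0x00,0x00    /* run -1: end of block         */
};
static const uint8_t SAMPLE_BIG_RUN[] = { 0x00,0x00,0x00,0x40, 0x00,0x01 }; /* run 64 */
static const uint8_t SAMPLE_NEG_RUN[] = { 0xFF,0xFF,0xFF,0xFB, 0x00,0x01 }; /* run -5 */
static const uint8_t SAMPLE_WRAP[] = {
    0x00,0x00,0x00,0x00, 0x00,0x05,   /* pos becomes 0                          */
    0x7F,0xFF,0xFF,0xFF, 0x00,0x01    /* run INT32_MAX: 0+1+run wraps in int32  */
};
static const uint8_t SAMPLE_TRUNC[] = { 0x00,0x00,0x00 };

static int16_t scratch[BLOCK_COEFFS];  /* shared output buffer for the demos */

int main(void)
{
    int rc = decode_residual_block(SAMPLE_VALID, sizeof SAMPLE_VALID, scratch);
    printf("valid:   rc=%d block[0]=%d block[3]=%d\n", rc, scratch[0], scratch[3]);
    printf("big run: %d\n", decode_residual_block(SAMPLE_BIG_RUN, sizeof SAMPLE_BIG_RUN, scratch));
    printf("neg run: %d\n", decode_residual_block(SAMPLE_NEG_RUN, sizeof SAMPLE_NEG_RUN, scratch));
    printf("wrap:    %d\n", decode_residual_block(SAMPLE_WRAP, sizeof SAMPLE_WRAP, scratch));
    printf("trunc:   %d\n", decode_residual_block(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, scratch));
    return 0;
}
```

The SAMPLE_WRAP stream is the case that separates the two CVE classes discussed above: with 32-bit arithmetic, 0 + 1 + INT32_MAX wraps to a negative number, which a check of the form `pos < 64` accepts, so the subsequent store lands outside the block; the widened accumulation together with the explicit negative-run rejection turns both the oversized and the wrapped index into a clean decode error.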
Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#641478; Package libav. (Sat, 05 Nov 2011 13:27:07 GMT)
Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>: Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 05 Nov 2011 13:27:08 GMT)
Message #45 received at 641478@bugs.debian.org:
On Do, Nov 03, 2011 at 14:56:51 (CET), Yves-Alexis Perez wrote:
>> As for 3362 & 3973, I believe both have been fixed by this commit:
>> http://git.libav.org/?p=libav.git;a=commitdiff;h=4a71da0f3ab7f5542decd11c81994f849d5b2c78
>>
>> This commit has also been merged into FFmpeg. That imported commit is
>> also referenced in the CVE description of CVE-2011-3973, so I assume
>> that this is the correct fix.
>
> Looks like that, yes.
>>
>> For CVE-2011-3362, FFmpeg changed the signedness of two variables in the
>> function decode_residual_block(). I'd be curious to see a sample that
>> still exploits Libav's cavs decoder without that signedness
>> change. Until I'm presented an exploit that demonstrates this issue, I'm
>> going to assume that CVE-2011-3362 is fixed by the same patch that fixed
>> CVE-2011-3973.
>
> Shouldn't it be safe to still fix the signed-ness?
Feel free to propose such a patch. I've tried to come up with a proper
explanation of what the signedness change is going to fix, but I failed. If
only there existed a sample exploit that showed that libav 0.5.5 is
still vulnerable…
>> Now for CVE-2011-3504, which concerns an allocation error in the
>> matroska decoder. I strongly believe that this has been fixed by this
>> commit:
>> http://git.libav.org/?p=libav.git;a=commitdiff;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec
>>
>> Unlike the CVE Report, the commit message refers to MSVR-11-0080, which
>> does not seem to exist in bing at all. I currently assume that the CVE
>> is right and the commit message (which was imported from FFmpeg without
>> further checking) should have referenced MSVR11-011 instead.
>>
>> In any case, I've just backported both patches to the 0.5 branch:
>> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.5
>
> Thanks.
Released 0.5.5 & updated the branch now.
>> Feedback and tests welcome.
>>
>> If nobody disagrees and nothing else pops up until let's say Friday,
>> I'm going to roll 0.5.5 tarballs.
>>
>> Does this work for everyone?
>>
> Works for me at least, notwithstanding the 3362 fix.
Moritz seems to be OK with this:
On Do, Nov 03, 2011 at 22:30:11 (CET), Moritz Muehlenhoff wrote:
[...]
> The rest sounds good to me.
I'm going to upload 0.5.5-1 to stable-security later today, unless
someone objects. (it needs to be approved manually anyways)
Cheers,
Reinhard.
--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#641478; Package libav. (Tue, 08 Nov 2011 21:51:15 GMT)
Acknowledgement sent to lsorense@csclub.uwaterloo.ca (Lennart Sorensen): Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 08 Nov 2011 21:51:15 GMT)
Message #50 received at 641478@bugs.debian.org:
This patch fixes building of ffmpeg 0.5.5-1 on powerpc for me.
It matches what the code is now like in newer versions of ffmpeg.
diff -urN ffmpeg-0.5.5/libavcodec/cavs.h ffmpeg-0.5.5.powerpcfix/libavcodec/cavs.h
--- ffmpeg-0.5.5/libavcodec/cavs.h 2011-11-05 07:57:22.000000000 -0400
+++ ffmpeg-0.5.5.powerpcfix/libavcodec/cavs.h 2011-11-08 16:27:24.051972526 -0500
@@ -136,7 +136,7 @@
MV_BWD_X3
};
-DECLARE_ALIGNED_8(typedef, struct) {
+DECLARE_ALIGNED(8, typedef, struct) {
int16_t x;
int16_t y;
int16_t dist;
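Review bot: the hunk only renames the call from DECLARE_ALIGNED_8(typedef, struct) to DECLARE_ALIGNED(8, typedef, struct), and neither the diff nor the cover text says what about the old form breaks the powerpc build or which header in the 0.5.5 tree defines the three-argument DECLARE_ALIGNED; add one sentence naming the compiler error and the macro's definition site so a reviewer can confirm from the patch alone that the change is safe on every architecture, not only on the squeeze powerpc build that was tried.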
So not much to the patch. Compiles on squeeze for me.
Haven't looked at the armel one yet, but I probably could.
--
Len Sorensen
Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>: Bug#641478; Package libav. (Wed, 09 Nov 2011 15:06:03 GMT)
Acknowledgement sent to lsorense@csclub.uwaterloo.ca (Lennart Sorensen): Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 09 Nov 2011 15:06:03 GMT)
Message #55 received at 641478@bugs.debian.org:
On Tue, Nov 08, 2011 at 04:42:56PM -0500, wrote:
> This patch fixes building of ffmpeg 0.5.5-1 on powerpc for me.
> It matches what the code is now like in newer versions of ffmpeg.
>
> diff -urN ffmpeg-0.5.5/libavcodec/cavs.h ffmpeg-0.5.5.powerpcfix/libavcodec/cavs.h
> --- ffmpeg-0.5.5/libavcodec/cavs.h 2011-11-05 07:57:22.000000000 -0400
> +++ ffmpeg-0.5.5.powerpcfix/libavcodec/cavs.h 2011-11-08 16:27:24.051972526 -0500
> @@ -136,7 +136,7 @@
> MV_BWD_X3
> };
>
> -DECLARE_ALIGNED_8(typedef, struct) {
> +DECLARE_ALIGNED(8, typedef, struct) {
> int16_t x;
> int16_t y;
> int16_t dist;
>
>
> So not much to the patch. Compiles on squeeze for me.
>
> Haven't looked at the armel one yet, but I probably could.
Same patch actually fixed armel compile as well.
--
Len Sorensen
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 08 Dec 2011 07:33:34 GMT)
Last modified: Wed Jun 19 13:51:44 2019