libav: multiple security issues

Debian Bug report logs - #773626
libav: multiple security issues

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libav: multiple security issues

Date: Sat, 20 Dec 2014 23:31:11 -0500

package: src:libav
version: 6:0.8.16-1
severity: serious
tags: security

Hi,

the following vulnerabilities were published for libav.

CVE-2014-8541[0]:
| libavcodec/mjpegdec.c in FFmpeg before 2.4.2 considers only dimension
| differences, and not bits-per-pixel differences, when determining
| whether an image size has changed, which allows remote attackers to
| cause a denial of service (out-of-bounds access) or possibly have
| unspecified other impact via crafted MJPEG data.

CVE-2014-8542[1]:
| libavcodec/utils.c in FFmpeg before 2.4.2 omits a certain codec ID
| during enforcement of alignment, which allows remote attackers to
| cause a denial of service (out-of-bounds access) or possibly have
| unspecified other impact via crafted JV data.

CVE-2014-8543[2]:
| libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider all
| lines of HHV Intra blocks during validation of image height, which
| allows remote attackers to cause a denial of service (out-of-bounds
| access) or possibly have unspecified other impact via crafted MM video
| data.

CVE-2014-8543[3]:
| libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider all
| lines of HHV Intra blocks during validation of image height, which
| allows remote attackers to cause a denial of service (out-of-bounds
| access) or possibly have unspecified other impact via crafted MM video
| data.

CVE-2014-8544[4]:
| libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate
| bits-per-pixel fields, which allows remote attackers to cause a denial
| of service (out-of-bounds access) or possibly have unspecified other
| impact via crafted TIFF data.

CVE-2014-8545[5]:
| libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the
| monochrome-black format without verifying that the bits-per-pixel
| value is 1, which allows remote attackers to cause a denial of service
| (out-of-bounds access) or possibly have unspecified other impact via
| crafted PNG data.

CVE-2014-8546[6]:
| Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2
| allows remote attackers to cause a denial of service (out-of-bounds
| access) or possibly have unspecified other impact via crafted Cinepak
| video data.

CVE-2014-8547[7]:
| libavcodec/gifdec.c in FFmpeg before 2.4.2 does not properly compute
| image heights, which allows remote attackers to cause a denial of
| service (out-of-bounds access) or possibly have unspecified other
| impact via crafted GIF data.

CVE-2014-8548[8]:
| Off-by-one error in libavcodec/smc.c in FFmpeg before 2.4.2 allows
| remote attackers to cause a denial of service (out-of-bounds access)
| or possibly have unspecified other impact via crafted Quicktime
| Graphics (aka SMC) video data.

CVE-2014-8549[9]:
| libavcodec/on2avc.c in FFmpeg before 2.4.2 does not constrain the
| number of channels to at most 2, which allows remote attackers to
| cause a denial of service (out-of-bounds access) or possibly have
| unspecified other impact via crafted On2 data.

CVE-2014-9316[10]:
| The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg
| before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows
| remote attackers to cause a denial of service (out-of-bounds heap
| access) and possibly have other unspecified impact via vectors related
| to LJIF tags in an MJPEG file.

CVE-2014-9318[11]:
| The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6,
| 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to
| cause a denial of service (out-of-bounds heap access) and possibly
| have other unspecified impact via a crafted .cine file that triggers
| the avpicture_get_size function to return a negative frame size.

CVE-2014-9319[12]:
| The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg
| before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows
| remote attackers to cause a denial of service (out-of-bounds access)
| via a crafted .bit file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8541
[1] https://security-tracker.debian.org/tracker/CVE-2014-8542
[2] https://security-tracker.debian.org/tracker/CVE-2014-8543
[3] https://security-tracker.debian.org/tracker/CVE-2014-8543
[4] https://security-tracker.debian.org/tracker/CVE-2014-8544
[5] https://security-tracker.debian.org/tracker/CVE-2014-8545
[6] https://security-tracker.debian.org/tracker/CVE-2014-8546
[7] https://security-tracker.debian.org/tracker/CVE-2014-8547
[8] https://security-tracker.debian.org/tracker/CVE-2014-8548
[9] https://security-tracker.debian.org/tracker/CVE-2014-8549
[10] https://security-tracker.debian.org/tracker/CVE-2014-9316
[11] https://security-tracker.debian.org/tracker/CVE-2014-9318
[12] https://security-tracker.debian.org/tracker/CVE-2014-9319

Please adjust the affected versions in the BTS as needed.

Message #18 received at 773626@bugs.debian.org (full text, mbox, reply):

From: Neil Williams <codehelp@debian.org>

To: 773626@bugs.debian.org

Subject: Available fixes for some of the issues

Date: Sat, 17 Jan 2015 12:27:20 +0000

[Message part 1 (text/plain, inline)]

Just to update the bug for others scanning the RC bug list...

https://security-tracker.debian.org/tracker/CVE-2014-8545
- libav <not-affected> (Vulnerable code not present)
CVE-2014-8545[5]:
| libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the
| monochrome-black format without verifying that the bits-per-pixel
| value is 1, which allows remote attackers to cause a denial of service
| (out-of-bounds access) or possibly have unspecified other impact via
| crafted PNG data.

So this one can be discounted from the list.

Other patches exist as upstream commits linked from the security
tracker:

CVE-2014-8541, CVE-2014-8542, CVE-2014-8543, CVE-2014-8547,
CVE-2014-8548, CVE-2014-8549

https://git.libav.org/?p=libav.git;a=patch;h=809c3023b699c54c90511913d3b6140dd2436550
https://git.libav.org/?p=libav.git;a=patch;h=88626e5af8d006e67189bf10b96b982502a7e8ad
https://git.libav.org/?p=libav.git;a=patch;h=17ba719d9ba30c970f65747f42d5fbb1e447ca28
https://git.libav.org/?p=libav.git;a=patch;h=0b39ac6f54505a538c21fe49a626de94c518c903
https://git.libav.org/?p=libav.git;a=patch;h=d423dd72be451462c6fb1cbbe313bed0194001ab
https://git.libav.org/?p=libav.git;a=patch;h=cee4490b521fd0d02476d46aa2598af24fb8d686

Five CVEs therefore remain without upstream patches in libav:

https://security-tracker.debian.org/tracker/CVE-2014-8544
https://security-tracker.debian.org/tracker/CVE-2014-8546
https://security-tracker.debian.org/tracker/CVE-2014-9316
https://security-tracker.debian.org/tracker/CVE-2014-9318
https://security-tracker.debian.org/tracker/CVE-2014-9319 

Each of these has fixes upstream in ffmpeg but it'll need someone with
more familiarity with the mpeg source code than me to investigate
whether the fixes in ffmpeg can become fixes in libav.

-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/

[Message part 2 (application/pgp-signature, inline)]

Message #23 received at 773626@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>

To: Neil Williams <codehelp@debian.org>, 773626@bugs.debian.org

Subject: Re: Bug#773626: Available fixes for some of the issues

Date: Sat, 17 Jan 2015 13:40:38 +0100

[Message part 1 (text/plain, inline)]

On 2015-01-17 12:27:20, Neil Williams wrote:
> Just to update the bug for others scanning the RC bug list...
> 
> https://security-tracker.debian.org/tracker/CVE-2014-8545
> - libav <not-affected> (Vulnerable code not present)
> CVE-2014-8545[5]:
> | libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the
> | monochrome-black format without verifying that the bits-per-pixel
> | value is 1, which allows remote attackers to cause a denial of service
> | (out-of-bounds access) or possibly have unspecified other impact via
> | crafted PNG data.
> 
> So this one can be discounted from the list.
> 
> Other patches exist as upstream commits linked from the security
> tracker:
> 
> CVE-2014-8541, CVE-2014-8542, CVE-2014-8543, CVE-2014-8547,
> CVE-2014-8548, CVE-2014-8549
> 
> https://git.libav.org/?p=libav.git;a=patch;h=809c3023b699c54c90511913d3b6140dd2436550
> https://git.libav.org/?p=libav.git;a=patch;h=88626e5af8d006e67189bf10b96b982502a7e8ad
> https://git.libav.org/?p=libav.git;a=patch;h=17ba719d9ba30c970f65747f42d5fbb1e447ca28
> https://git.libav.org/?p=libav.git;a=patch;h=0b39ac6f54505a538c21fe49a626de94c518c903
> https://git.libav.org/?p=libav.git;a=patch;h=d423dd72be451462c6fb1cbbe313bed0194001ab
> https://git.libav.org/?p=libav.git;a=patch;h=cee4490b521fd0d02476d46aa2598af24fb8d686
> 
> Five CVEs therefore remain without upstream patches in libav:
> 
> https://security-tracker.debian.org/tracker/CVE-2014-8544
> https://security-tracker.debian.org/tracker/CVE-2014-8546
> https://security-tracker.debian.org/tracker/CVE-2014-9316
> https://security-tracker.debian.org/tracker/CVE-2014-9318
> https://security-tracker.debian.org/tracker/CVE-2014-9319 
> 
> Each of these has fixes upstream in ffmpeg but it'll need someone with
> more familiarity with the mpeg source code than me to investigate
> whether the fixes in ffmpeg can become fixes in libav.

Thanks for taking the time for investigating the issue. We are currently
waiting for 11.2 tarballs to appear. They have been taged already and
tarball just needs to be released.

Cheers
-- 
Sebastian Ramacher

[signature.asc (application/pgp-signature, inline)]

Message #28 received at 773626@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>

To: Michael Gilbert <mgilbert@debian.org>, 773626@bugs.debian.org

Subject: Re: Bug#773626: libav: multiple security issues

Date: Sat, 17 Jan 2015 20:56:02 +0100

[Message part 1 (text/plain, inline)]

Control: clone -1 -2
Control: retitle -2 libav: CVE-2014-{8544,8546,9316,9318,9319}
Control: tags -1 + fixed-upstream pending

On 2014-12-20 23:31:11, Michael Gilbert wrote:
> CVE-2014-8544[4]:
> | libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate
> | bits-per-pixel fields, which allows remote attackers to cause a denial
> | of service (out-of-bounds access) or possibly have unspecified other
> | impact via crafted TIFF data.

> CVE-2014-8546[6]:
> | Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2
> | allows remote attackers to cause a denial of service (out-of-bounds
> | access) or possibly have unspecified other impact via crafted Cinepak
> | video data.

> CVE-2014-9316[10]:
> | The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg
> | before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows
> | remote attackers to cause a denial of service (out-of-bounds heap
> | access) and possibly have other unspecified impact via vectors related
> | to LJIF tags in an MJPEG file.

> CVE-2014-9318[11]:
> | The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6,
> | 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to
> | cause a denial of service (out-of-bounds heap access) and possibly
> | have other unspecified impact via a crafted .cine file that triggers
> | the avpicture_get_size function to return a negative frame size.

> CVE-2014-9319[12]:
> | The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg
> | before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows
> | remote attackers to cause a denial of service (out-of-bounds access)
> | via a crafted .bit file.

> [4] https://security-tracker.debian.org/tracker/CVE-2014-8544
> [6] https://security-tracker.debian.org/tracker/CVE-2014-8546
> [10] https://security-tracker.debian.org/tracker/CVE-2014-9316
> [11] https://security-tracker.debian.org/tracker/CVE-2014-9318
> [12] https://security-tracker.debian.org/tracker/CVE-2014-9319

I'm cloning this bug report to keep track of the unfixed CVEs.

Cheers
-- 
Sebastian Ramacher

[signature.asc (application/pgp-signature, inline)]

Message #37 received at 773626-close@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>

To: 773626-close@bugs.debian.org

Subject: Bug#773626: fixed in libav 6:11.2-1

Date: Sat, 17 Jan 2015 21:19:52 +0000

Source: libav
Source-Version: 6:11.2-1

We believe that the bug you reported is fixed in the latest version of
libav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773626@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated libav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 17 Jan 2015 20:56:19 +0100
Source: libav
Binary: libav-tools libav-dbg libav-doc libavutil54 libavcodec56 libavdevice55 libavformat56 libavfilter5 libswscale3 libavutil-dev libavcodec-dev libavdevice-dev libavformat-dev libavfilter-dev libswscale-dev libavresample-dev libavresample2 libavcodec-extra-56 libavcodec-extra
Architecture: source all
Version: 6:11.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
 libav-dbg  - Debug symbols for Libav related packages
 libav-doc  - Documentation of the Libav API
 libav-tools - Multimedia player, encoder and transcoder
 libavcodec-dev - Development files for libavcodec
 libavcodec-extra - Libav codec library (additional codecs meta-package)
 libavcodec-extra-56 - Libav codec library (additional codecs)
 libavcodec56 - Libav codec library
 libavdevice-dev - Development files for libavdevice
 libavdevice55 - Libav device handling library
 libavfilter-dev - Development files for libavfilter
 libavfilter5 - Libav video filtering library
 libavformat-dev - Development files for libavformat
 libavformat56 - Libav file format library
 libavresample-dev - Development files for libavresample
 libavresample2 - Libav audio resampling library
 libavutil-dev - Development files for libavutil
 libavutil54 - Libav utility library
 libswscale-dev - Development files for libswscale
 libswscale3 - Libav video scaling library
Closes: 773055 773626
Changes:
 libav (6:11.2-1) unstable; urgency=medium
 .
   * New upstream release fixing multiple security issues. (Closes: #773626)
     - h464: restore a block mistakenly removed in e10fd08a
     - on2avc: check number of channels (CVE-2014-8549)
     - smc: fix the bounds check (CVE-2014-8548)
     - gifdec: refactor interleave end handling (CVE-2014-8547)
     - mmvideo: check frame dimensions (CVE-2014-8543)
     - jvdec: check frame dimensions (CVE-2014-8542)
     - mjpegdec: check for pixel format changes (CVE-2014-8541)
     - mov: avoid a memleak when multiple stss boxes are present
     - vc1: Do not assume seek happens after decoding
     - avconv: Use the mpeg12 private option scan_offset (Closes: #773055)
     - xsub: Support DXSA subtitles
     - mp3dec: fix reading the Xing tag
     - matroskaenc: write correct Display{Width, Height} in stereo encoding
     - configure: Fix enabling memalign_hack automatically
     - mp3enc: fix a triggerable assert
     - latm: Do not give a score for a single instance
     - mp3: Tweak the probe scores
     - matroskaenc: write correct Display{Width, Height} in stereo encoding
     - coverity: Fix most of the reported warnings and issues
   * debian/control: Add myself to Uploaders.
Checksums-Sha1:
 cb4beda65e1622b42c8b86e6b336f77f99deb1f5 3945 libav_11.2-1.dsc
 52ba52cabe5d86b45ce62f56e11fa7912c6e5083 4855224 libav_11.2.orig.tar.xz
 e331fb19f3d7cdf0b338a749b8e12c318c5f94a5 67392 libav_11.2-1.debian.tar.xz
 3598f3ed2a7aa3051fef8bbdb664f1acb98cdc14 18628804 libav-doc_11.2-1_all.deb
 b355e200173d0ee54778aa0fa6f0b8526115423d 57112 libavcodec-extra_11.2-1_all.deb
Checksums-Sha256:
 31780b8fe22d42c6f699ad248221dcb4f288ca312ed51d2dae08bbe5d650f41f 3945 libav_11.2-1.dsc
 48f4a36cd823f2449d1e45b114371033dc68f0e09ff0f7c841405c09a707682e 4855224 libav_11.2.orig.tar.xz
 9e3db24d45c8ec17e3ffc2e3926aa14eeb2f45557a7b02a54d0a2097c229837a 67392 libav_11.2-1.debian.tar.xz
 b28ed96ac757bdab6774b1d0d0e0162c2e5e6276feca8a86cdd43d91aaa01b11 18628804 libav-doc_11.2-1_all.deb
 4bd8b4f4abc56b9460687c1cb7f0af47c5c8c30638d30dbde0936ab68a1cdb93 57112 libavcodec-extra_11.2-1_all.deb
Files:
 ed02af27bf51d801208397d1c3a200dd 3945 libs optional libav_11.2-1.dsc
 b8680998ad53376c37508688293ecaa4 4855224 libs optional libav_11.2.orig.tar.xz
 fe393245fbe69823e53ca5bf6835106f 67392 libs optional libav_11.2-1.debian.tar.xz
 95c20dfd661a6c2e0908f5920ae91f50 18628804 doc optional libav-doc_11.2-1_all.deb
 2953f572c244daa715cc35a0441f29b4 57112 metapackages extra libavcodec-extra_11.2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUusKXAAoJEGny/FFupxmTw5YP+QEfG/ylKUfpqxu9TeWaIIrL
Q/QpnMcaWgskXJhZ6Zcfo10WSYmVR7jLGXJkSeJI0rCY6n+L+Bq6dUshJTzIK+wi
C8je652tIYky5E9EBJbJCsF5FOmYCncxhs00CrVoqmHCYIgLPQh6a8HbCPpnV+qt
qYjTG0E5injDoMN6yQW8m1T4028MVLAygCeXAsdi5pBCDLi4uCMgO16Bja3BBVZY
9b8nM5AtQ7XDcdSiK9W1ZqTtdX8bAJ6KdqfQF5AbDZ6nLsrLbXPlgBGm8cREt313
ox0wmtqdG9OGMTAxz8+RkrRukmxmCVT45J8jAzbCha6/XZfHY3RhhWs/iN7Q8oAK
FmzjXwwwvV1GeM7UU8HsG6s+AX5EqpsOu499QZh4N0ANU/H7ddPmWHOQE1AiW0pv
KhOcgGr0t54YS6CxH4VJxKphAJqB6zfTzDp4J/BCvpqbzQ4rMrmBnjsHYWT7tU/f
f/2LUtgB3N1hPxjcqz8JoJduaGU580e5exC8zazAa88TWCG7TA/VOr5MJ6zNKtMz
ou8WTUFuO5G6xpTp2wjVJq9ZV5Lwym1RZrd35G80jst0O0+dztcqiARIM+2j2h9Z
pX79fIQkTU1PH4TuSmlxd0OXyy0okcbMg6LoSy0SipJ3PFmdWdD3H3qUz5j0SgC3
JG2V0SLxj/ee17dcQrDY
=mqSu
-----END PGP SIGNATURE-----

Message #42 received at 773626-done@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>

To: 773626-done@bugs.debian.org

Subject: Re: Bug#773626: libav: multiple security issues

Date: Sun, 15 Mar 2015 21:12:34 +0100

[Message part 1 (text/plain, inline)]

Version: 6:0.8.17-1

On 2014-12-20 23:31:11, Michael Gilbert wrote:
> package: src:libav
> version: 6:0.8.16-1
> severity: serious
> tags: security
> 
> Hi,
> 
> the following vulnerabilities were published for libav.

Forgot to close this bug in the changelog, doing so now.

Cheers
-- 
Sebastian Ramacher

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.