Bug#504977: ffmpeg-debian: Several security issues
Reinhard Tartler
siretart at tauware.de
Mon Nov 10 16:17:52 UTC 2008
Thank you for your work on security issues.
Please avoid munging that many separate issues into the same bug.
Steffen Joeris <steffen.joeris at skolelinux.de> writes:
> Package: ffmpeg-debian
> Version: 0.svn20080206-14
> Severity: grave
> Tags: security, patch
> Justification: user security hole
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for ffmpeg.
>
> CVE-2008-4869[0]:
> | FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers
> | to cause a denial of service (memory consumption) via unknown vectors,
> | aka a "Tcp/udp memory leak."
You asked me later to ignore this. OK.
> CVE-2008-4868[1]:
> | Unspecified vulnerability in the avcodec_close function in
> | libavcodec/utils.c in FFmpeg 0.4.9 before r14787, as used by MPlayer,
> | has unknown impact and attack vectors, related to a free "on random
> | pointers."
Here is the relevant patch:
===================================================================
--- libavcodec/utils.c (Revision 14786)
+++ libavcodec/utils.c (Revision 14787)
@@ -994,7 +994,6 @@
avctx->codec->close(avctx);
avcodec_default_free_buffers(avctx);
av_freep(&avctx->priv_data);
- av_freep(&avctx->rc_eq);
avctx->codec = NULL;
entangled_thread_counter--;
return 0;
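Review bot: Dropping `av_freep(&avctx->rc_eq);` after the `priv_data` free leaves nothing in this cleanup sequence that releases or resets `rc_eq`, and the hunk does not say who owns that pointer now. If any code path in the packaged snapshot still heap-allocates `rc_eq` on the context's behalf, this removal trades the free "on random pointers" for a leak, so the backport should be checked against every place that version assigns `rc_eq`. A short comment at the removed line stating that `rc_eq` is not owned by avcodec_close would document the intent and keep the free from being re-added.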
Are you really sure that this should be applied to the package? It
looks, well, uhm, interesting to me?
> CVE-2008-4867[2]:
> | Buffer overflow in libavcodec/dca.c in FFmpeg 0.4.9 before r14917, as
> | used by MPlayer, allows context-dependent attackers to have an unknown
> | impact via vectors related to an incorrect DCA_MAX_FRAME_SIZE value.
That is already reported as #496612, unfixed in lenny. Please read that
bug backlog and attach a patch there.
> CVE-2008-4866[3]:
> | Multiple buffer overflows in libavformat/utils.c in FFmpeg 0.4.9
> | before r14715, as used by MPlayer, allow context-dependent attackers
> | to have an unknown impact via vectors related to execution of DTS
> | generation code with a delay greater than MAX_REORDER_DELAY.
Committed in the pkg-multimedia svn branch. Still untested, and the
patch did not apply cleanly. Another set of eyes if that still makes
sense would be very appreciated.
--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4