Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization

Reinhard Tartler siretart at tauware.de
Tue Oct 13 17:23:26 UTC 2009

Michael S Gilbert <michael.s.gilbert at gmail.com> writes:

> ffmpeg has been found to be vulnerable to many crashers [0],[1].  this
> may enable remote compromise of a system.
> please coordinate with upstream and the security team to push out
> updates for these issues.
> mike
> [0] https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240
> [1] https://roundup.ffmpeg.org/roundup/ffmpeg/issue1245

Issue 1240 is as such not usable, as the submitter refused to split out
his findings by single issues. Instead, he insisted on providing a huge
tarball with 73(!) test files that demonstrate crashes. Many of these
files seem to trigger very similar (if not identical) bugs. Issue 1245 is
one of the issues that has been split out. I've imported [2] that patch
already to our packaging branch, and it will be part of the next upload.

[2] http://git.debian.org/?p=pkg-multimedia/ffmpeg-debian.git;a=blob;f=debian/patches/issue1245.patch;h=23e180a0972146f650c0254d8677f8a1a4a371eb;hb=c1bc30d1370dab75f103bc6dce0bbe95f482099e

The upstream thread can be read at [3]. After reading the thread it
seems that many of these issues are not exactly security relevant but
merely crashers without potential for remote code execution. Still, the
relevant revision should probably be backported to 0.5.

[3] http://thread.gmane.org/gmane.comp.video.ffmpeg.devel/97154

Please note that there is an upstream 0.5 branch (and we are tracking
that branch), but there is not really much activity there. However
AFAIUI, security relevant patches are within submission policy of that
branch. So any security patches we can do within Debian can be proposed
for that branch.

As for this bug, I'm inclined to close this bug with the upload of
[2]. The reason is that this report is way too imprecise. This report
currently reads "the package has been found crashers that might
compromise the system". Sorry, this is just not helpful. We'd really
need at least a list of concrete issues, ideally with reference to the
relevant svn commits (so that commit messages can be reviewed) that can
be processed and backported.

Reinhard Tartler, KeyID 945348A4
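The complaint above is that 73 testcases were dumped in one tarball and many of them look like the same bug. Below is an added example, not code from this thread, from Debian or from ffmpeg, of the kind of triage script a maintainer can run over such a corpus: each file is run under gdb (for example `gdb -batch -ex run -ex bt --args ffmpeg -i case.avi -f null -`), and the backtraces are bucketed by signal plus the top few function names, ignoring addresses, arguments and line numbers that vary between runs, and ignoring libc abort/assert frames so that assertion failures are keyed on the ffmpeg frame that triggered them. The backtraces embedded here are constructed for the example (the function names are made up) and the frame depth of 3 is an assumption; with real output you would feed in the gdb text for each of the 73 files and get a much shorter list of distinct crash sites to report one issue each.

```python
"""Bucket crash testcases by backtrace signature.

Added example for triaging a crash corpus; not Debian or ffmpeg code.
"""
import re
from collections import defaultdict

# Matches a gdb frame line such as
#   #0  0x0000000000412345 in decode_frame (avctx=0x..., data=0x...) at x.c:123
#   #2  main (argc=3, argv=0x7fffffffe0f8) at ffmpeg.c:789
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?([A-Za-z_][A-Za-z0-9_]*)\s*\(")
SIGNAL_RE = re.compile(r"Program received signal (\w+)")

# libc frames that sit above the real crash site on SIGABRT; dropped so
# every assertion failure does not collapse into one "raise/abort" bucket.
LIBC_NOISE = {"raise", "abort", "__GI_raise", "__GI_abort", "__assert_fail"}

# Constructed sample gdb output for three testcases (made-up function names).
SAMPLE_BACKTRACES = {
    "case01.avi": """
Program received signal SIGSEGV, Segmentation fault.
#0  0x0000000000412345 in decode_frame (avctx=0x61a000, data=0x6a1230) at libavcodec/dummy.c:123
#1  0x0000000000401122 in avcodec_decode_video2 (avctx=0x61a000) at libavcodec/utils.c:456
#2  0x00000000004009ab in main (argc=5, argv=0x7fffffffe0f8) at ffmpeg.c:789
""",
    "case02.avi": """
Program received signal SIGSEGV, Segmentation fault.
#0  0x00000000004123a0 in decode_frame (avctx=0x61b200, data=0x6b0000) at libavcodec/dummy.c:131
#1  0x0000000000401122 in avcodec_decode_video2 (avctx=0x61b200) at libavcodec/utils.c:456
#2  0x00000000004009ab in main (argc=5, argv=0x7fffffffe0f8) at ffmpeg.c:789
""",
    "case03.avi": """
Program received signal SIGABRT, Aborted.
#0  0x00007ffff7a42425 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff7a45b8b in __GI_abort () at abort.c:91
#2  0x00007ffff7a3b0ee in __assert_fail (assertion=0x4a1234 "size > 0") at assert.c:103
#3  0x0000000000413c00 in av_malloc_check (size=0) at libavutil/mem.c:77
#4  0x0000000000410550 in parse_header (s=0x61c000) at libavformat/dummy.c:210
#5  0x00000000004009ab in main (argc=5, argv=0x7fffffffe0f8) at ffmpeg.c:789
""",
}


def crash_signature(gdb_output, depth=3):
    """Return (signal, top-N function names) for one gdb batch run.

    Only symbol names are kept: addresses, argument values and line numbers
    differ between runs and builds and would split one bug into many buckets.
    """
    sig = SIGNAL_RE.search(gdb_output)
    signal = sig.group(1) if sig else "UNKNOWN"
    frames = []
    for line in gdb_output.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        func = m.group(2)
        if func in LIBC_NOISE:
            continue
        frames.append(func)
        if len(frames) >= depth:
            break
    return signal, tuple(frames)


def bucket_testcases(backtraces, depth=3):
    """Group testcase names by crash signature; returns {signature: [names]}."""
    buckets = defaultdict(list)
    for name, bt in sorted(backtraces.items()):
        buckets[crash_signature(bt, depth)].append(name)
    return dict(buckets)


if __name__ == "__main__":
    for signature, names in bucket_testcases(SAMPLE_BACKTRACES).items():
        signal, frames = signature
        print(f"{signal} at {' <- '.join(frames)}: {', '.join(names)}")
```

Running this over the three constructed cases yields two buckets, not three: case01 and case02 share the same crash site and belong in one report, while case03 is a separate assertion failure. One caveat a practitioner would add: identical top frames do not prove identical root causes (a corrupted length field and a missing bounds check can both die in the same memcpy), so each bucket still needs a look at the minimal reproducer before it is filed as one issue.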

