Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization

Reinhard Tartler siretart at tauware.de
Thu Oct 15 11:03:39 UTC 2009


Hello Security Teams,

Michael Gilbert reported in debian bug #550442 that ffmpeg in debian and
ubuntu contained "a deluge of crashes". I have backported a bunch of
fixes from ffmpeg trunk, which now need review, validation and
eventually publishing.

Affected are all distros that ship ffmpeg 0.5, this includes

 - lenny
 - squeeze
 - sid
 - jaunty
 - karmic

Earlier versions of ffmpeg might be affected as well.

Michael Gilbert <michael.s.gilbert at gmail.com> writes:

> On Tue, 13 Oct 2009 19:23:26 +0200, Reinhard Tartler wrote:
>> As for this bug, I'm inclined to close this bug with the upload of
>> [2]. The reason is that this report is way too imprecise. This report
>> currently reads "the package has been found crashers that might
>> compromise the system". Sorry, this is just not helpful. We'd really
>> need at least a list of concrete issues, ideally with reference to the
>> relevant svn commits (so that commit messages can be reviewed) that can
>> be processed and backported.
>
> in an ideal world every security issue would come with a complete
> prescription and regimen to make it all better.  however, we do not
> live in such a place.  the best we can do is track the issue at hand,
> follow work being done elsewhere, and potentially spend our own
> precious time testing and writing fixes.  obviously this is a lot of
> work, but it is the price we pay since there are nefarious people
> about.
>
> i would recommend working with the security team to request CVEs on
> oss-sec for specific issues once they are well-defined, and address each
> of them in turn, while keeping this bug open to track the meta-issue
> (potentially downgrading to important so as not to impede transitions).
>
> note that any of these crashers that show signs of memory corruption
> are very much cause for concern (see recent pdf jbig2 decoder issues).
> the others can probably be safely discarded.  by "may enable remote
> compromise," i mean via user-assisted (social engineered) attack
> vectors (i.e. downloading and viewing a malicious video file).  this
> is a very legitimate concern since most users are very trusting of
> untrustworthy data.

I've worked on the packaging branch for karmic. The relevant backports
that I produced so far can be found here:

http://git.debian.org/?p=pkg-multimedia/ffmpeg.git;a=tree;f=debian/patches/security;hb=ubuntu.karmic

Most of these patches have been proposed by the chromium developers,
who collect patches for upstream here:

http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/to_upstream/

Most of the patches got further polishing by upstream before being
applied. In many cases the chromium developers rather fixed symptoms,
whereas upstream prefers real fixes. Anyway, I went through the list
of chromium patches and managed to locate most of them in ffmpeg trunk.

Patches that I couldn't find upstream include:

09_mov_stsz_int_oflow.patch
32_mov_stream_index.patch
35_mov_bad_timings.patch
40_ogg_missing_header.patch

They probably need further investigation.

Michael, could you please check if and what patches I might have missed?

I'd like to ask you (both security teams) to review my patches so far
and to decide whether, and to which security queues, they should be
uploaded.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
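The patch name 09_mov_stsz_int_oflow.patch refers to the bug class in which a sample count read from the file is multiplied by an element size to obtain an allocation length, and the product wraps. The message does not include the patch itself, so the following is an added example, not ffmpeg's code and not the backported patch: a stand-alone C reader for a simplified stsz atom that exposes the wrap in 32-bit arithmetic and performs the two checks a hardened reader needs (no overflow of the allocation size, and enough bytes in the atom to back the table). The atom layout follows the MOV/MP4 stsz structure; the byte strings are constructed for the example and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified stsz ('sample size') atom body as found in MOV/MP4 files:
 *   bytes 0..3   version (1 byte) + flags (3 bytes)
 *   bytes 4..7   sample_size   (big-endian; 0 means a per-sample table follows)
 *   bytes 8..11  sample_count  (big-endian)
 *   bytes 12..   sample_count big-endian 32-bit entries, only if sample_size == 0
 */
#define STSZ_HDR 12

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* What a demuxer computes when it sizes the table with plain 32-bit unsigned
 * arithmetic (the size_t of a 32-bit build): the product is taken mod 2^32, so
 * a huge count yields a tiny allocation. Returned instead of allocated so the
 * effect can be observed without doing anything unsafe. */
uint32_t stsz_table_bytes_wrapped(uint32_t sample_count)
{
    return sample_count * (uint32_t)sizeof(uint32_t);
}

/* Hardened parse. On success *sizes receives a malloc'd table (NULL when the
 * atom uses a constant sample_size) and *count the sample count.
 * Returns 0 on success, -1 when the atom is rejected. */
int parse_stsz_checked(const uint8_t *buf, size_t len,
                       uint32_t **sizes, uint32_t *count)
{
    *sizes = NULL;
    *count = 0;
    if (len < STSZ_HDR)
        return -1;

    uint32_t sample_size  = rd_be32(buf + 4);
    uint32_t sample_count = rd_be32(buf + 8);

    if (sample_size != 0) {            /* constant size: no table to read */
        *count = sample_count;
        return 0;
    }
    /* Check 1: sample_count * sizeof(uint32_t) must not wrap in size_t.
     * Decisive on 32-bit builds; on 64-bit builds a 32-bit count cannot wrap
     * here, and check 2 is what stops the oversized count. */
    if (sample_count > SIZE_MAX / sizeof(uint32_t))
        return -1;
    /* Check 2: every table entry must be backed by bytes present in the atom. */
    if ((size_t)sample_count > (len - STSZ_HDR) / 4)
        return -1;

    uint32_t *tbl = malloc(sample_count ? sample_count * sizeof(uint32_t) : 1);
    if (!tbl)
        return -1;
    for (uint32_t i = 0; i < sample_count; i++)
        tbl[i] = rd_be32(buf + STSZ_HDR + 4 * (size_t)i);

    *sizes = tbl;
    *count = sample_count;
    return 0;
}

/* Constructed atoms for the example (not taken from any real file). */
static const uint8_t stsz_good[] = {
    0, 0, 0, 0,                 /* version/flags            */
    0, 0, 0, 0,                 /* sample_size = 0 -> table */
    0, 0, 0, 3,                 /* sample_count = 3         */
    0, 0, 0, 10, 0, 0, 0, 20, 0, 0, 0, 30
};
static const uint8_t stsz_evil[] = {
    0, 0, 0, 0,
    0, 0, 0, 0,
    0x40, 0, 0, 1,              /* sample_count = 0x40000001: *4 wraps to 4 */
    0, 0, 0, 10                 /* only one real entry present              */
};

/* Runs both atoms through the checked parser; 1 if behaviour is as expected. */
int demo(void)
{
    uint32_t *s;
    uint32_t n;
    int rc_good = parse_stsz_checked(stsz_good, sizeof stsz_good, &s, &n);
    int ok = (rc_good == 0 && n == 3 && s[0] == 10 && s[1] == 20 && s[2] == 30);
    free(s);
    int rc_evil = parse_stsz_checked(stsz_evil, sizeof stsz_evil, &s, &n);
    return ok && rc_evil == -1 && s == NULL;
}
```

With the wrapped arithmetic a count of 0x40000001 produces a 4-byte allocation that the subsequent read loop then overruns by roughly 4 GiB; the checked version refuses the atom before allocating.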