Bug 37024 - libav: Multiple issues (4.1)
libav: Multiple issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
: P4 normal (vote)
: UCS 4.1-4-errata
Assigned To: Arvid Requate
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-11-26 07:57 CET by Moritz Muehlenhoff
Modified: 2017-11-08 16:06 CET (History)
1 user (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) - CVE-2017-7862
requate: Patch_Available+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Moritz Muehlenhoff univentionstaff 2014-11-26 07:57:01 CET
Various security bugs have been found in decoders:

Off-by-one in the SMC (CVE-2014-8548)
Out of bounds access in GIF (CVE-2014-8547)
Integer underflow in Cinepak (CVE-2014-8546)
Invalid memory access in PNG (CVE-2014-8545)
Invalid memory access in TIFF (CVE-2014-8544)
Invalid memory access in MMVideo (CVE-2014-8543)
Memory corruption in MJPEG (CVE-2014-8541)
Comment 1 Moritz Muehlenhoff univentionstaff 2015-01-19 08:24:54 CET
Memory corruption in he VMD decoder (CVE-2014-9603)
Denial of service in the Ut Video decoder (CVE-2014-9604)
Comment 2 Janek Walkenhorst univentionstaff 2015-01-27 14:59:06 CET
Multiple off-by-one errors in libavcodec/vorbisdec.c (CVE-2014-7937)
Use-after-free vulnerability in the matroska_read_seek function (CVE-2014-7933)
Comment 3 Arvid Requate univentionstaff 2015-05-06 19:14:53 CEST
All but one of the issues above have been fixed in upstream Debian package version 6:0.8.17-1


Currently still open:

Multiple off-by-one errors in libavcodec/vorbisdec.c (CVE-2014-7937)
Comment 4 Arvid Requate univentionstaff 2015-06-01 12:36:54 CEST
Another issue has been reported upstream (patch available):

* invalid memory access (CVE-2015-3395)

CVE-2015-3395 has been marked as unreproducable in wheezy.
Comment 5 Arvid Requate univentionstaff 2016-03-07 17:51:43 CET
Upstream Debian package version 6:0.8.17-2 fixes these additional issues:

* remote cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file. (CVE-2016-1897)

* remote cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file. (CVE-2016-1898)

* Integer overflow in the asf_write_packet function in libavformat/asfenc.c allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PTS (aka presentation timestamp) value in a .mov file. (CVE-2016-2326)
Comment 6 Arvid Requate univentionstaff 2016-05-11 10:29:16 CEST
Upstream Debian package verison 6:0.8.17-2+deb7u1 fixes this issue:

* The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free. (CVE-2014-9676)
Comment 7 Arvid Requate univentionstaff 2016-06-16 20:02:49 CEST
Upstream Debian package verison 6:0.8.17-2+deb7u2 fixes this issue:

* memory corruption when parsing .mp4 files possibly leading to crash or arbitrary code execution (CVE-2016-3062)
Comment 8 Arvid Requate univentionstaff 2016-10-06 18:54:21 CEST
Upstream Debian package version 6:0.8.18-0+deb7u1 fixes these additional issues:

* The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in Libav before 0.8.18 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Motion JPEG data (CVE-2015-1872)

* The ff_h263_decode_mba function in libavcodec/ituh263dec.c in Libav before 11.5 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a file with crafted dimensions (CVE-2015-5479)

* The aac_sync function in libavcodec/aac_parser.c in Libav before 11.5 is vulnerable to a stack-based buffer overflow (CVE-2016-7393)
Comment 9 Arvid Requate univentionstaff 2017-01-21 18:30:27 CET
Upstream Debian package version 6:0.8.19-0+deb7u1 fixes additional issues:

* The put_no_rnd_pixels8_xy2_mmx function in x86/rnd_template.c in libav 11.7 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted MP3 file (CVE-2016-7424)

* The h264 codec is vulnerable to various crashes with invalid-free, corrupted double-linked list or out-of-bounds read (No CVE assigned)
Comment 10 Arvid Requate univentionstaff 2017-01-21 18:35:59 CET
Upstream Debian package version 6:0.8.20-0+deb7u1 fixes:

* Multiple integer overflows have been discovered in libav 11.8 and earlier,
allowing remote attackers to cause a crash via a crafted MP3 file (CVE-2016-9819 CVE-2016-9820 CVE-2016-9821 CVE-2016-9822)
Comment 11 Stefan Gohmann univentionstaff 2017-06-16 20:38:45 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
Comment 12 Arvid Requate univentionstaff 2017-11-01 17:26:16 CET
6:0.8.21-0+deb7u1 fixes:

* The smka_decode_frame function in libavcodec/smacker.c does not verify that the data size is consistent with the number of channels, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Smacker data. (CVE-2015-8365)
* The decode_residual function in libavcodec allows remote attackers to cause a denial of service (buffer over-read) or obtain sensitive information from process memory via a crafted h264 video file. (CVE-2017-7208)
* FFmpeg before 2017-02-07 has an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame function in libavcodec/pictordec.c. (CVE-2017-7862)
* Heap-based buffer overflow in the decode_dds1 function in libavcodec/dfa.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file. (CVE-2017-9992)
Comment 13 Arvid Requate univentionstaff 2017-11-01 18:46:53 CET
Packet imported and built.

Advisory: libav.yaml
Comment 14 Philipp Hahn univentionstaff 2017-11-06 13:10:03 CET
OK: apt-get install ffmpeg
OK: apt-get upgrade

FIXED: errata-announce -V --only libav.yaml
  PYTHONPATH=~/misc/repo-ng/src python -m univention.repong.errata format -i libav.yaml
FIXED: libav.yaml
  105a2cf7f5, 88b6262be1
Comment 15 Arvid Requate univentionstaff 2017-11-08 16:06:41 CET
<http://errata.software-univention.de/ucs/4.1/483.html>