Bug 49545

Summary: ffmpeg: Multiple issues (4.4)
Product: UCS
Reporter: Quality Assurance <qa>
Component: Security updates
Assignee: Quality Assurance <qa>
Status: CLOSED FIXED
QA Contact: Philipp Hahn <hahn>
Severity: normal
Priority: P3
Version: UCS 4.4
Target Milestone: UCS 4.4-0-errata
Hardware: All
OS: Linux
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) Debian NVD RedHat

Description Quality Assurance univentionstaff 2019-05-24 11:52:27 CEST
New Debian ffmpeg 7:3.2.14-1~deb9u1 fixes:
This update addresses the following issues:
* The flv_write_packet function in libavformat/flvenc.c in FFmpeg through 4.0.2 does not check for an empty audio packet, leading to an assertion failure. (CVE-2018-15822)
* FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains a Buffer Overflow vulnerability in asf_o format demuxer that can result in heap-buffer-overflow that may result in remote code execution. This attack appears to be exploitable via specially crafted ASF file that has to be provided as input to FFmpeg. This vulnerability appears to have been fixed in 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 and later. (CVE-2018-1999011)
* denial of service in subtitle decoder allows attackers to hog CPU via crafted video file (CVE-2019-9718)
* libavcodec/hevcdec.c in FFmpeg 4.1.2 mishandles detection of duplicate first slices, which allows remote attackers to cause a denial of service (NULL pointer dereference and out-of-array access) or possibly have unspecified other impact via crafted HEVC data. (CVE-2019-11338)
Comment 1 Quality Assurance univentionstaff 2019-05-24 12:01:39 CEST
--- mirror/ftp/4.3/unmaintained/4.3-2/source/ffmpeg_3.2.12-1~deb9u1.dsc
+++ apt/ucs_4.4-0-errata4.4-0/source/ffmpeg_3.2.14-1~deb9u1.dsc
@@ -1,3 +1,13 @@
+7:3.2.14-1~deb9u1 [Wed, 22 May 2019 00:04:41 +0200] Moritz Mühlenhoff <jmm@debian.org>:
+
+  * New upstream release(s).
+    - avcodec/htmlsubtitles: Fixes denial of service due to use
+      of sscanf in inner loop for handling braces (CVE-2019-9718)
+    - avcodec/hevcdec: Avoid only partly skiping duplicate first slices
+      (CVE-2019-11338)
+    - avformat/asfdec_o: Check size_bmp more fully (CVE-2018-1999011)
+    - avformat/flvenc: Check audio packet size (CVE-2018-15822)
+
 7:3.2.12-1~deb9u1 [Sat, 28 Jul 2018 16:27:42 +0800] James Cowgill <jcowgill@debian.org>:
 
   * New upstream release.
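
Review bot: the added 7:3.2.14-1~deb9u1 entry says only "New upstream release(s)." and does not name which upstream versions after 3.2.12 are bundled, so the four CVE fixes listed under it cannot be mapped to a specific upstream release from the changelog alone; naming the included versions in that line would make the errata easier to audit. The hevcdec line also misspells "skipping" as "skiping", which is worth noting if the text is copied into the errata announcement.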

<http://10.200.17.11/4.4-0/#397840453870570022>
Comment 2 Philipp Hahn univentionstaff 2019-05-26 11:32:39 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-0] 898431f219 Bug #49545: ffmpeg 7:3.2.14-1~deb9u1
 doc/errata/staging/ffmpeg.yaml | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

[4.4-0] 58709a99a1 Bug #49545: ffmpeg 7:3.2.14-1~deb9u1
 doc/errata/staging/ffmpeg.yaml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
Comment 3 Arvid Requate univentionstaff 2019-05-29 13:24:31 CEST
<http://errata.software-univention.de/ucs/4.4/114.html>