Bug 47504 - ffmpeg: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.3
Hardware: All Linux
Importance: P5 normal
Target Milestone: UCS 4.3-1-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Depends on:
Blocks: 47479
Reported: 2018-08-08 12:52 CEST by Quality Assurance
Modified: 2018-08-15 13:14 CEST (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 0.0 ()


Description Quality Assurance univentionstaff 2018-08-08 12:52:20 CEST
New Debian ffmpeg 7:3.2.12-1~deb9u1 fixes:
This update addresses the following issue(s):
* The filter_slice function in libavfilter/vf_transpose.c in FFmpeg through 3.4.1 allows remote attackers to cause a denial of service (out-of-array access) via a crafted MP4 file. (CVE-2018-6392)
* The decode_frame function in libavcodec/utvideodec.c in FFmpeg through 3.4.1 allows remote attackers to cause a denial of service (out of array read) via a crafted AVI file. (CVE-2018-6621)
* The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2 allows remote attackers to cause a denial of service (Out of array read) via an AVI file with crafted dimensions within chroma subsampling data. (CVE-2018-7557)
* The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2 allows remote attackers to cause a denial of service (out of array read) via an AVI file. (CVE-2018-10001)
* An improper integer type in the mpeg4_encode_gop_header function in libavcodec/mpeg4videoenc.c in FFmpeg 4.0 may trigger an assertion violation while converting a crafted AVI file to MPEG4, leading to a denial of service. (CVE-2018-12458)
* In FFmpeg 4.0.1, an improper argument (AVCodecParameters) passed to the avpriv_request_sample function in the handle_eac3 function in libavformat/movenc.c may trigger an out-of-array read while converting a crafted AVI file to MPEG4, leading to a denial of service and possibly an information disclosure. (CVE-2018-13300)
* In FFmpeg 4.0.1, improper handling of frame types (other than EAC3_FRAME_TYPE_INDEPENDENT) that have multiple independent substreams in the handle_eac3 function in libavformat/movenc.c may trigger an out-of-array access while converting a crafted AVI file to MPEG4, leading to a denial of service or possibly unspecified other impact. (CVE-2018-13302)
* libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted Waveform audio file. (CVE-2018-14394)
* libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted audio file when converting to the MOV audio format. (CVE-2018-14395)
* FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out of array access vulnerabilities in the mms protocol that can result in attackers accessing out of bound data. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in cced03dd667a5df6df8fd40d8de0bff477ee02e8 and later. (CVE-2018-1999010)
CVE-2018-1999011 is open
* FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appears to be exploitable via a specially crafted PVA file that has to be provided as input. This vulnerability appears to have been fixed in 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 and later. (CVE-2018-1999012)
* FFmpeg before commit a7e032a277452366771951e29fd0bf2bd5c029f0 contains a use-after-free vulnerability in the realmedia demuxer that can result in a vulnerability that allows an attacker to read heap memory. This attack appears to be exploitable via a specially crafted RM file that has to be provided as input. This vulnerability appears to have been fixed in a7e032a277452366771951e29fd0bf2bd5c029f0 and later. (CVE-2018-1999013)

7:3.2.12-1~deb9u1 (Sat, 28 Jul 2018 16:27:42 +0800)
* New upstream release.
  - avformat/movenc: Write version 2 of audio atom if channels is not known. (CVE-2018-14395)
  - avcodec/imgconvert: fix possible null pointer dereference.

7:3.2.11-1~deb9u1 (Fri, 13 Jul 2018 23:29:52 +0100)
  - avfilter/vf_transpose: Fix used plane count. (CVE-2018-6392)
  - avcodec/utvideodec: Fix bytes left check in decode_frame(). (CVE-2018-6621)
  - avcodec/utvideodec: Check subsample factors. (CVE-2018-7557)
  - avcodec/utvideodec: Set pro flag based on fourcc. (CVE-2018-10001)
  - avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header(). (CVE-2018-12458)
  - avformat/movenc: Do not pass AVCodecParameters in avpriv_request_sample. (CVE-2018-13300)
  - avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id. (CVE-2018-13302)
* debian/control:
  - Add Breaks on vokoscreen << 2.2.0 to libav-tools.
Comment 1 Quality Assurance univentionstaff 2018-08-08 19:10:02 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/ffmpeg_3.2.10-1~deb9u1.dsc
+++ apt/ucs_4.3-0-errata4.3-1/source/ffmpeg_3.2.12-1~deb9u1.dsc
@@ -1,3 +1,29 @@
+7:3.2.12-1~deb9u1 [Sat, 28 Jul 2018 16:27:42 +0800] James Cowgill <jcowgill@debian.org>:
+
+  * New upstream release.
+    - avformat/movenc: Write version 2 of audio atom if channels is not known.
+      (CVE-2018-14395)
+    - avcodec/imgconvert: fix possible null pointer dereference.
+      (Closes: #904123)
+
+7:3.2.11-1~deb9u1 [Fri, 13 Jul 2018 23:29:52 +0100] James Cowgill <jcowgill@debian.org>:
+
+  * New upstream release.
+    - avfilter/vf_transpose: Fix used plane count. (CVE-2018-6392)
+    - avcodec/utvideodec: Fix bytes left check in decode_frame().
+      (CVE-2018-6621)
+    - avcodec/utvideodec: Check subsample factors. (CVE-2018-7557)
+    - avcodec/utvideodec: Set pro flag based on fourcc. (CVE-2018-10001)
+    - avcodec/mpeg4videoenc: Use 64 bit for times in
+      mpeg4_encode_gop_header(). (CVE-2018-12458)
+    - avformat/movenc: Do not pass AVCodecParameters in avpriv_request_sample.
+      (CVE-2018-13300)
+    - avformat/movenc: Check that frame_types other than
+      EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id.
+      (CVE-2018-13302)
+  * debian/control:
+    - Add Breaks on vokoscreen << 2.2.0 to libav-tools. (Closes: #864917)
+
 7:3.2.10-1~deb9u1 [Fri, 26 Jan 2018 09:45:14 +0000] James Cowgill <jcowgill@debian.org>:
 
   * New upstream release.
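
Review bot: The two changelog entries added at the top of this hunk name CVE-2018-14395, CVE-2018-6392, CVE-2018-6621, CVE-2018-7557, CVE-2018-10001, CVE-2018-12458, CVE-2018-13300 and CVE-2018-13302, but the bug description also lists CVE-2018-14394, CVE-2018-1999010, CVE-2018-1999012 and CVE-2018-1999013 as fixed by 7:3.2.12-1~deb9u1, and none of those appears in the added lines. Before the erratum text claims them, confirm against the upstream release notes or the packaged source that those fixes are present, and record the evidence in this bug. Separately, the file headers name the .dsc files while the hunk content is the package changelog; labelling the diff as the changelog would make the record easier to audit.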

<http://10.200.17.11/4.3-1/#3701014347878508005>
Comment 2 Philipp Hahn univentionstaff 2018-08-09 09:02:51 CEST
OK: patches
OK: piuparts
OK: yaml
OK: errata-announce ffmpeg.yaml

[4.3-1] c9efd3e06b Bug #47504: ffmpeg 7:3.2.12-1~deb9u1
 doc/errata/staging/ffmpeg.yaml | 50 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-08-15 13:14:48 CEST
<http://errata.software-univention.de/ucs/4.3/177.html>