Bug 48391 - libav: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
All Linux
Importance: P3 normal
Target Milestone: UCS 4.2-5-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Reported: 2018-12-21 09:44 CET by Quality Assurance
Modified: 2019-01-09 14:16 CET

What kind of report is it?: Security Issue
Max CVSS v3 score: 8.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L) Debian NVD RedHat

Description Quality Assurance univentionstaff 2018-12-21 09:44:15 CET
New Debian libav 6:11.12-1~deb8u3 fixes:
This update addresses the following issues:
* The decode_ihdr_chunk function in libavcodec/pngdec.c in FFmpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via an IDAT before an IHDR in a PNG file. (CVE-2014-9317)
* Memory corruption in FFmpeg (CVE-2015-6761)
* The decode_ihdr_chunk function in libavcodec/pngdec.c in FFmpeg before 2.7.2 does not enforce uniqueness of the IHDR (aka image header) chunk in a PNG image, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted image with two or more of these chunks. (CVE-2015-6818)
* The ff_sbr_apply function in libavcodec/aacsbr.c in FFmpeg before 2.7.2 does not check for a matching AAC frame syntax element before proceeding with Spectral Band Replication calculations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted AAC data. (CVE-2015-6820)
* The ff_mpv_common_init function in libavcodec/mpegvideo.c in FFmpeg before 2.7.2 does not properly maintain the encoding context, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via crafted MPEG data. (CVE-2015-6821)
* The destroy_buffers function in libavcodec/sanm.c in FFmpeg before 2.7.2 does not properly maintain height and width values in the video context, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via crafted LucasArts Smush video data. (CVE-2015-6822)
* The allocate_buffers function in libavcodec/alac.c in FFmpeg before 2.7.2 does not initialize certain context data, which allows remote attackers to cause a denial of service (segmentation violation) or possibly have unspecified other impact via crafted Apple Lossless Audio Codec (ALAC) data. (CVE-2015-6823)
* The sws_init_context function in libswscale/utils.c in FFmpeg before 2.7.2 does not initialize certain pixbuf data structures, which allows remote attackers to cause a denial of service (segmentation violation) or possibly have unspecified other impact via crafted video data. (CVE-2015-6824)
* The ff_frame_thread_init function in libavcodec/pthread_frame.c in FFmpeg before 2.7.2 mishandles certain memory-allocation failures, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via a crafted file, as demonstrated by an AVI file. (CVE-2015-6825)
* The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c in FFmpeg before 2.7.2 does not initialize certain structure members, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via crafted (1) RV30 or (2) RV40 RealVideo data. (CVE-2015-6826)
* The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg before 2.8.2 omits certain width and height checks, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted MJPEG data. (CVE-2015-8216)
* The ff_hevc_parse_sps function in libavcodec/hevc_ps.c in FFmpeg before 2.8.2 does not validate the Chroma Format Indicator, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted High Efficiency Video Coding (HEVC) data. (CVE-2015-8217)
* The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via a crafted image with two or more of these markers. (CVE-2015-8363)
* Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via crafted image dimensions in Indeo Video Interactive data. (CVE-2015-8364)
* The h264_slice_header_init function in libavcodec/h264_slice.c in FFmpeg before 2.8.3 does not validate the relationship between the number of threads and the number of slices, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted H.264 data. (CVE-2015-8661)
* The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.8.4 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data. (CVE-2015-8662)
* The ff_get_buffer function in libavcodec/utils.c in FFmpeg before 2.8.4 preserves width and height values after a failure, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted .mov file. (CVE-2015-8663)
* Heap-based buffer overflow in libavformat/http.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote web servers to execute arbitrary code via a negative chunk size in an HTTP response. (CVE-2016-10190)
* Heap-based buffer overflow in libavformat/rtmppkt.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check for RTMP packet size mismatches. (CVE-2016-10191)
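Two of the PNG items above (CVE-2014-9317, IDAT before IHDR; CVE-2015-6818, duplicate IHDR) are both chunk-ordering invariants that a decoder has to track as state. The following is an added example, not libav's pngdec.c and not part of the Debian update: a small chunk walker that enforces exactly those two invariants with unsigned, bounds-checked length arithmetic, plus a helper that builds constructed (non-image) chunk sequences to exercise it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example (not libav code): walk PNG chunks after the 8-byte signature and
 * enforce the two invariants the pngdec fixes add: IHDR must precede any IDAT and
 * IHDR may occur only once. CRCs are ignored; length math is unsigned and bounded. */
enum png_status { PNG_OK, PNG_BAD_SIG, PNG_TRUNCATED,
                  PNG_IDAT_BEFORE_IHDR, PNG_DUP_IHDR, PNG_NO_IHDR };
static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

enum png_status png_check_chunk_order(const uint8_t *buf, size_t len) {
    size_t pos = 8;
    int ihdr_seen = 0;
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return PNG_BAD_SIG;
    while (pos < len) {
        if (len - pos < 12) return PNG_TRUNCATED;         /* length + type + CRC */
        uint32_t clen = rd32be(buf + pos);
        if (clen > len - pos - 12) return PNG_TRUNCATED;  /* payload past end of buffer */
        const uint8_t *type = buf + pos + 4;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (ihdr_seen) return PNG_DUP_IHDR;           /* CVE-2015-6818: second IHDR */
            ihdr_seen = 1;
        } else if (!ihdr_seen && memcmp(type, "IDAT", 4) == 0) {
            return PNG_IDAT_BEFORE_IHDR;                  /* CVE-2014-9317: IDAT first */
        }
        pos += 12 + (size_t)clen;
    }
    return ihdr_seen ? PNG_OK : PNG_NO_IHDR;
}

/* Test helper: build a constructed (not real) PNG from 4-char chunk types with
 * zeroed payloads (13 bytes for IHDR, 1 otherwise) and placeholder CRCs, then validate. */
enum png_status check_sequence(const char *const *types, int n) {
    uint8_t buf[8 + 16 * 25];
    size_t pos = 8;
    if (n > 16) return PNG_TRUNCATED;
    memcpy(buf, PNG_SIG, 8);
    for (int i = 0; i < n; i++) {
        uint32_t dlen = strcmp(types[i], "IHDR") == 0 ? 13 : 1;
        buf[pos] = buf[pos + 1] = buf[pos + 2] = 0; buf[pos + 3] = (uint8_t)dlen;
        memcpy(buf + pos + 4, types[i], 4);
        memset(buf + pos + 8, 0, dlen + 4);               /* payload + fake CRC */
        pos += 12 + dlen;
    }
    return png_check_chunk_order(buf, pos);
}
```

The same state-tracking pattern applies to the JPEG 2000 SIZ marker item (CVE-2015-8363): a header that may legally appear once must be remembered, not re-parsed on every occurrence.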
Comment 1 Quality Assurance univentionstaff 2018-12-21 10:00:16 CET
--- mirror/ftp/4.2/unmaintained/4.2-4/source/libav_11.12-1~deb8u1.dsc
+++ apt/ucs_4.2-0-errata4.2-5/source/libav_11.12-1~deb8u3.dsc
@@ -1,3 +1,51 @@
+6:11.12-1~deb8u3 [Thu, 20 Dec 2018 22:56:40 +0100] Mike Gabriel <sunweaver@debian.org>:
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * debian/patches:
+    + Rename CVE-2015-6822+6823+6824.patch to CVE-2015-6822.patch..
+  * CVE-2015-6823: avcodec/alac: Clear pointers in allocate_buffers().
+  * CVE-2015-6824: swscale/utils: Clear pix buffers. Fixes use of
+    uninitialized memory.
+
+6:11.12-1~deb8u2 [Wed, 19 Dec 2018 14:31:49 +0100] Mike Gabriel <sunweaver@debian.org>:
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * CVE-2014-9317: avcodec/pngdec: Check IHDR/IDAT order. Prevent remote
+    attackers from causing a denial of service (out-of-bounds heap access)
+    and possibly have other unspecified impact via an IDAT before an IHDR 
+    in a PNG file.
+  * CVE-2015-6761: avcodec/vp8: Do not use num_coeff_partitions in
+    thread/buffer setup. The variable is not a constant and can lead to
+    race conditions.
+  * CVE-2015-6818: avcodec/pngdec: Only allow one IHDR chunk. Multiple IHDR
+    chunks are forbidden in PNG. Fixes inconsistency and out of array accesses.
+  * CVE-2015-6820: avcodec/aacsbr: check that the element type matches before
+    applying SBR. Fixes out of array access.
+  * CVE-2015-6821: avcodec/mpegvideo: Clear pointers in ff_mpv_common_init().
+    This ensures that no stale pointers leak through on any path.
+  * CVE-2015-6822, CVE-2015-6823, CVE-2015-6824: avcodec/sanm: Reset sizes in
+    destroy_buffers().
+  * CVE-2015-6825: avcodec/pthread_frame: clear priv_data, avoid stale pointer
+    in error case.
+  * CVE-2015-6826: avcodec/rv34: Clear pointers in
+    ff_rv34_decode_init_thread_copy(). Avoids leaving stale pointers.
+  * CVE-2015-8216: avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan()
+    before using it. Fixes out of array access.
+  * CVE-2015-8217: avcodec/hevc_ps: Check chroma_format_idc. Fixes out of
+    array access.
+  * CVE-2015-8363: avcodec/jpeg2000dec: Check for duplicate SIZ marker.
+  * CVE-2015-8364: avcodec/ivi: Check image dimensions. Fixes integer overflow.
+  * CVE-2015-8661: avcodec/h264_slice: Limit max_contexts when
+    slice_context_count is initialized. Fixes out of array access.
+  * CVE-2015-8662: avcodec/jpeg2000dwt: Check ndeclevels before calling
+    dwt_decode*(). Fixes out of array access.
+  * CVE-2015-8663: avcodec/utils: Clear dimensions in ff_get_buffer() on
+    failure. Fixes out of array access.
+  * CVE-2016-10190: http: make length/offset-related variables unsigned.
+    Required cherry-picking 3668701f and 362c17e6 from ffmpeg.git.
+  * CVE-2016-10191: avformat/rtmppkt: Check for packet size mismatches.
+    Fixes out of array access.
+
 6:11.12-1~deb8u1 [Sun, 18 Feb 2018 21:20:56 +0100] Sebastian Ramacher <sramacher@debian.org>:
 
   * New upstream release.
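Review bot: the deb8u2 entry line `CVE-2015-6822, CVE-2015-6823, CVE-2015-6824: avcodec/sanm: Reset sizes in destroy_buffers().` credits all three CVEs to the sanm fix, while the deb8u3 entry above it renames the patch to CVE-2015-6822.patch and ships separate fixes for CVE-2015-6823 (avcodec/alac) and CVE-2015-6824 (swscale/utils); since both entries stay in the published changelog, the deb8u3 entry should state explicitly that deb8u2 did not contain fixes for CVE-2015-6823 and CVE-2015-6824, so nobody reading the older entry concludes deb8u2 was sufficient. Minor: `CVE-2015-6822.patch..` ends in a doubled period, and the `via an IDAT before an IHDR ` line carries trailing whitespace.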

<http://10.200.17.11/4.2-5/#7653744052422993102>
Comment 2 Philipp Hahn univentionstaff 2018-12-21 10:34:44 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] 40a54ff549 Bug #48391: libav 6:11.12-1~deb8u3
 doc/errata/staging/libav.yaml | 163 ++++++++++++++++++++----------------------
 1 file changed, 77 insertions(+), 86 deletions(-)

[4.2-5] 9c555cc69f Bug #48391: libav 6:11.12-1~deb8u3
 doc/errata/staging/libav.yaml | 118 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 118 insertions(+)
Comment 3 Arvid Requate univentionstaff 2019-01-09 14:16:38 CET
<http://errata.software-univention.de/ucs/4.2/570.html>