Ubuntu
ffmpeg package

FFmpeg security fixes March 2015

Bug #1436296 reported by Andreas Cadhalpun on 2015-03-25
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ffmpeg (Ubuntu)
Fix Released
Undecided
Unassigned
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

FFmpeg 2.5.5 fixing a number of crashes and other potentially security relevant issues was released.
From the upstream Changelog:

version 2.5.5:
- vp9: make above buffer pointer 32-byte aligned.
- avcodec/dnxhddec: Check that the frame is interlaced before using cur_field
- avformat/mov: Disallow ".." in dref unless use_absolute_path is set
- avformat/mov: Check for string truncation in mov_open_dref()
- avformat/mov: Use sizeof(filename) instead of a literal number
- eac3dec: fix scaling
- ac3_fixed: fix computation of spx_noise_blend
- ac3_fixed: fix out-of-bound read
- ac3dec_fixed: always use the USE_FIXED=1 variant of the AC3DecodeContext
- avcodec/012v: redesign main loop
- avcodec/012v: Check dimensions more completely
- asfenc: fix leaking asf->index_ptr on error
- avcodec/options_table: remove extradata_size from the AVOptions table
- ffmdec: limit the backward seek to the last resync position
- ffmdec: make sure the time base is valid
- ffmdec: fix infinite loop at EOF
- ffmdec: initialize f_cprv, f_stvi and f_stau
- avformat/rm: limit packet size
- avcodec/webp: validate the distance prefix code
- avcodec/rv10: check size of s->mb_width * s->mb_height
- eamad: check for out of bounds read
- mdec: check for out of bounds read
- arm: Suppress tags about used cpu arch and extensions
- aic: Fix decoding files with odd dimensions
- avcodec/tiff: move bpp check to after "end:"
- mxfdec: Fix the error handling for when strftime fails
- avcodec/opusdec: Fix delayed sample value
- avcodec/opusdec: Clear out pointers per packet
- avcodec/utils: Align YUV411 by as much as the other YUV variants
- vp9: fix segmentation map retention with threading enabled.
- webp: ensure that each transform is only used once
- doc/protocols/tcp: fix units of listen_timeout option value, from microseconds to milliseconds
- fix VP9 packet decoder returning 0 instead of the used data size
- avformat/flvenc: check that the codec_tag fits in the available bits
- avcodec/utils: use correct printf specifier in ff_set_sar
- avutil/imgutils: correctly check for negative SAR components
- swscale/utils: clear formatConvBuffer on allocation
- avformat/bit: only accept the g729 codec and 1 channel
- avformat/bit: check that pkt->size is 10 in write_packet
- avformat/adxdec: check avctx->channels for invalid values
- avformat/adxdec: set avctx->channels in adx_read_header
- Fix buffer_size argument to init_put_bits() in multiple encoders.
- mips/acelp_filters: fix incorrect register constraint
- avcodec/hevc_ps: Sanity checks for some log2_* values
- avcodec/zmbv: Check len before reading in decode_frame()
- avcodec/h264: Only reinit quant tables if a new PPS is allowed
- avcodec/snowdec: Fix ref value check
- swscale/utils: More carefully merge and clear coefficients outside the input
- avcodec/a64multienc: Assert that the Packet size does not grow
- avcodec/a64multienc: simplify frame handling code
- avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop
- avcodec/a64multienc: initialize mc_meta_charset to zero
- avcodec/a64multienc: don't set incorrect packet size
- avcodec/a64multienc: use av_frame_ref instead of copying the frame
- avcodec/x86/mlpdsp_init: Simplify mlp_filter_channel_x86()
- h264: initialize H264Context.avctx in init_thread_copy
- wtvdec: fix integer overflow resulting in errors with large files
- avcodec/gif: fix off by one in column offsetting finding

Since Debian has already the next major upstream version 2.6.1, syncing is probably incompatible with the vivid freeze.
Thus I've created a vivid branch in the git repository on Alioth [1], where I imported 2.5.5.
I'm attaching the debdiff.

I've tested the resulting package using the autopkgtests from 2.6.1-1 and only 2 failures remain of the 4 failures and 7 crashes with 2.5.4.

1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git

Andreas Cadhalpun (andreas-cadhalpun) wrote :
information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) on 2015-03-26
Changed in ffmpeg (Ubuntu):
status: New → Confirmed
Daniel Holbach (dholbach) wrote :

 - Subscribing release team.
 - Debian has 2.6.1 now. Ubuntu has no local changes.

Daniel Holbach (dholbach) wrote :

Builds fine on amd64 vivid:

 dpkg-genchanges >../ffmpeg_2.6.1-1_amd64.changes
dpkg-genchanges: including full source code in upload
 dpkg-source --after-build ffmpeg-2.6.1
dpkg-buildpackage: full upload (original source is included)
I: Copying back the cached apt archive contents
I: unmounting dev/pts filesystem
W: Could not unmount dev/pts: umount: /var/cache/pbuilder/build//10360/dev/pts: not mounted
W: Ignored error in unmount
I: unmounting run/shm filesystem
I: unmounting proc filesystem

Iain Lane (laney) wrote :

Why did you build 2.6.1 instead of 2.5.5 as the bug requests?

I don't think that would require an exception.

Andreas Cadhalpun (andreas-cadhalpun) wrote :

In the meanwhile FFmpeg 2.5.6 with some more fixes has been released.

version 2.5.6
- avcodec/atrac3plusdsp: fix on stack alignment
- ac3: validate end in ff_ac3_bit_alloc_calc_mask
- aacpsy: avoid psy_band->threshold becoming NaN
- aasc: return correct buffer size from aasc_decode_frame
- msrledec: use signed pixel_ptr in msrle_decode_pal4
- swresample: Allow reinitialization without ever setting channel layouts (cherry picked from commit 80a28c7509a11114e1aea5b208d56c6646d69c07)
- swresample: Allow reinitialization without ever setting channel counts
- avcodec/h264: Do not fail with randomly truncated VUIs
- avcodec/h264_ps: Move truncation check from VUI to SPS
- avcodec/h264: Be more tolerant to changing pps id between slices
- avcodec/aacdec: Fix storing state before PCE decode
- avcodec/h264: reset the counts in the correct context
- avcodec/h264_slice: Do not reset mb_aff_frame per slice
- avcodec/h264: finish previous slices before switching to single thread mode
- avcodec/h264: Fix race between slices where one overwrites data from the next
- avcodec/h264_refs: Do not set reference to things which do not exist
- avcodec/h264: Fail for invalid mixed IDR / non IDR frames in slice threading mode
- h264: avoid unnecessary calls to get_format
- avcodec/msrledec: restructure msrle_decode_pal4() based on the line number instead of the pixel pointer

I updated the vivid branch on Alioth [1].

It builds fine in a vivid chroot, including build time tests.
Attached is a debdiff from 2.5.4-1.

1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git/log/?h=vivid

Andreas Cadhalpun (andreas-cadhalpun) wrote :

As vivid is released now, this update needs to go through vivid-security.
Attached is an updated debdiff. (git repo is at [1])

Testing performed (in a vivid chroot):
 * build including test suite works
 * installation works
 * upgrade works
 * running the autopkgtests from 2.6.2-1 (in Debian) gives 2 less failures and 7 less crashes than 2.5.4-1
    (Only two failures remain.)

1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git/log/?h=vivid

Marc Deslauriers (mdeslaur) wrote :

Ack on the debdiff, looks good. I've uploaded it to build and will release it later today. Thanks!

Changed in ffmpeg (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ffmpeg - 7:2.5.6-0ubuntu0.15.04.1

---------------
ffmpeg (7:2.5.6-0ubuntu0.15.04.1) vivid-security; urgency=medium

  * Import new upstream bugfix release 2.5.6. (LP: #1436296)

 -- Andreas Cadhalpun <email address hidden> Sun, 19 Apr 2015 19:39:22 +0200

Changed in ffmpeg (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.
Subscribing...

Other bug subscribers