February 2014 libav security tracking bug

Bug #1277173 reported by Marc Deslauriers
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libav (Ubuntu) | Fix Released | High | Reinhard Tartler | |
| Precise | Fix Released | Undecided | Marc Deslauriers | |
| Quantal | Fix Released | Undecided | Marc Deslauriers | |
| Saucy | Fix Released | Undecided | Marc Deslauriers | |
| Trusty | Fix Released | High | Marc Deslauriers | |

Bug Description

This is a bug to track the February 2014 libav security updates:

version 0.8.10:

- oggparseogm: check timing variables
- mathematics: remove asserts from av_rescale_rnd()
- vc1: Always reset numref when parsing a new frame header.
- h264: reset num_reorder_frames if it is invalid
- h264: check that an IDR NAL only contains I slices
- mov: Free an earlier allocated array if allocating a new one
- segafilm: fix leaks if reading the header fails
- h264_cavlc: check the size of the intra PCM data.
- cavs: Check for negative cbp
- avi: DV in AVI must be considered single stream
- avutil: use align == 0 for default alignment in audio sample buffer functions
- flashsv: Check diff_start diff_height values
- dsputil/pngdsp: fix signed/unsigned type in end comparison
- vqavideo: check chunk sizes before reading chunks
- avi: directly resync on DV in AVI read failure
- get_bits: change the failure condition in init_get_bits
- twinvq: Cope with gcc-4.8.2 miscompilation
- pthread: Avoid spurious wakeups
- pthread: Fix deadlock during thread initialization
- mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0
- vc1dec: Don't decode slices when the latest slice header failed to decode
- vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks
- r3d: Add more input value validation
- fraps: Make the input buffer size checks more strict
- svq3: Avoid a division by zero
- rmdec: Validate the fps value
- twinvqdec: Check the ibps parameter separately
- asfdec: Check the return value of asf_read_stream_properties
- mxfdec: set audio timebase to 1/samplerate
- pcx: Check the packet size before assuming it fits a palette
- rpza: Fix a buffer size check
- xxan: Disallow odd width
- xan: Only read within the data that actually was initialized
- xan: Use bytestream2 to limit reading to within the buffer
- pcx: Consume the whole packet if giving up due to missing palette
- pngdec: Stop trying to decode once inflate returns Z_STREAM_END
- mov: Make sure the read sample count is nonnegative
- bfi: Add some very basic sanity checks for input packet sizes
- bfi: Avoid divisions by zero
- electronicarts: Add more sanity checking for the number of channels
- riffdec: Add sanity checks for the sample rate
- mvi: Add sanity checking for the audio frame size
- xwma: Avoid division by zero
- avidec: Make sure a packet is large enough before reading its data
- vqf: Make sure the bitrate is in the valid range
- vqf: Make sure sample_rate is set to a valid value
- vc1dec: Undo mpegvideo initialization if unable to allocate tables
- vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
- wnv1: Make sure the input packet is large enough
- dca: Validate the lfe parameter
- rl2: Avoid a division by zero
- wtv: Add more sanity checks for a length read from the file
- segafilm: Validate the number of audio channels
- qpeg: Add checks for running out of rows in qpeg_decode_inter
- mpegaudiodec: Validate that the number of channels fits at the given offset
- asv1: Verify the amount of extradata
- idroqdec: Make sure a video stream has been allocated before returning packets
- rv10: Validate the dimensions set from the container
- xmv: Add more sanity checks for parameters read from the bitstream
- ffv1: Make sure at least one slice context is initialized
- truemotion2: Use av_freep properly in an error path
- eacmv: Make sure a reference frame exists before referencing it
- mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
- ivi_common: Make sure color planes have been initialized
- oggparseogm: Convert to use bytestream2
- rv34: Check the return value from ff_rv34_decode_init
- matroskadec: Verify realaudio codec parameters
- mace: Make sure that the channel count is set to a valid value
- svq3: Check for any negative return value from ff_h264_check_intra_pred_mode
- vp3: Check the framerate for validity
- cavsdec: Make sure a sequence header has been decoded before decoding pictures
- sierravmd: Do sanity checking of frame sizes
- omadec: Properly check lengths before incrementing the position
- mpc8: Make sure the first stream exists before parsing the seek table
- mpc8: Check the seek table size parsed from the bitstream
- zmbvdec: Check the buffer size for uncompressed data
- ape: Don't allow the seektable to be omitted
- shorten: Break out of loop looking for fmt chunk if none is found
- shorten: Use a checked bytestream reader for the wave header
- smacker: Make sure we don't fill in huffman codes out of range
- smacker: Avoid integer overflow when allocating packets
- smacker: Don't return packets in unallocated streams
- dsicin: Add some basic sanity checks for fields read from the file
- roqvideodec: check dimensions validity
- qdm2: check array index before use, fix out of array accesses
- alsdec: check block length

Changed in libav (Ubuntu Precise):
status: New → Confirmed
Changed in libav (Ubuntu Quantal):
status: New → Confirmed
Changed in libav (Ubuntu Saucy):
status: New → Confirmed
Changed in libav (Ubuntu Trusty):
status: New → Confirmed
Changed in libav (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libav (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libav (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 6:0.8.10-0ubuntu0.13.10.1

---------------
libav (6:0.8.10-0ubuntu0.13.10.1) saucy-security; urgency=medium

  * Update to 0.8.10 to fix multiple security issues (LP: #1277173)
 -- Marc Deslauriers <email address hidden> Thu, 06 Feb 2014 12:06:04 -0500

Changed in libav (Ubuntu Saucy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 6:0.8.10-0ubuntu0.12.10.1

---------------
libav (6:0.8.10-0ubuntu0.12.10.1) quantal-security; urgency=medium

  * Update to 0.8.10 to fix multiple security issues (LP: #1277173)
 -- Marc Deslauriers <email address hidden> Thu, 06 Feb 2014 12:09:43 -0500

Changed in libav (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 4:0.8.10-0ubuntu0.12.04.1

---------------
libav (4:0.8.10-0ubuntu0.12.04.1) precise-security; urgency=medium

  * Update to 0.8.10 to fix multiple security issues (LP: #1277173)
 -- Marc Deslauriers <email address hidden> Thu, 06 Feb 2014 12:10:23 -0500

Changed in libav (Ubuntu Precise):
status: Confirmed → Fix Released
David (eggheadbeaver)
Changed in libav (Ubuntu Trusty):
assignee: nobody → David (eggheadbeaver)
Changed in libav (Ubuntu Trusty):
importance: Undecided → High
Reinhard Tartler (siretart) wrote :

David, Marc, I've uploaded a proposed package to my ppa: https://launchpad.net/~siretart/+archive/ppa

What are the next steps to get this to the main archive?

Marc Deslauriers (mdeslaur) wrote :

You just need to subscribe ubuntu-security-sponsors, and someone will sponsor the upload as a security update. Thanks!

Marc Deslauriers (mdeslaur) wrote :

ACK on the packages, looks good. I've uploaded them to be built and will release them later today. Thanks!

Changed in libav (Ubuntu):
assignee: David (eggheadbeaver) → nobody
status: Confirmed → Fix Committed
Changed in libav (Ubuntu Trusty):
status: Confirmed → Fix Committed
assignee: David (eggheadbeaver) → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libav - 6:9.13-0ubuntu0.14.04.1

---------------
libav (6:9.13-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * Merge from unstable, remaining changes:
    - build-depend on libtiff5-dev rather than libtiff4-dev,
      avoids FTBFS caused by imlib
  * New upstream release 9.13:
    - Many security fixes issues LP: #1277173
    - swscale: Fix an undefined behaviour
    - matroska: add the Opus mapping
    - mp3enc: Properly write bitrate value in XING header (Closes: #736088)
    - origin/pu/9 oggdec: add support for Opus in Ogg demuxing
      (Fixes: libav/603, Closes: #720563)
    - apedec: do not buffer decoded samples over AVPackets (Closes: #744901)
    - isom: lpcm in mov default to big endian
    - movdec: handle 0x7fff langcode as macintosh per the specs
    - h264: reset next_output_pic earlier in start_frame()
      (Fixes: libav/672, Closes: #741240, LP: #1288206)
    - rtmpproto: Make sure to pass on the error code if read_connect failed
    - lavr: allocate the resampling buffer with a positive size
    - tiffdec: use bytestream2 to simplify overread/overwrite protection
    - resample: fix avresample_get_delay() return value
    - avi: Improve non-interleaved detection (Fixes: libav/666)
    - af_channelmap: fix ONE_STR mapping mode
    - movenc: allow override of "writing application" tag
    - matroskaenc: allow override of "writing application" tag
    - avfilter: Add missing emms_c when needed
    - build: Use pkg-config for openjpeg (Fixes: libav/387)
    - mpeg12: check scantable indices in all decode_block functions
    - sgidec: fix buffer size check in expand_rle_row()
    - adx: check that the offset is not negative
    - mpegvideo: set reference/pict_type on generated reference frames
    - h264: Fix various crashes found in samples pointed by Mateusz
    "j00ru" Jurczyk and Gynvael Coldwind - Thanks!
  * Rebuild is reported to fix vaapi, Closes: #745655
  * Fix invocation of dpkg-maintscript helper, LP: #1315672
  * cleanup leftovers of the former libav-source package
  * Simplify listing packages with dh_listpackage
  * Drop transitional arch:all -extra- packages
  * Bump standards version to 3.9.5, no changes needed

libav (6:9.11-4) unstable; urgency=medium

  * Imported Upstream version 9.11
    - bumped severity because of many security relevant changes
    - update freetype header detection

libav (6:9.11-3) unstable; urgency=low

  * Add upstream patch to enable PIC on s390(x), Closes: #726733

libav (6:9.11-2ubuntu3) utopic; urgency=high

  * No change rebuild against librtmp1.
 -- Reinhard Tartler <email address hidden> Sun, 04 May 2014 16:11:03 -0400

Changed in libav (Ubuntu Trusty):
status: Fix Committed → Fix Released
Reinhard Tartler (siretart) wrote : Re: [Bug 1277173] Re: February 2014 libav security tracking bug

Thanks for the clarification, will do so next time!

On Fri, May 9, 2014 at 7:22 AM, Marc Deslauriers
<email address hidden> wrote:
> You just need to subscribe ubuntu-security-sponsors, and someone will
> sponsor the upload as a security update. Thanks!

--
regards,
    Reinhard

Changed in libav (Ubuntu):
status: Fix Committed → Confirmed
status: Confirmed → Fix Committed
Changed in libav (Ubuntu):
assignee: nobody → Reinhard Tartler (siretart)
Reinhard Tartler (siretart) wrote :

Libav10 transition has started now

Changed in libav (Ubuntu):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
