oss-sec mailing list archives
Re: new FFMpeg stuff
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 25 Jul 2013 02:48:41 -0600
Can the VLC security team confirm/correct this as needed so we can ensure it's correct before I assign CVEs? Thanks.

On 07/09/2013 08:14 AM, Michael Niedermayer wrote:
> Hi
>
> On Tue, Jul 09, 2013 at 06:49:34AM +0200, Moritz Muehlenhoff wrote:
>> Kurt Seifried wrote:
>>> https://bugs.gentoo.org/show_bug.cgi?id=476218
>>>
>>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=38229362529ed1619d8ebcc81ecde85b23b45895
>
> This should have been fixed by b21ba20cc83c80fe56192fee3626a8087f37d806 in ffmpeg (Apr 22 2012).
>
>>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e30b068ef79f604ff439418da07f7e2efd01d4ea
>
> This should have been fixed by 780d45473c32fa356c8ce385c3ea4692567c3228 in ffmpeg (Sep 24 2011).
>
>>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=6765ee7b9cba46818a45b051438b2552f0a1b70a
>
> This seems listed as a buffer overflow, but as far as I can tell it fixes just a null pointer dereference. If you want to assign CVEs to all null pointer dereferences and out-of-array reads that got fixed, then quite a few more CVEs are needed. Also see: a9456c7c5ca883b5a3947e59a9fba5587e18e119
>
>>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=b36e1893ef3430f039c1eaddeedcbb378f9c4444
>
> This was fixed in 4b35ee0b7c0c4cbac3541a25a5e8c00b657c8f95 in ffmpeg (Dec 28 2011).
>
>>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7388c0c58601477db076e2e74e8b11f8a644384a
>>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=95a57d26d8653d21f0dab1aff3558ee944853dbf
>
> This was fixed in c49d94487c6135325930cbc4a8cd96d38ef6653e in ffmpeg (Jun 6 2013). Note, this issue shouldn't affect any ffmpeg releases as the code was added more recently.
>
>>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=b564784a207b1395d2b5a41e580539df04651096
>
> Same as above: jpeg2000dec.c wasn't in any releases yet as of today; what was in the releases was j2kdec.c, but that was marked as experimental.
>
>>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=78962d3df49afe5011b572656ecfe940bd5fbf2e
>>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=cf04af2086be105ff86088357b83d672d38417d9
>>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=eae63e3c156f784ee0612422f0c95131ea913c14
>>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fd54dd028bc9f7bfb80ebf823a533dc84b73f936
>
> Same as above.
>
>>> Correct me if I'm wrong, but most of these seem to deserve CVEs and none have been assigned, correct?
>>> http://ffmpeg.org/security.html
>>
>> These appear to be new, but I'm not sure how previous CVE IDs were assigned for ffmpeg/libav. E.g. CVE-2013-0878 seems to be from a Google CNA, right? (At least CVE-2013-0879 is for Chrome.) All these issues (and all the ones in previous rounds) were found through fuzzing done at Google by Mateusz "j00ru" Jurczyk and Gynvael Coldwind.
>
> I don't know about the libav side; for the ffmpeg side, CVEs were provided by "google" for all serious issues that were found. Which issues were serious could in general only be assessed after the issues were fixed, so values were available only after the fixes were committed.
>
>> It would be very, very welcome if CVE assignments from either ffmpeg or libav for any such issues would have a reference to the filename of the fuzzed file triggering the problem.
>>
>> With the diverging code bases between ffmpeg and libav [1] it becomes very complicated to properly track down if one of the two is affected.
>
> Yes, it's a big headache for us as well. Especially for me, as I am always merging all improvements and fixes from libav into ffmpeg ...
>
> [...]
>
> Thanks
--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993