FFmpeg security fixes March 2015

Bug #1436296 reported by Andreas Cadhalpun
Affects: ffmpeg (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned

Bug Description

FFmpeg 2.5.5 fixing a number of crashes and other potentially security relevant issues was released.
From the upstream Changelog:

version 2.5.5:
- vp9: make above buffer pointer 32-byte aligned.
- avcodec/dnxhddec: Check that the frame is interlaced before using cur_field
- avformat/mov: Disallow ".." in dref unless use_absolute_path is set
- avformat/mov: Check for string truncation in mov_open_dref()
- avformat/mov: Use sizeof(filename) instead of a literal number
- eac3dec: fix scaling
- ac3_fixed: fix computation of spx_noise_blend
- ac3_fixed: fix out-of-bound read
- ac3dec_fixed: always use the USE_FIXED=1 variant of the AC3DecodeContext
- avcodec/012v: redesign main loop
- avcodec/012v: Check dimensions more completely
- asfenc: fix leaking asf->index_ptr on error
- avcodec/options_table: remove extradata_size from the AVOptions table
- ffmdec: limit the backward seek to the last resync position
- ffmdec: make sure the time base is valid
- ffmdec: fix infinite loop at EOF
- ffmdec: initialize f_cprv, f_stvi and f_stau
- avformat/rm: limit packet size
- avcodec/webp: validate the distance prefix code
- avcodec/rv10: check size of s->mb_width * s->mb_height
- eamad: check for out of bounds read
- mdec: check for out of bounds read
- arm: Suppress tags about used cpu arch and extensions
- aic: Fix decoding files with odd dimensions
- avcodec/tiff: move bpp check to after "end:"
- mxfdec: Fix the error handling for when strftime fails
- avcodec/opusdec: Fix delayed sample value
- avcodec/opusdec: Clear out pointers per packet
- avcodec/utils: Align YUV411 by as much as the other YUV variants
- vp9: fix segmentation map retention with threading enabled.
- webp: ensure that each transform is only used once
- doc/protocols/tcp: fix units of listen_timeout option value, from microseconds to milliseconds
- fix VP9 packet decoder returning 0 instead of the used data size
- avformat/flvenc: check that the codec_tag fits in the available bits
- avcodec/utils: use correct printf specifier in ff_set_sar
- avutil/imgutils: correctly check for negative SAR components
- swscale/utils: clear formatConvBuffer on allocation
- avformat/bit: only accept the g729 codec and 1 channel
- avformat/bit: check that pkt->size is 10 in write_packet
- avformat/adxdec: check avctx->channels for invalid values
- avformat/adxdec: set avctx->channels in adx_read_header
- Fix buffer_size argument to init_put_bits() in multiple encoders.
- mips/acelp_filters: fix incorrect register constraint
- avcodec/hevc_ps: Sanity checks for some log2_* values
- avcodec/zmbv: Check len before reading in decode_frame()
- avcodec/h264: Only reinit quant tables if a new PPS is allowed
- avcodec/snowdec: Fix ref value check
- swscale/utils: More carefully merge and clear coefficients outside the input
- avcodec/a64multienc: Assert that the Packet size does not grow
- avcodec/a64multienc: simplify frame handling code
- avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop
- avcodec/a64multienc: initialize mc_meta_charset to zero
- avcodec/a64multienc: don't set incorrect packet size
- avcodec/a64multienc: use av_frame_ref instead of copying the frame
- avcodec/x86/mlpdsp_init: Simplify mlp_filter_channel_x86()
- h264: initialize H264Context.avctx in init_thread_copy
- wtvdec: fix integer overflow resulting in errors with large files
- avcodec/gif: fix off by one in column offsetting finding

Since Debian already has the next major upstream version 2.6.1, syncing is probably incompatible with the vivid freeze.
Thus I've created a vivid branch in the git repository on Alioth [1], where I imported 2.5.5.
I'm attaching the debdiff.

I've tested the resulting package using the autopkgtests from 2.6.1-1 and only 2 failures remain of the 4 failures and 7 crashes with 2.5.4.

1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git
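The two avformat/mov entries in the changelog above (disallowing ".." in dref paths unless use_absolute_path is set, and checking for string truncation in mov_open_dref()) describe a general pattern for hardening file-reference handling in container parsers: reject path components that escape the media directory, and treat a truncated path buffer as an error rather than silently opening the wrong file. The C program below is an added illustration of that pattern and is not FFmpeg's code; build_dref_path, has_dotdot_component and the dref_result codes are invented names, and the directory and reference strings in main are constructed sample inputs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Outcome of resolving an external data reference (names constructed for this example). */
enum dref_result {
    DREF_OK = 0,
    DREF_REJECT_DOTDOT = -1,  /* a ".." component was present and absolute paths are not allowed */
    DREF_TRUNCATED = -2       /* the joined path did not fit the output buffer */
};

/* Returns true if any '/'-separated component of path is exactly "..".
 * Names such as "a..b" or "..tmp" are not traversal and are accepted. */
static bool has_dotdot_component(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (!end)
            break;
        p = end + 1;
    }
    return false;
}

/* Joins dir and ref into out (capacity outsize) as "<dir>/<ref>".
 * Mirrors the two checks named in the changelog: ".." is refused unless
 * use_absolute_path is set, and snprintf's return value is compared against
 * sizeof(out) so a truncated path is reported instead of used. */
int build_dref_path(char *out, size_t outsize, const char *dir,
                    const char *ref, bool use_absolute_path)
{
    if (!use_absolute_path && has_dotdot_component(ref))
        return DREF_REJECT_DOTDOT;

    int n = snprintf(out, outsize, "%s/%s", dir, ref);
    if (n < 0 || (size_t)n >= outsize)
        return DREF_TRUNCATED;
    return DREF_OK;
}

int main(void)
{
    char path[64];  /* small on purpose so truncation can be demonstrated */
    const char *dir = "/media/clips";  /* constructed sample directory */
    const char *refs[] = { "audio.wav", "../outside.mov", "sub/take..2.mov" };

    for (size_t i = 0; i < sizeof(refs) / sizeof(refs[0]); i++) {
        int r = build_dref_path(path, sizeof(path), dir, refs[i], false);
        printf("%-18s -> %s\n", refs[i],
               r == DREF_OK ? path :
               r == DREF_REJECT_DOTDOT ? "rejected (..)" : "rejected (truncated)");
    }
    return 0;
}
```

The same ".." check is applied per component rather than by substring search, so a legitimate filename containing two dots is not refused, while a reference that climbs out of the media directory is refused unless the caller has explicitly opted in.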

Andreas Cadhalpun (andreas-cadhalpun) wrote:
information type: Private Security → Public Security
Changed in ffmpeg (Ubuntu):
status: New → Confirmed
Daniel Holbach (dholbach) wrote:

 - Subscribing release team.
 - Debian has 2.6.1 now. Ubuntu has no local changes.

Daniel Holbach (dholbach) wrote:

Builds fine on amd64 vivid:

 dpkg-genchanges >../ffmpeg_2.6.1-1_amd64.changes
dpkg-genchanges: including full source code in upload
 dpkg-source --after-build ffmpeg-2.6.1
dpkg-buildpackage: full upload (original source is included)
I: Copying back the cached apt archive contents
I: unmounting dev/pts filesystem
W: Could not unmount dev/pts: umount: /var/cache/pbuilder/build//10360/dev/pts: not mounted
W: Ignored error in unmount
I: unmounting run/shm filesystem
I: unmounting proc filesystem

Iain Lane (laney) wrote:

Why did you build 2.6.1 instead of 2.5.5 as the bug requests?

I don't think that would require an exception.

Andreas Cadhalpun (andreas-cadhalpun) wrote:

In the meanwhile FFmpeg 2.5.6 with some more fixes has been released.

version 2.5.6
- avcodec/atrac3plusdsp: fix on stack alignment
- ac3: validate end in ff_ac3_bit_alloc_calc_mask
- aacpsy: avoid psy_band->threshold becoming NaN
- aasc: return correct buffer size from aasc_decode_frame
- msrledec: use signed pixel_ptr in msrle_decode_pal4
- swresample: Allow reinitialization without ever setting channel layouts (cherry picked from commit 80a28c7509a11114e1aea5b208d56c6646d69c07)
- swresample: Allow reinitialization without ever setting channel counts
- avcodec/h264: Do not fail with randomly truncated VUIs
- avcodec/h264_ps: Move truncation check from VUI to SPS
- avcodec/h264: Be more tolerant to changing pps id between slices
- avcodec/aacdec: Fix storing state before PCE decode
- avcodec/h264: reset the counts in the correct context
- avcodec/h264_slice: Do not reset mb_aff_frame per slice
- avcodec/h264: finish previous slices before switching to single thread mode
- avcodec/h264: Fix race between slices where one overwrites data from the next
- avcodec/h264_refs: Do not set reference to things which do not exist
- avcodec/h264: Fail for invalid mixed IDR / non IDR frames in slice threading mode
- h264: avoid unnecessary calls to get_format
- avcodec/msrledec: restructure msrle_decode_pal4() based on the line number instead of the pixel pointer

I updated the vivid branch on Alioth [1].

It builds fine in a vivid chroot, including build time tests.
Attached is a debdiff from 2.5.4-1.

1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git/log/?h=vivid

Andreas Cadhalpun (andreas-cadhalpun) wrote:

As vivid is released now, this update needs to go through vivid-security.
Attached is an updated debdiff. (git repo is at [1])

Testing performed (in a vivid chroot):
 * build including test suite works
 * installation works
 * upgrade works
 * running the autopkgtests from 2.6.2-1 (in Debian) gives 2 less failures and 7 less crashes than 2.5.4-1
    (Only two failures remain.)

1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git/log/?h=vivid

Marc Deslauriers (mdeslaur) wrote:

Ack on the debdiff, looks good. I've uploaded it to build and will release it later today. Thanks!

Changed in ffmpeg (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ffmpeg - 7:2.5.6-0ubuntu0.15.04.1

---------------
ffmpeg (7:2.5.6-0ubuntu0.15.04.1) vivid-security; urgency=medium

  * Import new upstream bugfix release 2.5.6. (LP: #1436296)

 -- Andreas Cadhalpun <email address hidden> Sun, 19 Apr 2015 19:39:22 +0200

Changed in ffmpeg (Ubuntu):
status: Fix Committed → Fix Released
This report contains Public Security information: everyone can see this security related information.