On Sa, Feb 20, 2010 at 22:02:51 (CET), Michael Gilbert wrote:
> package: ffmpeg
> version: 0.svn20080206-18
> severity: serious
> tags: security
> hi, i have just tested the latest ffmpeg update against the original
> proof of concepts reported in bug #550442. many of them are
> still effective. there is some good news though; i've found that
> upstream has addressed all of the problems in their latest svn version.
> attached are my findings.
> reference may be useful to track down the other needed patches; or
> it may be easier to just upgrade to a new svn (however, the patches
> still need to be determined for stable).
Okay, disregarding the DoS-only crashers, here is my analysis so far:
*** dv/smclockdv.avi.2.0: vulnerable / fixed in upstream svn20100220
unreproducible in 0.5: smclockdv.avi.2.0: Error while opening file
*** huffyuv/*: all vulnerable / all fixed in upstream svn20100220
confirmed in smclockhuffyuv.avi.1.0
fixed by backporting r19322, committed to 0.5
all fixed by backporting these two patches:
  backport r19355 by reimar:
    Make decode_init fail if the huffman tables are invalid and thus init_vlc fails.
    Otherwise this will crash during decoding because the vlc tables are NULL.
    Partially fixes ogv/smclock.ogv.1.101.ogv from issue 1240.
  r19374 by reimar:
    Add extra validation checks to ff_vorbis_len2vlc.
    They should not be necessary, but it seems like a reasonable precaution.
**** ogv/smclock.ogv.1.0.ogv: vulnerable / fixed in upstream svn20100220
**** ogv/smclock.ogv.1.842.ogv: vulnerable / fixed in upstream svn20100220
**** ogv/smclock.ogv.1.181.ogv: vulnerable / fixed in upstream svn20100220
**** ogv/smclock.ogv.2.164.ogv: vulnerable / fixed in upstream svn20100220
*** vp62/smclockvp62hsp.avi.3.118: vulnerable / fixed in upstream svn20100220
unreproducible in 0.5:
[avi @ 0x9253a60]Something went wrong during header parsing, I will ignore it
and try to continue anyway.
[avi @ 0x9253a60]Could not find codec parameters (Invalid Codec type -1)
vp62/smclockvp62hsp.avi.3.118: could not find codec parameters
*** wmv division by zero errors:
fixed in 0.5, backported r19330
*** wmv7/smclockv7.wmv.1.0: vulnerable / fixed in upstream svn20100220
*** wmv8/smclockv8.wmv.1.0: vulnerable / fixed in upstream svn20100220
*** wmv9/smclockv9.wmv.1.0: vulnerable / fixed in upstream svn20100220
I imagine that these revisions apply to the version in lenny as well.
Reinhard Tartler, KeyID 945348A4
pkg-multimedia-maintainers mailing list
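The two backported commits above describe one fix pattern: validate the Huffman code-length table when the decoder is initialised, and make init fail when the table cannot be built, instead of returning success and letting the decode path dereference a NULL VLC table. The following is an added example, not ffmpeg's code and not part of this thread: a toy canonical-Huffman decoder in C that plays the role ff_vorbis_len2vlc/init_vlc play in ffmpeg. The unchecked and checked init variants sit side by side; all function names, the sample length table and the sample bitstream are constructed for this illustration.

```c
/* Added example (not ffmpeg's code): a toy canonical-Huffman ("VLC") decoder
 * whose init validates the code-length table and fails instead of leaving a
 * NULL table for decode to dereference. Names and sample data are constructed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_CODE_LEN 16

struct vlc_table {
    int       nb_codes;
    uint32_t *codes;    /* canonical code of symbol i */
    uint8_t  *lens;     /* code length of symbol i, 0 = symbol unused */
};

struct toy_decoder {
    struct vlc_table *vlc;  /* stays NULL if init failed */
};

/* Reject lengths over MAX_CODE_LEN and tables violating the Kraft inequality
 * (sum of 2^-len > 1): no prefix-free code exists for them and the canonical
 * assignment in build_vlc would overflow. Returns 0 if valid, -1 otherwise. */
int validate_lengths(const uint8_t *lens, int n)
{
    uint64_t kraft = 0;
    for (int i = 0; i < n; i++) {
        if (lens[i] > MAX_CODE_LEN)
            return -1;
        if (lens[i])
            kraft += 1ULL << (MAX_CODE_LEN - lens[i]);
    }
    return kraft > (1ULL << MAX_CODE_LEN) ? -1 : 0;
}

void free_vlc(struct vlc_table *t)
{
    if (!t) return;
    free(t->codes);
    free(t->lens);
    free(t);
}

/* Assign canonical codes (shorter lengths first, ascending symbol index).
 * Returns NULL on an invalid table or allocation failure. */
struct vlc_table *build_vlc(const uint8_t *lens, int n)
{
    if (n <= 0 || validate_lengths(lens, n) < 0)
        return NULL;
    struct vlc_table *t = calloc(1, sizeof(*t));
    if (!t) return NULL;
    t->codes = calloc((size_t)n, sizeof(*t->codes));
    t->lens  = malloc((size_t)n);
    if (!t->codes || !t->lens) { free_vlc(t); return NULL; }
    memcpy(t->lens, lens, (size_t)n);
    t->nb_codes = n;
    uint32_t code = 0;
    for (int len = 1; len <= MAX_CODE_LEN; len++) {
        for (int i = 0; i < n; i++)
            if (lens[i] == len)
                t->codes[i] = code++;
        code <<= 1;
    }
    return t;
}

/* Read bits MSB-first; returns the symbol index, or -1 if the stream ends or
 * no code matches within MAX_CODE_LEN bits. */
int decode_symbol(const struct vlc_table *t, const uint8_t *buf,
                  size_t nbits, size_t *bitpos)
{
    uint32_t code = 0;
    for (int len = 1; len <= MAX_CODE_LEN; len++) {
        if (*bitpos >= nbits)
            return -1;
        code = (code << 1) | ((buf[*bitpos >> 3] >> (7 - (*bitpos & 7))) & 1u);
        (*bitpos)++;
        for (int i = 0; i < t->nb_codes; i++)
            if (t->lens[i] == len && t->codes[i] == code)
                return i;
    }
    return -1;
}

/* The pattern the backport removed: init ignores the table-build failure. */
int decoder_init_unchecked(struct toy_decoder *d, const uint8_t *lens, int n)
{
    d->vlc = build_vlc(lens, n);
    return 0;                       /* reports success even when vlc is NULL */
}

/* Hardened: propagate the failure so the caller never reaches decode. */
int decoder_init_checked(struct toy_decoder *d, const uint8_t *lens, int n)
{
    d->vlc = build_vlc(lens, n);
    return d->vlc ? 0 : -1;
}

/* 0 = usable decoder, 1 = init refused the table, 2 = init claimed success
 * but left vlc NULL (the state that crashed the decode path). */
int init_outcome(int checked, const uint8_t *lens, int n)
{
    struct toy_decoder d = { NULL };
    int rc = checked ? decoder_init_checked(&d, lens, n)
                     : decoder_init_unchecked(&d, lens, n);
    int out = rc < 0 ? 1 : (d.vlc ? 0 : 2);
    free_vlc(d.vlc);
    return out;
}

/* Constructed sample: lengths {1,2,3,3} give codes 0, 10, 110, 111; the
 * stream "0 10 110 111" packs to 0x5B 0x80 (9 bits). {1,1,1} sums to 1.5. */
const uint8_t kGoodLens[4] = {1, 2, 3, 3};
const uint8_t kBadLens[3]  = {1, 1, 1};
const uint8_t kStream[2]   = {0x5B, 0x80};

/* Decodes kStream with kGoodLens; returns 4 if the symbols come out as
 * 0,1,2,3 in order, -1 on any failure. */
int decode_demo(void)
{
    struct toy_decoder d = { NULL };
    if (decoder_init_checked(&d, kGoodLens, 4) < 0)
        return -1;
    size_t pos = 0;
    int count = 0, ok = 1;
    while (pos < 9) {
        int sym = decode_symbol(d.vlc, kStream, 9, &pos);
        if (sym != count) { ok = 0; break; }
        count++;
    }
    free_vlc(d.vlc);
    return ok ? count : -1;
}

int main(void)
{
    printf("good table, checked init:  outcome %d\n", init_outcome(1, kGoodLens, 4));
    printf("bad table, unchecked init: outcome %d\n", init_outcome(0, kBadLens, 3));
    printf("bad table, checked init:   outcome %d\n", init_outcome(1, kBadLens, 3));
    printf("decoded %d symbols\n", decode_demo());
    return 0;
}
```

The point of the pair of init functions is the one reimar's commit message makes: build_vlc already refuses the malformed table, but with the unchecked init the caller still sees success and proceeds to decode_symbol with a NULL table. The Kraft check in validate_lengths is the kind of "should not be necessary" extra validation r19374 adds in front of the table construction.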