[Bug 1533367] Re: ffmpeg allows Server-Side Request Forgery attack

[Launchpad Bug Tracker]

This bug was fixed in the package ffmpeg - 7:2.8.6-1ubuntu1

---
ffmpeg (7:2.8.6-1ubuntu1) xenial; urgency=low

  * Merge from Debian unstable.  Remaining changes:
- Compile with -O2 rather than -O3 on s390x, to work around
  https://bugs.launchpad.net/bugs/1526324.
  * Should fix LP: #1533367

ffmpeg (7:2.8.6-1) unstable; urgency=medium

  * Import new upstream bugfix release 2.8.6.
  * Update Standards-Version to 3.9.7.
 - Move documentatation from /u/s/d/ffmpeg-doc/ to /u/s/d/ffmpeg/.
  * Use https for the Vcs-Git link.

ffmpeg (7:2.8.5-1) unstable; urgency=medium

  * Import new upstream bugfix release 2.8.5.
 - Fixes CVE-2016-1897 and CVE-2016-1898.
  * Update doc-make-apidoc-output-independent-of-SRC_PATH.patch.
  * Add patch to make out-of-tree builds bit-identical to in-tree-builds.
  * Enable the now available opencv and frei0r on mips64el.
  * Fix altivec-extra compile time optimization.
  * Update copyright year for the debian files.
  * Change priority of libavcodec*-extra* to extra.

 -- Iain Lane   Thu, 25 Feb 2016 17:48:20
+

** Changed in: ffmpeg (Ubuntu Xenial)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1533367

Title:
  ffmpeg allows Server-Side Request Forgery attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1533367] Re: ffmpeg allows Server-Side Request Forgery attack

[Launchpad Bug Tracker]

This bug was fixed in the package ffmpeg - 7:2.5.10-0ubuntu0.15.04.1

---
ffmpeg (7:2.5.10-0ubuntu0.15.04.1) vivid-security; urgency=medium

  * Import new upstream bugfix release 2.5.10.
 - Fixes CVE-2016-1897 and CVE-2016-1898. (LP: #1533367)

 -- Andreas Cadhalpun   Tue, 19 Jan
2016 20:24:46 +0100

** Changed in: ffmpeg (Ubuntu Vivid)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1533367

Title:
  ffmpeg allows Server-Side Request Forgery attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1533367] Re: ffmpeg allows Server-Side Request Forgery attack

[Marc Deslauriers]

ACK on the debdiff in comment #7. Package is building now and will be
released as a security update today. Thanks!

** Changed in: ffmpeg (Ubuntu Vivid)
   Status: Confirmed => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1533367

Title:
  ffmpeg allows Server-Side Request Forgery attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1533367] Re: ffmpeg allows Server-Side Request Forgery attack

[Launchpad Bug Tracker]

This bug was fixed in the package ffmpeg - 7:2.7.5-0ubuntu0.15.10.1

---
ffmpeg (7:2.7.5-0ubuntu0.15.10.1) wily-security; urgency=medium

  * Import new upstream bugfix release 2.7.5.
 - Fixes CVE-2016-1897 and CVE-2016-1898. (LP: #1533367)

 -- Andreas Cadhalpun   Fri, 15 Jan
2016 21:05:04 +0100

** Changed in: ffmpeg (Ubuntu Wily)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1533367

Title:
  ffmpeg allows Server-Side Request Forgery attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1533367] Re: ffmpeg allows Server-Side Request Forgery attack

[Andreas Cadhalpun]

Filipp, if an issue is fixed in libavformat it doesn't affect programs
using this dynamic library  (like mplayer) anymore, once they have been
restarted after libavformat has been upgraded.

To fix this issue in xenial, 2.8.5-1 needs to be merged from
Debian/unstable.

Attached is a debdiff for vivid. (git repo is at [1])

Testing performed (in a vivid chroot):
 * build including test suite works
 * installation works
 * upgrade works
 * no regression in the autopkgtests from 2.8.5-1

>From the upstream Changelog:

version 2.5.10
- configure: bump copyright year to 2016
- avformat/hls: Even stricter URL checks
- avformat/hls: More strict url checks
- swscale/utils: Detect and skip unneeded sws_setColorspaceDetails() calls
- swscale/yuv2rgb: Increase YUV2RGB table headroom
- swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out
- avformat/hls: forbid all protocols except http(s) & file
- avformat/aviobuf: Fix end check in put_str16()
- avformat/asfenc: Check pts
- avcodec/mpeg4video: Check time_incr
- avcodec/wavpackenc: Check the number of channels
- avcodec/wavpackenc: Headers are per channel
- avcodec/dvdec: Fix "left shift of negative value -254"
- avcodec/mjpegdec: Fix negative shift
- avcodec/mss2: Check for repeat overflow
- avformat: Add integer fps from 31 to 60 to get_std_framerate()
- avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range
- avfilter/vf_scale: set proper out frame color range
- avcodec/motion_est: Fix mv_penalty table size
- avcodec/h264_slice: Fix integer overflow in implicit weight computation
- swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny 
dimensions
- avcodec/put_bits: Always check buffer end before writing
- mjpegdec: extend check for incompatible values of s->rgb and s->ls
- swscale/utils: Fix intermediate format for cascaded alpha downscaling
- avcodec/h264_refs: Fix long_idx check
- avfilter/vf_mpdecimate: Add missing emms_c()
- avformat/mxfenc: Do not crash if there is no packet in the first stream
- avformat/utils: estimate_timings_from_pts - increase retry counter, fixes 
invalid duration for ts files with hevc codec
- avformat/matroskaenc: Check codecdelay before use
- avutil/mathematics: Fix division by 0
- x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse
- avcodec/mpeg4videodec: also for empty partitioned slices
- nuv: sanitize negative fps rate
- rawdec: only exempt BIT0 with need_copy from buffer sanity check
- mlvdec: check that index_entries exist
- nutdec: reject negative value_len in read_sm_data
- xwddec: prevent overflow of lsize * avctx->height
- nutdec: only copy the header if it exists
- exr: fix out of bounds read in get_code
- on2avc: limit number of bits to 30 in get_egolomb
- sonic: make sure num_taps * channels is not larger than frame_size
- opus_silk: fix typo causing overflow in silk_stabilize_lsf
- ffm: reject invalid codec_id and codec_type
- aaccoder: prevent crash of anmr coder
- ffmdec: reject zero-sized chunks
- swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the 
alignment is insufficient for SSE*
- swscale/x86/rgb2rgb_template: Do not crash on misaligend stride

1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git/log/?h=vivid

** Patch added: "debdiff for 2.5.10"
   
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+attachment/4553060/+files/ffmpeg_2.5.10.diff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1533367

Title:
  ffmpeg allows Server-Side Request Forgery attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1533367] Re: ffmpeg allows Server-Side Request Forgery attack

[Marc Deslauriers]

** Also affects: ffmpeg (Ubuntu Vivid)
   Importance: Undecided
   Status: New

** Also affects: ffmpeg (Ubuntu Xenial)
   Importance: Medium
   Status: Confirmed

** Also affects: ffmpeg (Ubuntu Wily)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1533367

Title:
  ffmpeg allows Server-Side Request Forgery attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1533367] Re: ffmpeg allows Server-Side Request Forgery attack

[Filipp Frizzy]

Thank you, guys
Is it also fixed another packages like Mplayer or KDE Baloo?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1533367

Title:
  ffmpeg allows Server-Side Request Forgery attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1533367] Re: ffmpeg allows Server-Side Request Forgery attack

[Marc Deslauriers]

** Changed in: ffmpeg (Ubuntu Vivid)
   Status: New => Confirmed

** Changed in: ffmpeg (Ubuntu Wily)
   Status: New => Confirmed

** Changed in: ffmpeg (Ubuntu Vivid)
   Importance: Undecided => Medium

** Changed in: ffmpeg (Ubuntu Wily)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1533367

Title:
  ffmpeg allows Server-Side Request Forgery attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1533367] Re: ffmpeg allows Server-Side Request Forgery attack

[Marc Deslauriers]

ACK on the debdiff in comment #3. Packages are building now and will be
released as a security update today. Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1533367

Title:
  ffmpeg allows Server-Side Request Forgery attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1533367] Re: ffmpeg allows Server-Side Request Forgery attack

[Mathew Hodson]

** Changed in: ffmpeg (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1533367

Title:
  ffmpeg allows Server-Side Request Forgery attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1533367] Re: ffmpeg allows Server-Side Request Forgery attack

[Andreas Cadhalpun]

CVE-2016-1897 (concat) and CVE-2016-1898 (subfile) were assigned to this
bug, which (among other potentially security relevant issues) is fixed
in FFmpeg 2.7.5 (the lines below starting with avformat/hls refer to
this bug).

Attached is a debdiff. (git repo is at [1])

Testing performed (in a wily chroot):
 * build including test suite works
 * installation works
 * upgrade works
 * autopkgtests pass

>From the upstream Changelog:

version 2.7.5
- configure: bump copyright year to 2016
- avformat/hls: Even stricter URL checks
- avformat/hls: More strict url checks
- swscale/utils: Detect and skip unneeded sws_setColorspaceDetails() calls
- swscale/yuv2rgb: Increase YUV2RGB table headroom
- swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out
- avformat/hls: forbid all protocols except http(s) & file
- avformat/aviobuf: Fix end check in put_str16()
- avformat/asfenc: Check pts
- avcodec/mpeg4video: Check time_incr
- avcodec/wavpackenc: Check the number of channels
- avcodec/wavpackenc: Headers are per channel
- avcodec/aacdec_template: Check id_map
- avcodec/dvdec: Fix "left shift of negative value -254"
- avcodec/mjpegdec: Fix negative shift
- avcodec/mss2: Check for repeat overflow
- avformat: Add integer fps from 31 to 60 to get_std_framerate()
- avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range
- avfilter/vf_scale: set proper out frame color range
- avcodec/motion_est: Fix mv_penalty table size
- avcodec/h264_slice: Fix integer overflow in implicit weight computation
- swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny 
dimensions
- avcodec/put_bits: Always check buffer end before writing
- mjpegdec: extend check for incompatible values of s->rgb and s->ls
- swscale/utils: Fix intermediate format for cascaded alpha downscaling
- x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse
- avfilter/vf_zoompan: do not free frame we pushed to lavfi


1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git/log/?h=wily

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-1897

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-1898

** Patch added: "debdiff for 2.7.5"
   
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+attachment/4550765/+files/ffmpeg_2.7.5.diff

** Changed in: ffmpeg (Ubuntu)
   Status: Incomplete => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1533367

Title:
  ffmpeg allows Server-Side Request Forgery attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1533367] Re: ffmpeg allows Server-Side Request Forgery attack

[Marc Deslauriers]

Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is available, members of the security team will review it and
publish the package. See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Information type changed from Private Security to Public Security

** Changed in: ffmpeg (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1533367

Title:
  ffmpeg allows Server-Side Request Forgery attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1533367/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs