Tobias Klein from TrapKit found that FFmpeg's 4X movie decoder is prone to a user-controlled memory overwrite vulnerability.

Fix:

The following patch adds an almost-upstream patch for FFmpeg (modulo trivial modifications since the snapshot from 2008-07-27). Works fine for my setup when FFmpeg is used as the movie transcoder.

The following VuXML entry should be evaluated and added:

<vuln vid="e5e6fb01-0c21-11de-b26a-001fc66e7203">
  <topic>ffmpeg -- attacker-controlled memory overwrite vulnerability in 4X movie parser</topic>
  <affects>
    <package>
      <name>ffmpeg</name>
      <range><lt>2008.07.27_9</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Tobias Klein reports:</p>
      <blockquote cite="http://trapkit.de/advisories/TKADV2009-004.txt">
        <p>FFmpeg contains a type conversion vulnerability while parsing malformed 4X movie files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of FFmpeg or an application using the FFmpeg library.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2009-0385</cvename>
    <bid>33502</bid>
    <url>http://trapkit.de/advisories/TKADV2009-004.txt</url>
  </references>
  <dates>
    <discovery>2009-01-28</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---

From 1d8af9e70b4060787039c00464341aa8e6cc1c5c Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sun, 8 Mar 2009 23:42:20 +0300
overwrite possibility
Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 multimedia/ffmpeg/Makefile | 2 +-
 multimedia/ffmpeg/files/patch-tkadv2009-004 | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletions(-)
 create mode 100644 multimedia/ffmpeg/files/patch-tkadv2009-004
diff --git a/multimedia/ffmpeg/Makefile b/multimedia/ffmpeg/Makefile index 75a5f06..0b6fadb 100644 --- a/multimedia/ffmpeg/Makefile +++ b/multimedia/ffmpeg/Makefile @@ -7,7 +7,7 @@ PORTNAME= ffmpeg DISTVERSION= 2008-07-27 -PORTREVISION= 8 +PORTREVISION= 9 CATEGORIES= multimedia audio ipv6 net MASTER_SITES= ${MASTER_SITE_LOCAL} MASTER_SITE_SUBDIR= ahze diff --git a/multimedia/ffmpeg/files/patch-tkadv2009-004 b/multimedia/ffmpeg/files/patch-tkadv2009-004 new file mode 100644 index 0000000..27e4d5c --- /dev/null +++ b/multimedia/ffmpeg/files/patch-tkadv2009-004 @@ -0,0 +1,22 @@ +Patch for TKADV2009-004, type conversion vulnerability in 4X +movie parser + +Modified version of: http://git.ffmpeg.org/?p=ffmpeg;a=commitdiff;h=72e715fb798f2cb79fd24a6d2eaeafb7c6eeda17#patch1 + +--- libavformat/4xm.c.orig 2008-06-03 20:20:54.000000000 +0400 ++++ libavformat/4xm.c 2009-03-08 23:38:44.000000000 +0300 +@@ -163,10 +163,12 @@ + return AVERROR_INVALIDDATA; + } + current_track = AV_RL32(&header[i + 8]); ++ if((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1){ ++ av_log(s, AV_LOG_ERROR, "current_track too large\n"); ++ return -1; ++ } + if (current_track + 1 > fourxm->track_count) { + fourxm->track_count = current_track + 1; +- if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack)) +- return -1; + fourxm->tracks = av_realloc(fourxm->tracks, + fourxm->track_count * sizeof(AudioTrack)); + if (!fourxm->tracks) { -- 1.6.1.3 How-To-Repeat: http://trapkit.de/advisories/TKADV2009-004.txt
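Review bot: in the libavformat/4xm.c hunk, the new range check on current_track exits with a bare "return -1;" while the context line directly above it returns AVERROR_INVALIDDATA for malformed input, so the same class of failure now reports two different codes to the caller; returning AVERROR_INVALIDDATA here would keep the demuxer consistent. Moving the check ahead of "current_track + 1 > fourxm->track_count" is the right order, since the cast to unsigned rejects negative values read from the file before any arithmetic is done on them. The bound is still close to UINT_MAX / sizeof(AudioTrack), so a file can still ask for a very large av_realloc; the existing "if (!fourxm->tracks)" branch has to remain the safety net for that case. The check also relies on UINT_MAX, so it is worth confirming that 4xm.c already pulls in limits.h in this snapshot, because the hunk does not add the include.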
Responsible Changed From-To: freebsd-ports-bugs->freebsd-multimedia Over to maintainer (via the GNATS Auto Assign Tool)
miwi 2009-03-16 19:25:07 UTC
FreeBSD ports repository
Modified files:
  security/vuxml vuln.xml
Log:
- Document ffmpeg -- 4xm processing memory corruption vulnerability
PR: based on 132434
Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Revision  Changes  Path
1.1885    +35 -1   ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
miwi 2009-03-16 19:38:08 UTC
FreeBSD ports repository
Modified files:
  multimedia/ffmpeg Makefile
Added files:
  multimedia/ffmpeg/files patch-tkadv2009-004
Log:
- Fix 4xm Processing Memory Corruption Vulnerability
- Bump PORTREVISION
PR: 132434
Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Security: http://www.vuxml.org/freebsd/6733e1bf-125f-11de-a964-0030843d3802.html
Revision  Changes  Path
1.92      +1 -1    ports/multimedia/ffmpeg/Makefile
1.1       +17 -0   ports/multimedia/ffmpeg/files/patch-tkadv2009-004 (new)
State Changed From-To: open->closed Committed. Thanks!