Bug 223626

Summary: security/vuxml: Document multiple vulnerabilities in FFmpeg
Product: Ports & Packages
Reporter: VK <vlad-fbsd>
Component: Individual Port(s)
Assignee: Ports Security Team <ports-secteam>
Status: Closed FIXED
Severity: Affects Some People
CC: debdrup, multimedia, rkoberman
Priority: ---
Keywords: patch, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (ports-secteam)
Hardware: Any
OS: Any
Attachments (Description; Flags):
Document CVE-2017-15186; none
Revised document CVE-2017-15186; none
Revised ffmpeg vulnerability entry; none
Revised ffmpeg vulnerability entry #2; none
Latest record of ffmpeg vulns; none

Description VK freebsd_triage 2017-11-12 11:09:26 UTC
Created attachment 187936
Document CVE-2017-15186

Double free vulnerability in FFmpeg 3.3.4 and earlier allows remote attackers to cause a denial of service via a crafted AVI file.
Comment 1 VK freebsd_triage 2017-11-12 11:20:23 UTC
Created attachment 187937
Revised document CVE-2017-15186

Revised patch for VuXML, as the fix has been backported to 2017Q4 in v3.3.4_1,1, adjust version range to comply.
Comment 2 Jan Beich freebsd_committer freebsd_triage 2017-11-12 12:16:06 UTC
(In reply to Vladimir Krstulja from comment #1)
> Revised patch for VuXML, as the fix has been backported to 2017Q4 in
> v3.3.4_1,1, adjust version range to comply.

Thanks for noticing. The update to n3.3.5 is waiting on ports-secteam@ approval since 2017-10-26.
Comment 3 VK freebsd_triage 2017-11-28 12:20:26 UTC
Two new vulns should be added to this entry:

* CVE-2017-15672
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15672

From what I see, 3.3.5 (that was committed to 2017Q4 today, r454971) includes the fix. Jan, can you confirm?

* http://git.videolan.org/?p=ffmpeg.git;a=log;h=refs/tags/n3.3.5

  "avcodec/ffv1dec: Fix out of array read in slice counting"

* CVE-2017-16840
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16840

New one, affects 3.4 apparently, no upstream release yet.

I'll adjust the patch.
Comment 4 Jan Beich freebsd_committer freebsd_triage 2017-11-28 13:48:54 UTC
(In reply to Vladimir Krstulja from comment #3)
> * CVE-2017-15672
>   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15672
>
> From what I see, 3.3.5 (that was committed to 2017Q4 today, r454971) includes the fix.
> Jan, can you confirm?

Yep. I see CVE-2017-15672 fix in 3.3.5.

> * CVE-2017-16840
>   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16840
>
> New one, affects 3.4 apparently, no upstream release yet.

Probably affects 3.3.5 as well given the fix applies without conflicts.
Comment 5 Jan Beich freebsd_committer freebsd_triage 2017-11-28 13:58:06 UTC
Curiously, Debian backported CVE-2017-16840 fix to ffmpeg 3.2.9.

https://anonscm.debian.org/cgit/pkg-multimedia/ffmpeg.git/commit/?id=52a351d79816
https://security-tracker.debian.org/tracker/CVE-2017-16840
Comment 6 VK freebsd_triage 2017-11-28 14:05:47 UTC
Created attachment 188355
Revised ffmpeg vulnerability entry

New patch documenting all three CVEs.
Comment 7 Jan Beich freebsd_committer freebsd_triage 2017-11-28 15:58:11 UTC
CVE-2017-16840 was fixed by ports r455047 + ports r455049.
Comment 8 VK freebsd_triage 2017-11-28 16:28:47 UTC
Created attachment 188361
Revised ffmpeg vulnerability entry #2

Revised patch adjusted for version ranges affected by commits listed in comment #7.
Comment 9 VK freebsd_triage 2017-12-27 21:51:02 UTC
Bump.
Comment 10 rkoberman 2017-12-28 00:15:28 UTC
(In reply to Vladimir Krstulja from comment #9)
Could you clarify which CVEs are still relevant to 3.4.1 after the patches?
Comment 11 VK freebsd_triage 2017-12-28 01:00:22 UTC
(In reply to rkoberman from comment #10)

This PR is about documenting vulns in versions listed in the patch. I'm not aware of any new vulns that would affect 3.4.1 at the moment.
Comment 12 Daniel Ebdrup Jensen freebsd_committer freebsd_triage 2018-02-02 21:57:53 UTC
There is a new CVE affecting ffmpeg 3.4.1 here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225637
I will close 225637 as that only covers one current exploit while this bug report covers multiple exploits.
Comment 13 Daniel Ebdrup Jensen freebsd_committer freebsd_triage 2018-02-02 21:58:06 UTC
*** Bug 225637 has been marked as a duplicate of this bug. ***
Comment 14 VK freebsd_triage 2018-02-02 22:18:41 UTC
Created attachment 190282
Latest record of ffmpeg vulns

Here's the latest revision of the patch. If this doesn't get committed soon, I'll recommend splitting up the vulns, as the majority of listed CVEs no longer apply to the version of ffmpeg in HEAD or 2018Q1, but still do apply in case any users are still at 2017Q4 for some reason.
Comment 15 commit-hook freebsd_committer freebsd_triage 2018-07-27 13:00:57 UTC
A commit references this bug:

Author: swills
Date: Fri Jul 27 13:00:46 UTC 2018
New revision: 475437
URL: https://svnweb.freebsd.org/changeset/ports/475437

Log:
  security/vuxml: Document ffmpeg issues

  PR:		223626
  Submitted by:	VK <vlad-fbsd@acheronmedia.com>

Changes:
  head/security/vuxml/vuln.xml
Comment 16 Steve Wills freebsd_committer freebsd_triage 2018-07-27 13:01:57 UTC
Committed, thanks!