Created attachment 187936: Document CVE-2017-15186
Double free vulnerability in FFmpeg 3.3.4 and earlier allows remote attackers to cause a denial of service via a crafted AVI file.
Created attachment 187937: Revised document CVE-2017-15186
Revised patch for VuXML, as the fix has been backported to 2017Q4 in v3.3.4_1,1, adjust version range to comply.
(In reply to Vladimir Krstulja from comment #1)
> Revised patch for VuXML, as the fix has been backported to 2017Q4 in
> v3.3.4_1,1, adjust version range to comply.
Thanks for noticing. The update to n3.3.5 is waiting on ports-secteam@ approval since 2017-10-26.
Two new vulns should be added to this entry:
* CVE-2017-15672
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15672
  From what I see, 3.3.5 (that was committed to 2017Q4 today, r454971) includes the fix. Jan, can you confirm?
  * http://git.videolan.org/?p=ffmpeg.git;a=log;h=refs/tags/n3.3.5 "avcodec/ffv1dec: Fix out of array read in slice counting"
* CVE-2017-16840
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16840
  New one, affects 3.4 apparently, no upstream release yet.
I'll adjust the patch.
(In reply to Vladimir Krstulja from comment #3)
> * CVE-2017-15672
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15672
>
> From what I see, 3.3.5 (that was committed to 2017Q4 today, r454971) includes the fix.
> Jan, can you confirm?
Yep. I see CVE-2017-15672 fix in 3.3.5.
> * CVE-2017-16840
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16840
>
> New one, affects 3.4 apparently, no upstream release yet.
Probably affects 3.3.5 as well given the fix applies without conflicts.
Curiously, Debian backported CVE-2017-16840 fix to ffmpeg 3.2.9.
https://anonscm.debian.org/cgit/pkg-multimedia/ffmpeg.git/commit/?id=52a351d79816
https://security-tracker.debian.org/tracker/CVE-2017-16840
Created attachment 188355: Revised ffmpeg vulnerability entry
New patch documenting all three CVEs.
CVE-2017-16840 was fixed by ports r455047 + ports r455049.
Created attachment 188361: Revised ffmpeg vulnerability entry #2
Revised patch adjusted for version ranges affected by commits listed in comment #7.
Bump.
(In reply to Vladimir Krstulja from comment #9) Could you clarify which CVEs are still relevant to 3.4.1 after the patches?
(In reply to rkoberman from comment #10) This PR is about documenting vulns in versions listed in the patch. I'm not aware of any new vulns that would affect 3.4.1 at the moment.
There is a new CVE affecting ffmpeg 3.4.1 here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225637 I will close 225637 as that only covers one current exploit while this bug report covers multiple exploits.
*** Bug 225637 has been marked as a duplicate of this bug. ***
Created attachment 190282: Latest record of ffmpeg vulns
Here's the latest revision of the patch. If this doesn't get committed soon, I'll recommend splitting up the vulns, as the majority of the listed CVEs no longer apply to the version of ffmpeg in HEAD or 2018Q1, but do still apply in case any users are still at 2017Q4 for some reason.
A commit references this bug:
Author: swills
Date: Fri Jul 27 13:00:46 UTC 2018
New revision: 475437
URL: https://svnweb.freebsd.org/changeset/ports/475437
Log:
  security/vuxml: Document ffmpeg issues
  PR: 223626
  Submitted by: VK <vlad-fbsd@acheronmedia.com>
Changes:
  head/security/vuxml/vuln.xml
Committed, thanks!