Bug 223626 - security/vuxml: Document multiple vulnerabilities in FFmpeg
Summary: security/vuxml: Document multiple vulnerabilities in FFmpeg
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Ports Security Team
URL:
Keywords: patch, security
: 225637 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-11-12 11:09 UTC by VK
Modified: 2018-07-27 13:01 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (ports-secteam)


Attachments
Document CVE-2017-15186 (1.37 KB, patch)
2017-11-12 11:09 UTC, VK
no flags Details | Diff
Revised document CVE-2017-15186 (1.37 KB, patch)
2017-11-12 11:20 UTC, VK
no flags Details | Diff
Revised ffmpeg vulnerability entry (1.67 KB, patch)
2017-11-28 14:05 UTC, VK
no flags Details | Diff
Revised ffmpeg vulnerability entry #2 (1.71 KB, patch)
2017-11-28 16:28 UTC, VK
no flags Details | Diff
Latest record of ffmpeg vulns (2.01 KB, patch)
2018-02-02 22:18 UTC, VK
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description VK freebsd_triage 2017-11-12 11:09:26 UTC
Created attachment 187936 [details]
Document CVE-2017-15186

Double free vulnerability in FFmpeg 3.3.4 and earlier allows remote attackers to cause a denial of service via a crafted AVI file.
Comment 1 VK freebsd_triage 2017-11-12 11:20:23 UTC
Created attachment 187937 [details]
Revised document CVE-2017-15186

Revised patch for VuXML, as the fix has been backported to 2017Q4 in v3.3.4_1,1, adjust version range to comply.
Comment 2 Jan Beich freebsd_committer 2017-11-12 12:16:06 UTC
(In reply to Vladimir Krstulja from comment #1)
> Revised patch for VuXML, as the fix has been backported to 2017Q4 in
> v3.3.4_1,1, adjust version range to comply.

Thanks for noticing. The update to n3.3.5 is waiting on ports-secteam@ approval since 2017-10-26.
Comment 3 VK freebsd_triage 2017-11-28 12:20:26 UTC
Two new vulns should should be added to this entry:

* CVE-2017-15672
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15672

From what I see, 3.3.5 (that was committed to 2017Q4 today, r454971) includes the fix. Jan, can you confirm?

* http://git.videolan.org/?p=ffmpeg.git;a=log;h=refs/tags/n3.3.5

  "avcodec/ffv1dec: Fix out of array read in slice counting"

* CVE-2017-16840
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16840

New one, affects 3.4 apparently, no upstream release yet.

I'll adjust the patch.
Comment 4 Jan Beich freebsd_committer 2017-11-28 13:48:54 UTC
(In reply to Vladimir Krstulja from comment #3)
> * CVE-2017-15672
>   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15672
>
> From what I see, 3.3.5 (that was committed to 2017Q4 today, r454971) includes the fix.
> Jan, can you confirm?

Yep. I see CVE-2017-15672 fix in 3.3.5.

> * CVE-2017-16840
>   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16840
>
> New one, affects 3.4 apparently, no upstream release yet.

Probably affects 3.3.5 as well given the fix applies without conflicts.
Comment 5 Jan Beich freebsd_committer 2017-11-28 13:58:06 UTC
Curiously, Debian backported CVE-2017-16840 fix to ffmpeg 3.2.9.

https://anonscm.debian.org/cgit/pkg-multimedia/ffmpeg.git/commit/?id=52a351d79816
https://security-tracker.debian.org/tracker/CVE-2017-16840
Comment 6 VK freebsd_triage 2017-11-28 14:05:47 UTC
Created attachment 188355 [details]
Revised ffmpeg vulnerability entry

New patch documenting all three CVEs.
Comment 7 Jan Beich freebsd_committer 2017-11-28 15:58:11 UTC
CVE-2017-16840 was fixed by ports r455047 + ports r455049.
Comment 8 VK freebsd_triage 2017-11-28 16:28:47 UTC
Created attachment 188361 [details]
Revised ffmpeg vulnerability entry #2

Revised patch adjusted for version ranges affected by commits listed in comment #7.
Comment 9 VK freebsd_triage 2017-12-27 21:51:02 UTC
Bump.
Comment 10 rkoberman 2017-12-28 00:15:28 UTC
(In reply to Vladimir Krstulja from comment #9)
Could you clarify which CVEs are still relevant to 3.4.1 after the patches?
Comment 11 VK freebsd_triage 2017-12-28 01:00:22 UTC
(In reply to rkoberman from comment #10)

This PR is about documenting vulns in versions listed in the patch. I'm not aware of any new vulns that would affect 3.4.1 at the moment.
Comment 12 D. Ebdrup 2018-02-02 21:57:53 UTC
There is a new CVE affecting ffmpeg 3.4.1 here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225637
I will close 225637 as that only covers one current exploit while this bug report covers multiple exploits.
Comment 13 D. Ebdrup 2018-02-02 21:58:06 UTC
*** Bug 225637 has been marked as a duplicate of this bug. ***
Comment 14 VK freebsd_triage 2018-02-02 22:18:41 UTC
Created attachment 190282 [details]
Latest record of ffmpeg vulns

Here's the latest revision of the patch. If this doesn't get committed soon, I'll recommend splitting up the vulns as majority of listed CVEs no longer apply to version of ffmpeg in the HEAD or 2018Q1, but still does affect in case any users are still at 2017Q4 for some reason.
Comment 15 commit-hook freebsd_committer 2018-07-27 13:00:57 UTC
A commit references this bug:

Author: swills
Date: Fri Jul 27 13:00:46 UTC 2018
New revision: 475437
URL: https://svnweb.freebsd.org/changeset/ports/475437

Log:
  security/vuxml: Document ffmpeg issues

  PR:		223626
  Submitted by:	VK <vlad-fbsd@acheronmedia.com>

Changes:
  head/security/vuxml/vuln.xml
Comment 16 Steve Wills freebsd_committer 2018-07-27 13:01:57 UTC
Committed, thanks!