Message-ID: <20130725085235.GA9457@videolan.org>
Date: Thu, 25 Jul 2013 10:52:35 +0200
From: Jean-Baptiste Kempf <jb@...eolan.org>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com, Michael Niedermayer <michaelni@....at>,
	Moritz Muehlenhoff <jmm@...til.org>,
	Moritz Muehlenhoff <jmm@...ian.org>, ffmpeg-security@...peg.org,
	security@...eolan.org
Subject: Re: new FFMpeg stuff

On 25 Jul, Kurt Seifried wrote :
> Can the VLC security team confirm/correct this as needed so we can
> ensure it's correct before I assign CVEs? thanks.

Why should the VLC security team be involved in that?


> On 07/09/2013 08:14 AM, Michael Niedermayer wrote:
> > Hi
> > 
> > On Tue, Jul 09, 2013 at 06:49:34AM +0200, Moritz Muehlenhoff
> > wrote:
> >> Kurt Seifried wrote:
> >> 
> >>> 
> >>> https://bugs.gentoo.org/show_bug.cgi?id=476218
> >>> 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=38229362529ed1619d8ebcc81ecde85b23b45895
> >
> >>> 
> > This should have been fixed by
> > b21ba20cc83c80fe56192fee3626a8087f37d806 in ffmpeg (Apr 22 2012)
> > 
> > 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e30b068ef79f604ff439418da07f7e2efd01d4ea
> >
> >>> 
> > This should have been fixed by
> > 780d45473c32fa356c8ce385c3ea4692567c3228 in ffmpeg (Sep 24 2011)
> > 
> > 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=6765ee7b9cba46818a45b051438b2552f0a1b70a
> >
> >>> 
> > This seems listed as buffer overflow but as far as I can tell it
> > fixes just a null pointer dereference. If you want to assign CVEs
> > to all null pointer dereferences and out of array reads that got
> > fixed then quite a few more CVEs are needed.
> > 
> > Also see: a9456c7c5ca883b5a3947e59a9fba5587e18e119
> > 
> > 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=b36e1893ef3430f039c1eaddeedcbb378f9c4444
> >
> >>> 
> > This was fixed in 4b35ee0b7c0c4cbac3541a25a5e8c00b657c8f95 in
> > ffmpeg (Dec 28 2011)
> > 
> > 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7388c0c58601477db076e2e74e8b11f8a644384a
> >
> >>> 
> > 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=95a57d26d8653d21f0dab1aff3558ee944853dbf
> >
> >>> 
> > This was fixed in c49d94487c6135325930cbc4a8cd96d38ef6653e in
> > ffmpeg (Jun 6 2013) Note, this issue shouldn't affect any ffmpeg
> > releases as the code was added more recently
> > 
> > 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=b564784a207b1395d2b5a41e580539df04651096
> >
> >>> 
> > Same as above jpeg2000dec.c wasn't in any releases yet as of today,
> > what was in the releases was j2kdec.c but that was marked as
> > experimental
> > 
> > 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=78962d3df49afe5011b572656ecfe940bd5fbf2e
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=cf04af2086be105ff86088357b83d672d38417d9
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=eae63e3c156f784ee0612422f0c95131ea913c14
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fd54dd028bc9f7bfb80ebf823a533dc84b73f936
> > 
> > Same as above
> > 
> > 
> > 
> >>> 
> >>> Correct me if I'm wrong but most of these seem to deserve CVEs
> >>> and none have been assigned, correct?
> >>> 
> >>> http://ffmpeg.org/security.html
> >> 
> >> These appear to be new, but I'm not sure how previous CVE IDs
> >> were assigned for ffmpeg/libav. E.g. CVE-2013-0878 seems to be
> >> from a Google CNA, right? (At least CVE-2013-0879 is for Chrome)
> >> 
> >> All these issues (and all the ones in previous rounds) were found
> >> through fuzzing done at Google by Mateusz "j00ru" Jurczyk and
> >> Gynvael Coldwind.
> > 
> > I don't know about the libav side, for the ffmpeg side CVEs were
> > provided by "google" for all serious issues that were found.
> > Which issues were serious could in general only be assessed after
> > the issues were fixed so values were available only after the
> > fixes were committed.
> > 
> > 
> >> 
> >> It would be very, very welcome if CVE assignments from either
> >> ffmpeg or libav for any such issues would have a reference to the
> >> filename of the fuzzed file triggering the problem.
> >> 
> > 
> >> With the diverging code bases between ffmpeg and libav [1] it
> >> becomes very complicated to properly track down if one of the two
> >> is affected.
> > 
> > Yes, it's a big headache for us as well. Especially for me as I am
> > always merging all improvements and fixes from libav into ffmpeg
> > ...
> > 
> > [...]
> > 
> > Thanks
> > 
> 
> 
> - -- 
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-- 
Best regards,

-- 
Jean-Baptiste Kempf
http://www.jbkempf.com/ - +33 672 704 734
Sent from my Electronic Device
