Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5294DC97.2010607@redhat.com>
Date: Tue, 26 Nov 2013 10:38:31 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: ffmpeg-security@...peg.org
Subject: Re: CVE Request: FFmpeg 2.1 multiple problems

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/26/2013 07:01 AM, Michael Niedermayer wrote:
> Hi
> 
> Id like to request CVE(s) for FFmpeg 2.1, for the changes below:
> 
> 
> https://github.com/FFmpeg/FFmpeg/commit/29ffeef5e73b8f41ff3a3f2242d356759c66f91f
>
> 
fixes a deadlock in h264 decoding
> https://trac.ffmpeg.org/ticket/2927
> 
> https://github.com/FFmpeg/FFmpeg/commit/3819db745da2ac7fb3faacb116788c32f4753f34
>
> 
Fixes out of array (on heap) writes in rpza decoding
> https://trac.ffmpeg.org/ticket/2850
> 
> https://github.com/FFmpeg/FFmpeg/commit/454a11a1c9c686c78aa97954306fb63453299760
>
> 
avcodec/dsputil: fix signedness in sizeof() comparissions leading
> to interger overflow and out of array accesses
> 
> https://github.com/FFmpeg/FFmpeg/commit/547d690d676064069d44703a1917e0dab7e33445
>
> 
Fixes out of array (on heap) writes in ffv1 decoding
> https://trac.ffmpeg.org/ticket/2906 Found-by: ami_stuff
> 
> https://github.com/FFmpeg/FFmpeg/commit/780669ef7c23c00836a24921fcc6b03be2b8ca4a
>
> 
Fixes out of array write in jpeg2000 decoding
> https://trac.ffmpeg.org/ticket/3080 Found-by: ami_stuff
> 
> https://github.com/FFmpeg/FFmpeg/commit/821a5938d100458f4d09d634041b05c860554ce0
>
> 
Fix order of align and pixel size multiplication.
> Fixes out of array accesses in g2m4 
> https://trac.ffmpeg.org/ticket/2922 Found-by: ami_stuff
> 
> https://github.com/FFmpeg/FFmpeg/commit/86736f59d6a527d8bc807d09b93f971c0fe0bb07
>
> 
avcodec/pngdsp: fix (un)signed type in end comparission
> Fixes out of array writes in png decoding 
> https://trac.ffmpeg.org/ticket/2919 Found_by: ami_stuff
> 
> https://github.com/FFmpeg/FFmpeg/commit/880c73cd76109697447fbfbaa8e5ee5683309446
>
> 
avcodec/flashsv: check diff_start/height
> Fixes out of array accesses https://trac.ffmpeg.org/ticket/2844 
> Found-by: ami_stuff
> 
> https://github.com/FFmpeg/FFmpeg/commit/8bb11c3ca77b52e05a9ed1496a65f8a76e6e2d8f
>
> 
Check cdx/y values more carefully
> Fixes out of array accesses in jpeg2000 decoding 
> https://trac.ffmpeg.org/ticket/2848 Found-by: Piotr Bandurski
> <ami_stuff@...pl>
> 
> https://github.com/FFmpeg/FFmpeg/commit/912ce9dd2080c5837285a471d750fa311e09b555
>
> 
fix dereferencing invalid pointers in jpeg2000 decoding
> Found-by: Laurent Butti <laurentb@...il.com>
> 
> https://github.com/FFmpeg/FFmpeg/commit/9a271a9368eaabf99e6c2046103acb33957e63b7
>
> 
jpeg2000: check log2_cblk dimensions
> Fixes out of array access https://trac.ffmpeg.org/ticket/2895 
> Found-by: Piotr Bandurski <ami_stuff@...pl>
> 
> https://github.com/FFmpeg/FFmpeg/commit/a1b9004b768bef606ee98d417bceb9392ceb788d
>
> 
avcodec/jpeg2000dec: fix context consistency with too large lowres
> Fixes out of array accesses in jpeg2000 decoding 
> https://trac.ffmpeg.org/ticket/2898
> 
> https://github.com/FFmpeg/FFmpeg/commit/b05cd1ea7e45a836f7f6071a716c38bb30326e0f
>
> 
ffv1dec: Check bits_per_raw_sample and colorspace for equality in ver
0/1 headers
> prevents inconsistency and out of array write
> 
> https://github.com/FFmpeg/FFmpeg/commit/cdd5df8189ff1537f7abe8defe971f80602cc2d2
>
> 
avfilter/vf_fps: make sure the fifo is not empty before using it
> fixes double free in the fps filter 
> https://trac.ffmpeg.org/ticket/2905
> 
> https://github.com/FFmpeg/FFmpeg/commit/e07ac727c1cc9eed39e7f9117c97006f719864bd
>
> 
fixes out of array access in g2m4
> https://trac.ffmpeg.org/ticket/2971 Found-by: ami_stuff
> 
> https://github.com/FFmpeg/FFmpeg/commit/f31011e9abfb2ae75bb32bc44e2c34194c8dc40a
>
> 
out of array write (on heap) in case of realloc failure
> https://trac.ffmpeg.org/ticket/2982
> 
> https://github.com/FFmpeg/FFmpeg/commit/fe448cd28d674c3eff3072552eae366d0b659ce9
>
> 
avcodec/jpeg2000dec: prevent out of array accesses in pixel addressing
> https://trac.ffmpeg.org/ticket/2921
> 
> 

I will get to this ticket probably tonight, it's going to take a while
to process.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSlNyXAAoJEBYNRVNeJnmTvA8P/Rus/3mHg5WBTWT8FzTgXQTI
ylhRR89QCXhS74c2QyCiSqI880vnZaxN5IJOEOMwdozw+vhCnyMOGTB8ZB+lbMqy
goJRQvi6djY9EAPQPc8R0st1wARJfEDwisUiIiRvfJHGoAz7xwkXiJ7uNjqJmUBn
whPs8JhayMaRKPKDVjK74FNYLiZPEE8rHpLFl28r8t/L5Mh2q/I74s2gDbOwZvAy
Mm4RpCwpRCgMoWhPjSwM7qwTThVTJaWgGWa9aYcibJO8BcWk2UtUvTdwh77t1VSn
aQSvy2gd+fQdxLmmReFUnHcVZUX0jwavCSLuskcA8w4VPXSe6kBW9HcdYjlA7yOn
/l5O4Ih6IT2QA382ofnbP3iwOzIXA3LGFmmGt2DrCMIlqs/FpSk8aBiwMkmzkTHT
CkbrZ88LTSiwbjiXXFg+gKzsr0f7Tt7eXPcwfEUBb/zQMLQvbG9RAWq4v0Uq8nsN
rbBx4QM2i8QPJIorq/fGLsd/B5BoE5+ekAqC5amXLwCJxeN6YjLnkgT/r/hxPVzp
HuxocQ8XmyC4v5/ZDZGeHU7lR7fhLALLTEFK7Qi1IFJcKTdBeLdGcOArksCnUmpR
6aNB8IiM+OLD6Te103BxXMKkbIdRlPk2o9S3W+noW6YOwaag05/yLvsKtMwfR705
d7AkQQz82aYh4KuB3fxm
=kRcK
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.