
Bug#989570: unblock: ffmpeg/7:4.3.2-0+deb11u2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ffmpeg.

[ Reason ]
New CVEs (out-of-band reads caused by malicious files and a buffer
overflow) have been reported for ffmpeg.

[ Impact ]
Some CVEs remain unpatched. If this upload is not unblocked, they will
likely be fixed when pushing the next stable release of the 4.3.x series
via DSA to bullseye.

[ Tests ]
ffmpeg's and the reverse dependencies' autopkgtests have all succeeded.

[ Risks ]
Low as the patches can be reverted in case of regressions.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
ffmpeg is a key package and requires an unblock.

unblock ffmpeg/7:4.3.2-0+deb11u2

Cheers
-- 
Sebastian Ramacher
diff -Nru ffmpeg-4.3.2/debian/changelog ffmpeg-4.3.2/debian/changelog
--- ffmpeg-4.3.2/debian/changelog	2021-02-21 22:19:57.000000000 +0100
+++ ffmpeg-4.3.2/debian/changelog	2021-06-04 22:34:50.000000000 +0200
@@ -1,3 +1,13 @@
+ffmpeg (7:4.3.2-0+deb11u2) unstable; urgency=medium
+
+  * debian/patches: Apply upstream patches for CVEs (Closes: #989439)
+    - avfilter/vf_vmafmotion: Fix out-of-bounds access (CVE-2020-22019, CVE-2020-22033)
+    - avfilter/vf_yadif: Fix out-of-bounds access (CVE-2020-22021)
+    - avformat/movenc: Fix out-of-bounds access (CVE-2020-22015)
+    - avcodec/pngen: Fix buffer overflow (CVE-2020-21041)
+
+ -- Sebastian Ramacher <sramacher@debian.org>  Fri, 04 Jun 2021 22:34:50 +0200
+
 ffmpeg (7:4.3.2-0+deb11u1) unstable; urgency=medium
 
   * New upstream release
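Review bot: The last bullet of the new changelog entry names "avcodec/pngen", which looks like a typo for "avcodec/pngenc", the file the corresponding patch touches (libavcodec/pngenc.c). The same bullet says "Fix buffer overflow (CVE-2020-21041)", while the patch it refers to is titled "remove monowhite from apng formats" and mentions no CVE in its header. A changelog wording that says the pixel format was dropped from the APNG encoder would let a reader match the entry to the patch.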
diff -Nru ffmpeg-4.3.2/debian/patches/0004-avfilter-vf_vmafmotion-Check-dimensions.patch ffmpeg-4.3.2/debian/patches/0004-avfilter-vf_vmafmotion-Check-dimensions.patch
--- ffmpeg-4.3.2/debian/patches/0004-avfilter-vf_vmafmotion-Check-dimensions.patch	1970-01-01 01:00:00.000000000 +0100
+++ ffmpeg-4.3.2/debian/patches/0004-avfilter-vf_vmafmotion-Check-dimensions.patch	2021-06-04 22:34:04.000000000 +0200
@@ -0,0 +1,29 @@
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 29 May 2021 09:58:31 +0200
+Subject: avfilter/vf_vmafmotion: Check dimensions
+
+Fixes: out of array access
+Fixes: Ticket8241
+Fixes: Ticket8246
+Fixes: CVE-2020-22019
+Fixes: CVE-2020-22033
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavfilter/vf_vmafmotion.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c
+index 88d0b35..0730147 100644
+--- a/libavfilter/vf_vmafmotion.c
++++ b/libavfilter/vf_vmafmotion.c
+@@ -238,6 +238,9 @@ int ff_vmafmotion_init(VMAFMotionData *s,
+     int i;
+     const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt);
+ 
++    if (w < 3 || h < 3)
++        return AVERROR(EINVAL);
++
+     s->width = w;
+     s->height = h;
+     s->stride = FFALIGN(w * sizeof(uint16_t), 32);
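Review bot: The new guard "if (w < 3 || h < 3)" in ff_vmafmotion_init uses a bare 3 with no comment or named constant saying which requirement of the filter it encodes. It also returns AVERROR(EINVAL) without any message. A one-line comment stating the minimum frame size the code below needs would make the check reviewable on its own. If a logging context is available at this point, an error message would make the rejection diagnosable for users who feed tiny frames.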
diff -Nru ffmpeg-4.3.2/debian/patches/0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch ffmpeg-4.3.2/debian/patches/0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch
--- ffmpeg-4.3.2/debian/patches/0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch	1970-01-01 01:00:00.000000000 +0100
+++ ffmpeg-4.3.2/debian/patches/0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch	2021-06-04 22:34:04.000000000 +0200
@@ -0,0 +1,78 @@
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 29 May 2021 11:17:35 +0200
+Subject: avfilter/vf_yadif: Fix handing of tiny images
+
+Fixes: out of array access
+Fixes: Ticket8240
+Fixes: CVE-2020-22021
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavfilter/vf_yadif.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c
+index 43dea67..06fd24e 100644
+--- a/libavfilter/vf_yadif.c
++++ b/libavfilter/vf_yadif.c
+@@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1,
+     uint8_t *next2 = parity ? cur  : next;
+ 
+     const int edge = MAX_ALIGN - 1;
++    int offset = FFMAX(w - edge, 3);
+ 
+     /* Only edge pixels need to be processed here.  A constant value of false
+      * for is_not_edge should let the compiler ignore the whole branch. */
+-    FILTER(0, 3, 0)
++    FILTER(0, FFMIN(3, w), 0)
+ 
+-    dst  = (uint8_t*)dst1  + w - edge;
+-    prev = (uint8_t*)prev1 + w - edge;
+-    cur  = (uint8_t*)cur1  + w - edge;
+-    next = (uint8_t*)next1 + w - edge;
++    dst  = (uint8_t*)dst1  + offset;
++    prev = (uint8_t*)prev1 + offset;
++    cur  = (uint8_t*)cur1  + offset;
++    next = (uint8_t*)next1 + offset;
+     prev2 = (uint8_t*)(parity ? prev : cur);
+     next2 = (uint8_t*)(parity ? cur  : next);
+ 
+-    FILTER(w - edge, w - 3, 1)
+-    FILTER(w - 3, w, 0)
++    FILTER(offset, w - 3, 1)
++    offset = FFMAX(offset, w - 3);
++    FILTER(offset, w, 0)
+ }
+ 
+ 
+@@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1,
+     uint16_t *next2 = parity ? cur  : next;
+ 
+     const int edge = MAX_ALIGN / 2 - 1;
++    int offset = FFMAX(w - edge, 3);
+ 
+     mrefs /= 2;
+     prefs /= 2;
+ 
+-    FILTER(0, 3, 0)
++    FILTER(0,  FFMIN(3, w), 0)
+ 
+-    dst   = (uint16_t*)dst1  + w - edge;
+-    prev  = (uint16_t*)prev1 + w - edge;
+-    cur   = (uint16_t*)cur1  + w - edge;
+-    next  = (uint16_t*)next1 + w - edge;
++    dst   = (uint16_t*)dst1  + offset;
++    prev  = (uint16_t*)prev1 + offset;
++    cur   = (uint16_t*)cur1  + offset;
++    next  = (uint16_t*)next1 + offset;
+     prev2 = (uint16_t*)(parity ? prev : cur);
+     next2 = (uint16_t*)(parity ? cur  : next);
+ 
+-    FILTER(w - edge, w - 3, 1)
+-    FILTER(w - 3, w, 0)
++    FILTER(offset, w - 3, 1)
++    offset = FFMAX(offset, w - 3);
++    FILTER(offset, w, 0)
+ }
+ 
+ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs)
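Review bot: In both filter_edges and filter_edges_16bit the base pointers are advanced by offset = FFMAX(w - edge, 3) even when w is smaller than 3, so dst, prev, cur and next then point past the end of the row. Correctness relies on the later FILTER(offset, w - 3, 1) and FILTER(offset, w, 0) ranges being empty. The FILTER macro body is not among the visible lines, so that should be confirmed. The variable offset takes on a second meaning after "offset = FFMAX(offset, w - 3);" with no comment. A short comment describing the narrow-image cases would help, as would factoring out the clamp that is duplicated across the two functions. Minor: the 16-bit hunk has a double space in "FILTER(0,  FFMIN(3, w), 0)", and the Subject reads "handing" where "handling" is presumably meant.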
diff -Nru ffmpeg-4.3.2/debian/patches/0006-avformat-movenc-Check-pal_size-before-use.patch ffmpeg-4.3.2/debian/patches/0006-avformat-movenc-Check-pal_size-before-use.patch
--- ffmpeg-4.3.2/debian/patches/0006-avformat-movenc-Check-pal_size-before-use.patch	1970-01-01 01:00:00.000000000 +0100
+++ ffmpeg-4.3.2/debian/patches/0006-avformat-movenc-Check-pal_size-before-use.patch	2021-06-04 22:34:04.000000000 +0200
@@ -0,0 +1,34 @@
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 29 May 2021 09:22:27 +0200
+Subject: avformat/movenc: Check pal_size before use
+
+Fixes: assertion failure
+Fixes: out of array read
+Fixes: Ticket8190
+Fixes: CVE-2020-22015
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavformat/movenc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libavformat/movenc.c b/libavformat/movenc.c
+index 5d8dc4f..5c1bb18 100644
+--- a/libavformat/movenc.c
++++ b/libavformat/movenc.c
+@@ -2090,11 +2090,13 @@ static int mov_write_video_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex
+         avio_wb16(pb, 0x18); /* Reserved */
+ 
+     if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) {
+-        int pal_size = 1 << track->par->bits_per_coded_sample;
+-        int i;
++        int pal_size, i;
+         avio_wb16(pb, 0);             /* Color table ID */
+         avio_wb32(pb, 0);             /* Color table seed */
+         avio_wb16(pb, 0x8000);        /* Color table flags */
++        if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8)
++            return AVERROR(EINVAL);
++        pal_size = 1 << track->par->bits_per_coded_sample;
+         avio_wb16(pb, pal_size - 1);  /* Color table size (zero-relative) */
+         for (i = 0; i < pal_size; i++) {
+             uint32_t rgb = track->palette[i];
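Review bot: In mov_write_video_tag the range check on track->par->bits_per_coded_sample sits after the three avio_wb16/avio_wb32 calls that emit the color table ID, seed and flags, so the AVERROR(EINVAL) path returns with part of the tag already written to pb. Moving the check to the top of the PAL8 branch, before the first avio_wb16(pb, 0), would reject bad input before any output is produced. A short comment on what the upper bound of 8 protects would also help, since the loop below reads track->palette[i] for every i < pal_size.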
diff -Nru ffmpeg-4.3.2/debian/patches/0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch ffmpeg-4.3.2/debian/patches/0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch
--- ffmpeg-4.3.2/debian/patches/0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch	1970-01-01 01:00:00.000000000 +0100
+++ ffmpeg-4.3.2/debian/patches/0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch	2021-06-04 22:34:04.000000000 +0200
@@ -0,0 +1,25 @@
+From: Paul B Mahol <onemda@gmail.com>
+Date: Sun, 14 Feb 2021 17:20:03 +0100
+Subject: avcodec/pngenc: remove monowhite from apng formats
+
+Monowhite pixel format is not supported, and it does not make sense
+to add support for it.
+
+Fixes #7989
+---
+ libavcodec/pngenc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c
+index efcae8c..eebb164 100644
+--- a/libavcodec/pngenc.c
++++ b/libavcodec/pngenc.c
+@@ -1174,7 +1174,7 @@ AVCodec ff_apng_encoder = {
+         AV_PIX_FMT_PAL8,
+         AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY8A,
+         AV_PIX_FMT_GRAY16BE, AV_PIX_FMT_YA16BE,
+-        AV_PIX_FMT_MONOBLACK, AV_PIX_FMT_NONE
++        AV_PIX_FMT_NONE
+     },
+     .priv_class     = &apngenc_class,
+ };
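Review bot: The Subject and commit message speak of removing "monowhite", but the entry deleted from the ff_apng_encoder pixel format list is AV_PIX_FMT_MONOBLACK, so the description and the change disagree. The patch header also carries no reference to CVE-2020-21041, although debian/changelog attributes that CVE to this patch. Adding a line to the patch header that names the format actually removed and the CVE it addresses would keep the patch self-explanatory once it is separated from the changelog.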
diff -Nru ffmpeg-4.3.2/debian/patches/series ffmpeg-4.3.2/debian/patches/series
--- ffmpeg-4.3.2/debian/patches/series	2021-02-21 22:19:21.000000000 +0100
+++ ffmpeg-4.3.2/debian/patches/series	2021-06-04 22:34:04.000000000 +0200
@@ -1,3 +1,7 @@
 0001-avcodec-arm-sbcenc-avoid-callee-preserved-vfp-regist.patch
 0002-avcodec-exr-skip-bottom-clearing-loop-when-its-outsi.patch
 0003-Fix-build-on-powerpc-and-ppc64.patch
+0004-avfilter-vf_vmafmotion-Check-dimensions.patch
+0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch
+0006-avformat-movenc-Check-pal_size-before-use.patch
+0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch
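Review bot: None of the four patches added at the end of series carries an Origin field or upstream commit id in its header. Only From, Date, Subject and Fixes lines are present in this debdiff. Recording the upstream commit for each would let later uploads verify that the backports match upstream and drop them cleanly when the next 4.3.x release is imported.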
