
Bug#989570: marked as done (unblock: ffmpeg/7:4.3.2-0+deb11u2)



Your message dated Thu, 10 Jun 2021 10:49:27 +0200
with message-id <CAM8zJQvqhLa1OKHrWQV--1etxFK23se0JbxUztq-Os-z+cHBXw@mail.gmail.com>
and subject line Re: Bug#989570: unblock: ffmpeg/7:4.3.2-0+deb11u2
has caused the Debian Bug report #989570,
regarding unblock: ffmpeg/7:4.3.2-0+deb11u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989570: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989570
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ffmpeg.

[ Reason ]
New CVEs (out-of-band reads caused by malicious files and a buffer
overflow) have been reported for ffmpeg.

[ Impact ]
Some CVEs remain unpatched. If this upload is not unblocked, they will
likely be fixed when pushing the next stable release of the 4.3.x series
via DSA to bullseye.

[ Tests ]
ffmpeg's and the reverse dependencies' autopkgtests have all succeeded.

[ Risks ]
Low as the patches can be reverted in case of regressions.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
ffmpeg is a key package and requires an unblock.

unblock ffmpeg/7:4.3.2-0+deb11u2

Cheers
-- 
Sebastian Ramacher
diff -Nru ffmpeg-4.3.2/debian/changelog ffmpeg-4.3.2/debian/changelog
--- ffmpeg-4.3.2/debian/changelog	2021-02-21 22:19:57.000000000 +0100
+++ ffmpeg-4.3.2/debian/changelog	2021-06-04 22:34:50.000000000 +0200
@@ -1,3 +1,13 @@
+ffmpeg (7:4.3.2-0+deb11u2) unstable; urgency=medium
+
+  * debian/patches: Apply upstream patches for CVEs (Closes: #989439)
+    - avfilter/vf_vmafmotion: Fix out-of-bounds access (CVE-2020-22019, CVE-2020-22033)
+    - avfilter/vf_yadif: Fix out-of-bounds access (CVE-2020-22021)
+    - avformat/movenc: Fix out-of-bounds access (CVE-2020-22015)
+    - avcodec/pngen: Fix buffer overflow (CVE-2020-21041)
+
+ -- Sebastian Ramacher <sramacher@debian.org>  Fri, 04 Jun 2021 22:34:50 +0200
+
 ffmpeg (7:4.3.2-0+deb11u1) unstable; urgency=medium
 
   * New upstream release
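
Review bot: The last bullet of the new entry names the component as
avcodec/pngen; it should read avcodec/pngenc, matching libavcodec/pngenc.c
and the patch file 0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch.
That bullet also attributes a buffer overflow fix for CVE-2020-21041 to a
patch whose own header cites no CVE, so a short cross-reference in the
changelog or in the patch header would help anyone auditing CVE coverage
later.
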
diff -Nru ffmpeg-4.3.2/debian/patches/0004-avfilter-vf_vmafmotion-Check-dimensions.patch ffmpeg-4.3.2/debian/patches/0004-avfilter-vf_vmafmotion-Check-dimensions.patch
--- ffmpeg-4.3.2/debian/patches/0004-avfilter-vf_vmafmotion-Check-dimensions.patch	1970-01-01 01:00:00.000000000 +0100
+++ ffmpeg-4.3.2/debian/patches/0004-avfilter-vf_vmafmotion-Check-dimensions.patch	2021-06-04 22:34:04.000000000 +0200
@@ -0,0 +1,29 @@
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 29 May 2021 09:58:31 +0200
+Subject: avfilter/vf_vmafmotion: Check dimensions
+
+Fixes: out of array access
+Fixes: Ticket8241
+Fixes: Ticket8246
+Fixes: CVE-2020-22019
+Fixes: CVE-2020-22033
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavfilter/vf_vmafmotion.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c
+index 88d0b35..0730147 100644
+--- a/libavfilter/vf_vmafmotion.c
++++ b/libavfilter/vf_vmafmotion.c
+@@ -238,6 +238,9 @@ int ff_vmafmotion_init(VMAFMotionData *s,
+     int i;
+     const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt);
+ 
++    if (w < 3 || h < 3)
++        return AVERROR(EINVAL);
++
+     s->width = w;
+     s->height = h;
+     s->stride = FFALIGN(w * sizeof(uint16_t), 32);
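
Review bot: The new test "if (w < 3 || h < 3)" in ff_vmafmotion_init uses a
bare 3 with no comment saying which access needs at least three rows and
columns; a one-line comment or a named constant would keep the bound tied
to the code it protects. The check sets only a lower bound, so the
FFALIGN(w * sizeof(uint16_t), 32) stride computation just below still
relies on callers for an upper limit on w, and the early
return AVERROR(EINVAL) only helps if every caller checks the return value,
which this hunk does not show.
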
diff -Nru ffmpeg-4.3.2/debian/patches/0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch ffmpeg-4.3.2/debian/patches/0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch
--- ffmpeg-4.3.2/debian/patches/0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch	1970-01-01 01:00:00.000000000 +0100
+++ ffmpeg-4.3.2/debian/patches/0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch	2021-06-04 22:34:04.000000000 +0200
@@ -0,0 +1,78 @@
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 29 May 2021 11:17:35 +0200
+Subject: avfilter/vf_yadif: Fix handing of tiny images
+
+Fixes: out of array access
+Fixes: Ticket8240
+Fixes: CVE-2020-22021
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavfilter/vf_yadif.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c
+index 43dea67..06fd24e 100644
+--- a/libavfilter/vf_yadif.c
++++ b/libavfilter/vf_yadif.c
+@@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1,
+     uint8_t *next2 = parity ? cur  : next;
+ 
+     const int edge = MAX_ALIGN - 1;
++    int offset = FFMAX(w - edge, 3);
+ 
+     /* Only edge pixels need to be processed here.  A constant value of false
+      * for is_not_edge should let the compiler ignore the whole branch. */
+-    FILTER(0, 3, 0)
++    FILTER(0, FFMIN(3, w), 0)
+ 
+-    dst  = (uint8_t*)dst1  + w - edge;
+-    prev = (uint8_t*)prev1 + w - edge;
+-    cur  = (uint8_t*)cur1  + w - edge;
+-    next = (uint8_t*)next1 + w - edge;
++    dst  = (uint8_t*)dst1  + offset;
++    prev = (uint8_t*)prev1 + offset;
++    cur  = (uint8_t*)cur1  + offset;
++    next = (uint8_t*)next1 + offset;
+     prev2 = (uint8_t*)(parity ? prev : cur);
+     next2 = (uint8_t*)(parity ? cur  : next);
+ 
+-    FILTER(w - edge, w - 3, 1)
+-    FILTER(w - 3, w, 0)
++    FILTER(offset, w - 3, 1)
++    offset = FFMAX(offset, w - 3);
++    FILTER(offset, w, 0)
+ }
+ 
+ 
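
Review bot: In filter_edges, for w < 3 the new "int offset = FFMAX(w - edge, 3);"
is larger than w, so dst, prev, cur and next are advanced to column 3, past
the end of the row, before the remaining FILTER calls run. Those calls are
safe only if FILTER(start, end, ...) does nothing when start >= end, which
the hunk does not show; a comment stating that assumption, and why 3 is the
minimum, would make the fix reviewable on its own. The literal 3 now appears
in FFMAX(w - edge, 3), FFMIN(3, w) and w - 3, so a named constant would keep
the three uses in step.
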
+@@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1,
+     uint16_t *next2 = parity ? cur  : next;
+ 
+     const int edge = MAX_ALIGN / 2 - 1;
++    int offset = FFMAX(w - edge, 3);
+ 
+     mrefs /= 2;
+     prefs /= 2;
+ 
+-    FILTER(0, 3, 0)
++    FILTER(0,  FFMIN(3, w), 0)
+ 
+-    dst   = (uint16_t*)dst1  + w - edge;
+-    prev  = (uint16_t*)prev1 + w - edge;
+-    cur   = (uint16_t*)cur1  + w - edge;
+-    next  = (uint16_t*)next1 + w - edge;
++    dst   = (uint16_t*)dst1  + offset;
++    prev  = (uint16_t*)prev1 + offset;
++    cur   = (uint16_t*)cur1  + offset;
++    next  = (uint16_t*)next1 + offset;
+     prev2 = (uint16_t*)(parity ? prev : cur);
+     next2 = (uint16_t*)(parity ? cur  : next);
+ 
+-    FILTER(w - edge, w - 3, 1)
+-    FILTER(w - 3, w, 0)
++    FILTER(offset, w - 3, 1)
++    offset = FFMAX(offset, w - 3);
++    FILTER(offset, w, 0)
+ }
+ 
+ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs)
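
Review bot: The clamp logic in filter_edges_16bit is a line-for-line copy
of the filter_edges change, so any later correction has to be made twice;
sharing the offset computation between the two functions would avoid the
copies drifting apart. "FILTER(0,  FFMIN(3, w), 0)" carries a double space
that the 8-bit version does not. The diffstat lists only
libavfilter/vf_yadif.c, so no regression test for tiny widths comes with
the fix; a test covering both the 8-bit and 16-bit paths at widths below 3
would guard against the out-of-array access returning.
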
diff -Nru ffmpeg-4.3.2/debian/patches/0006-avformat-movenc-Check-pal_size-before-use.patch ffmpeg-4.3.2/debian/patches/0006-avformat-movenc-Check-pal_size-before-use.patch
--- ffmpeg-4.3.2/debian/patches/0006-avformat-movenc-Check-pal_size-before-use.patch	1970-01-01 01:00:00.000000000 +0100
+++ ffmpeg-4.3.2/debian/patches/0006-avformat-movenc-Check-pal_size-before-use.patch	2021-06-04 22:34:04.000000000 +0200
@@ -0,0 +1,34 @@
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 29 May 2021 09:22:27 +0200
+Subject: avformat/movenc: Check pal_size before use
+
+Fixes: assertion failure
+Fixes: out of array read
+Fixes: Ticket8190
+Fixes: CVE-2020-22015
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavformat/movenc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libavformat/movenc.c b/libavformat/movenc.c
+index 5d8dc4f..5c1bb18 100644
+--- a/libavformat/movenc.c
++++ b/libavformat/movenc.c
+@@ -2090,11 +2090,13 @@ static int mov_write_video_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex
+         avio_wb16(pb, 0x18); /* Reserved */
+ 
+     if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) {
+-        int pal_size = 1 << track->par->bits_per_coded_sample;
+-        int i;
++        int pal_size, i;
+         avio_wb16(pb, 0);             /* Color table ID */
+         avio_wb32(pb, 0);             /* Color table seed */
+         avio_wb16(pb, 0x8000);        /* Color table flags */
++        if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8)
++            return AVERROR(EINVAL);
++        pal_size = 1 << track->par->bits_per_coded_sample;
+         avio_wb16(pb, pal_size - 1);  /* Color table size (zero-relative) */
+         for (i = 0; i < pal_size; i++) {
+             uint32_t rgb = track->palette[i];
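
Review bot: The bits_per_coded_sample range check in mov_write_video_tag
sits after the three avio_wb16/avio_wb32 calls that write the color table
ID, seed and flags, so on the new return AVERROR(EINVAL) path those bytes
have already been written to pb. Moving the check ahead of
"avio_wb16(pb, 0); /* Color table ID */" would reject the bad value before
any color table data is emitted. The upper limit of 8 allows pal_size up
to 256; a comment stating that this matches the size of track->palette
would document why 8 is the right bound, since the array's declaration is
not visible here.
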
diff -Nru ffmpeg-4.3.2/debian/patches/0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch ffmpeg-4.3.2/debian/patches/0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch
--- ffmpeg-4.3.2/debian/patches/0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch	1970-01-01 01:00:00.000000000 +0100
+++ ffmpeg-4.3.2/debian/patches/0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch	2021-06-04 22:34:04.000000000 +0200
@@ -0,0 +1,25 @@
+From: Paul B Mahol <onemda@gmail.com>
+Date: Sun, 14 Feb 2021 17:20:03 +0100
+Subject: avcodec/pngenc: remove monowhite from apng formats
+
+Monowhite pixel format is not supported, and it does not make sense
+to add support for it.
+
+Fixes #7989
+---
+ libavcodec/pngenc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c
+index efcae8c..eebb164 100644
+--- a/libavcodec/pngenc.c
++++ b/libavcodec/pngenc.c
+@@ -1174,7 +1174,7 @@ AVCodec ff_apng_encoder = {
+         AV_PIX_FMT_PAL8,
+         AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY8A,
+         AV_PIX_FMT_GRAY16BE, AV_PIX_FMT_YA16BE,
+-        AV_PIX_FMT_MONOBLACK, AV_PIX_FMT_NONE
++        AV_PIX_FMT_NONE
+     },
+     .priv_class     = &apngenc_class,
+ };
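
Review bot: The patch description speaks of the "Monowhite pixel format",
but the line removed from ff_apng_encoder's pixel format list is
AV_PIX_FMT_MONOBLACK; the header should name the format that is actually
dropped, or explain the relation between the two. The header also carries
no CVE reference, while debian/changelog credits this patch with fixing
CVE-2020-21041, so adding that reference to the patch description would
keep the patch self-explanatory.
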
diff -Nru ffmpeg-4.3.2/debian/patches/series ffmpeg-4.3.2/debian/patches/series
--- ffmpeg-4.3.2/debian/patches/series	2021-02-21 22:19:21.000000000 +0100
+++ ffmpeg-4.3.2/debian/patches/series	2021-06-04 22:34:04.000000000 +0200
@@ -1,3 +1,7 @@
 0001-avcodec-arm-sbcenc-avoid-callee-preserved-vfp-regist.patch
 0002-avcodec-exr-skip-bottom-clearing-loop-when-its-outsi.patch
 0003-Fix-build-on-powerpc-and-ppc64.patch
+0004-avfilter-vf_vmafmotion-Check-dimensions.patch
+0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch
+0006-avformat-movenc-Check-pal_size-before-use.patch
+0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
