
Re: CVE-2011-2160, CVE-2011-2161 and CVE-2011-2162



On Fr, Jul 29, 2011 at 12:16:13 (CEST), Moritz Mühlenhoff wrote:

> On Mon, Jun 27, 2011 at 03:58:28PM +0200, Laurent Bonnaud wrote:
>> Hi,
>> 
>> I am looking at those 3 security issues:
>> 
>>   http://security-tracker.debian.org/tracker/CVE-2011-2160
>>   http://security-tracker.debian.org/tracker/CVE-2011-2161
>>   http://security-tracker.debian.org/tracker/CVE-2011-2162
>> 
>> that are marked as not fixed in Debian.  However, when reading bug
>> #628448, Reinhard Tartler, maintainer of the package, says those bugs
>> are fixed in sid:
>> 
>> > With this research, I couldn't find any issue that was not already fixed
>> > in a point release or another, so unstable is fixed TTBOMK.
>> 
>> and therefore in wheezy.  So could someone please update the pages in
>> the Debian security tracker ?
>
> Which version of ffmpeg fixed it?

Currently, the security tracker lists the following issues for libav:

CVE-2010-3908

allows remote attackers to cause a denial of service (memory corruption
and application crash) or possibly execute arbitrary code via a
malformed WMV file.

Fixed in 0.5.4

CVE-2011-0722

Real Media decoder bug, fixed in 0.5.4

CVE-2011-0723

VC-1 decoder bug, fixed in 0.5.4

CVE-2011-1196

oggdec, heap corruption bug.

Fixed in 0.7.1, but the patch does not apply to 0.5, and I failed to reproduce. If
someone can, please get in touch with me.

CVE-2011-1198

ffmpeg-mt specific bug with mp4 files, Unreproducible with libav:
http://thread.gmane.org/gmane.comp.video.libav.devel/8507

CVE-2011-2160

extremely vague, no useful references given

CVE-2011-2161

APE decoder bug, fixed in 0.5.4

CVE-2011-2162

description on mitre is way too vague, the referenced Mandriva source
package does not contain any relevant patch to this issue.


All issues above are fixed in the 0.6 and 0.7 based packages in debian
unstable and experimental.

I have uploaded 0.5.4-1 to stable-security on March 6, with the
following changelog entry:

ffmpeg (4:0.5.4-1) stable-security; urgency=low

  * New upstream release. New releases fixes:
    - Fix memory corruption in WMV parsing
      (addresses CVE-2010-3908, LP: #690169)
    - Fix heap corruption crashes (addresses CVE-2011-0722)
    - Fix crashes in Vorbis decoding found by zzuf (addresses CVE-2010-4704,
      Closes: #611495)
    - Fix another crash in Vorbis decoding (addresses CVE-2011-0480,
      Chrome issue 68115)
    - Fix invalid reads in VC-1 decoding (related to CVE-2011-0723)
    - Do not attempt to decode APE file with no frames (fixes DoS)
  * drop fix-CVE-2010-3429.patch, applied upstream
  
 -- Reinhard Tartler <siretart@tauware.de>  Sun, 06 Mar 2011 18:02:34 +0100

Can someone from the security team please check what's the problem with
the upload?


-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

