
List:       oss-security
Subject:    Re: [oss-security] new FFMpeg stuff
From:       Jean-Baptiste Kempf <jb () videolan ! org>
Date:       2013-07-25 8:52:35
Message-ID: 20130725085235.GA9457 () videolan ! org

On 25 Jul, Kurt Seifried wrote:
> Can the VLC security team confirm/correct this as needed so we can
> ensure it's correct before I assign CVEs? thanks.

Why should the VLC security team be involved in that?


> On 07/09/2013 08:14 AM, Michael Niedermayer wrote:
> > Hi
> > 
> > On Tue, Jul 09, 2013 at 06:49:34AM +0200, Moritz Muehlenhoff
> > wrote:
> >> Kurt Seifried wrote:
> >> 
> >>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >>> 
> >>> https://bugs.gentoo.org/show_bug.cgi?id=476218
> >>> 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=38229362529ed1619d8ebcc81ecde85b23b45895
> >
> >>> 
> > This should have been fixed by
> > b21ba20cc83c80fe56192fee3626a8087f37d806 in ffmpeg (Apr 22 2012)
> > 
> > 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e30b068ef79f604ff439418da07f7e2efd01d4ea
> >
> >>> 
> > This should have been fixed by
> > 780d45473c32fa356c8ce385c3ea4692567c3228 in ffmpeg (Sep 24 2011)
> > 
> > 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=6765ee7b9cba46818a45b051438b2552f0a1b70a
> >
> >>> 
> > This seems listed as a buffer overflow but as far as I can tell it
> > fixes just a null pointer dereference. If you want to assign CVEs
> > to all null pointer dereferences and out-of-array reads that got
> > fixed then quite a few more CVEs are needed.
> > 
> > Also see: a9456c7c5ca883b5a3947e59a9fba5587e18e119
> > 
> > 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=b36e1893ef3430f039c1eaddeedcbb378f9c4444
> >
> >>> 
> > This was fixed in 4b35ee0b7c0c4cbac3541a25a5e8c00b657c8f95 in
> > ffmpeg (Dec 28 2011)
> > 
> > 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7388c0c58601477db076e2e74e8b11f8a644384a
> >
> >>> 
> > 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=95a57d26d8653d21f0dab1aff3558ee944853dbf
> >
> >>> 
> > This was fixed in c49d94487c6135325930cbc4a8cd96d38ef6653e in
> > ffmpeg (Jun 6 2013). Note, this issue shouldn't affect any ffmpeg
> > releases as the code was added more recently.
> > 
> > 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=b564784a207b1395d2b5a41e580539df04651096
> >
> >>> 
> > Same as above: jpeg2000dec.c wasn't in any releases yet as of today;
> > what was in the releases was j2kdec.c but that was marked as
> > experimental.
> > 
> > 
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=78962d3df49afe5011b572656ecfe940bd5fbf2e
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=cf04af2086be105ff86088357b83d672d38417d9
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=eae63e3c156f784ee0612422f0c95131ea913c14
> >>> http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fd54dd028bc9f7bfb80ebf823a533dc84b73f936
> > 
> > Same as above
> > 
> > 
> > 
> >>> 
> >>> Correct me if I'm wrong but most of these seem to deserve CVEs
> >>> and none have been assigned, correct?
> >>> 
> >>> http://ffmpeg.org/security.html
> >> 
> >> These appear to be new, but I'm not sure how previous CVE IDs
> >> were assigned for ffmpeg/libav. E.g. CVE-2013-0878 seems to be
> >> from a Google CNA, right? (At least CVE-2013-0879 is for Chrome)
> >> 
> >> All these issues (and all the ones in previous rounds) were found
> >> through fuzzing done at Google by Mateusz "j00ru" Jurczyk and
> >> Gynvael Coldwind.
> > 
> > I don't know about the libav side; for the ffmpeg side CVEs were
> > provided by "google" for all serious issues that were found.
> > Which issues were serious could in general only be assessed after
> > the issues were fixed, so values were available only after the
> > fixes were committed.
> > 
> > 
> >> 
> >> It would be very, very welcome if CVE assignments from either
> >> ffmpeg or libav for any such issues would have a reference to the
> >> filename of the fuzzed file triggering the problem.
> >> 
> > 
> >> With the diverging code bases between ffmpeg and libav [1] it
> >> becomes very complicated to properly track down if one of the two
> >> is affected.
> > 
> > Yes, it's a big headache for us as well. Especially for me as I am
> > always merging all improvements and fixes from libav into ffmpeg
> > ...
> > 
> > [...]
> > 
> > Thanks
> > 
> 
> 
> - -- 
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-- 
Best regards,

-- 
Jean-Baptiste Kempf
http://www.jbkempf.com/ - +33 672 704 734
Sent from my Electronic Device