On Sa, Feb 20, 2010 at 22:02:51 (CET), Michael Gilbert wrote:

> package: ffmpeg
> version: 0.svn20080206-18
> severity: serious
> tags: security
>
> hi, i have just tested the latest ffmpeg update against the original
> proof of concepts [0] reported in bug #550442 [1]. many of them are
> still effective. there is some good news though; i've found that
> upstream has addressed all of the problems in their latest svn version.
> attached are my findings.
>
> reference [2] may be useful to track down the other needed patches; or
> it may be easier to just upgrade to a new svn (however, the patches
> still need to be determined for stable).

Okay, disregarding the dos only crashers, here is my analysis so far:

*** dv/smclockdv.avi.2.0: vulnerable / fixed in upstream svn20100220

unreproducible in 0.5:
smclockdv.avi.2.0: Error while opening file

*** huffyuv/*: all vulnerable / all fixed in upstream svn20100220

http://roundup.ffmpeg.org/issue1237
confirmed in smclockhuffyuv.avi.1.0
fixed by backporting r19322, committed to 0.5

*** ogv

all fixed by backporting these two patches:

First commit:
    Make decode_init fail if the huffman tables are invalid and
    thus init_vlc fails.
    Otherwise this will crash during decoding because the vlc tables are NULL.
    Partially fixes ogv/smclock.ogv.1.101.ogv from issue 1240.

    backport r19355 by reimar

Second commit:
    Add extra validation checks to ff_vorbis_len2vlc.
    They should not be necessary, but it seems like a reasonable precaution.

    r19374 by reimar

**** ogv/smclock.ogv.1.0.ogv: vulnerable / fixed in upstream svn20100220
**** ogv/smclock.ogv.1.842.ogv: vulnerable / fixed in upstream svn20100220
**** ogv/smclock.ogv.1.181.ogv: vulnerable / fixed in upstream svn20100220
**** ogv/smclock.ogv.2.164.ogv: vulnerable / fixed in upstream svn20100220

*** vp62/smclockvp62hsp.avi.3.118: vulnerable / fixed in upstream svn20100220

unreproducible in 0.5:
[avi @ 0x9253a60]Something went wrong during header parsing, I will ignore it and try to continue anyway.
[avi @ 0x9253a60]Could not find codec parameters (Invalid Codec type -1)
vp62/smclockvp62hsp.avi.3.118: could not find codec parameters

*** wmv division by zero errors: fixed in 0.5, backported r19330

*** wmv7/smclockv7.wmv.1.0: vulnerable / fixed in upstream svn20100220
*** wmv8/smclockv8.wmv.1.0: vulnerable / fixed in upstream svn20100220
*** wmv9/smclockv9.wmv.1.0: vulnerable / fixed in upstream svn20100220

I imagine that these revisions apply to the version in lenny as well.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
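
Added example, not part of the original message and not FFmpeg code or the content of r19355/r19374: a toy decoder showing the pattern the first commit message describes, where init must fail when the code-length table is invalid so the decode path never sees a NULL table. All names (`ToyDecoder`, `toy_init_vlc`, `toy_decode_init`, `toy_decode_symbol`), the 8-bit table layout and the validation rule (Kraft sum) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical toy decoder; names and table layout are illustrative, not FFmpeg's. */
typedef struct { uint16_t *table; } ToyDecoder;  /* 256 entries: (symbol << 4) | length */
#define TOY_BITS 8

/* Build the table from code lengths; 0 on success, -1 if they are not a usable prefix code. */
static int toy_init_vlc(ToyDecoder *d, const uint8_t *lens, int n)
{
    uint32_t space = 0, pos = 0;        /* Kraft sum scaled by 2^TOY_BITS */
    d->table = NULL;
    if (n <= 0 || n > 4096) return -1;
    for (int i = 0; i < n; i++) {
        if (lens[i] > TOY_BITS) return -1;                   /* length out of range */
        if (lens[i]) space += 1u << (TOY_BITS - lens[i]);
    }
    if (space == 0 || space > (1u << TOY_BITS)) return -1;   /* empty or over-subscribed */
    d->table = calloc(1u << TOY_BITS, sizeof *d->table);
    if (!d->table) return -1;
    for (int len = 1; len <= TOY_BITS; len++)                /* canonical code order */
        for (int i = 0; i < n; i++)
            if (lens[i] == len)
                for (uint32_t k = 1u << (TOY_BITS - len); k; k--)
                    d->table[pos++] = (uint16_t)((i << 4) | len);
    return 0;
}

/* Unfixed pattern: call toy_init_vlc(), ignore its result, return 0. Here it is propagated. */
static int toy_decode_init(ToyDecoder *d, const uint8_t *lens, int n)
{
    return toy_init_vlc(d, lens, n);
}

/* Decode one symbol from the next 8 bits of input; -1 if no code matches. */
static int toy_decode_symbol(const ToyDecoder *d, uint8_t peek)
{
    if (!d->table) return -1;           /* never index a table that failed to build */
    uint16_t e = d->table[peek];
    return (e & 15) ? (e >> 4) : -1;
}

int main(void)
{
    const uint8_t good[] = {1, 2, 2}, bad[] = {1, 1, 1};     /* constructed inputs */
    ToyDecoder d;
    printf("valid lengths -> %d\n", toy_decode_init(&d, good, 3));
    free(d.table);
    printf("over-subscribed lengths -> %d\n", toy_decode_init(&d, bad, 3));
    return 0;
}
```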