Hello Security Teams, Michael Gilbert reported in debian bug #550442 that ffmpeg in debian and ubuntu contained "a deluge of crashes". I have backported a bunch of fixes from ffmpeg trunk, which now need review, validation and eventually publishing.
Affected are all distros that ship ffmpeg 0.5; this includes
 - lenny
 - squeeze
 - sid
 - jaunty
 - karmic

Earlier versions of ffmpeg might be affected as well.

Michael Gilbert <michael.s.gilb...@gmail.com> writes:

> On Tue, 13 Oct 2009 19:23:26 +0200, Reinhard Tartler wrote:
>> As for this bug, I'm inclined to close this bug with the upload of
>> [2]. The reason is that this report is way too imprecise. This report
>> currently reads "the package has been found crashers that might
>> compromise the system". Sorry, this is just not helpful. We'd really
>> need at least a list of concrete issues, ideally with reference to the
>> relevant svn commits (so that commit messages can be reviewed) that can
>> be processed and backported.
>
> in an ideal world every security issue would come with a complete
> prescription and regimen to make it all better. however, we do not
> live in such a place. the best we can do is track the issue at hand,
> follow work being done elsewhere, and potentially spend our own
> precious time testing and writing fixes. obviously this is a lot of
> work, but it is the price we pay since there are nefarious people
> about.
>
> i would recommend working with the security team to request cve's on
> oss-sec for specific issues once they are well-defined, and address each
> of them in turn; while keeping this bug open to track the meta-issue
> (potentially downgrading to important so as not to impede transitions).
>
> note that any of these crashers that show signs of memory corruption
> are very much cause for concern (see recent pdf jbig2 decoder issues).
> the others can probably be safely discarded. by "may enable remote
> compromise," i mean via user-assisted (social engineered) attack
> vectors (i.e. downloading and viewing a malicious video file). this
> is a very legitimate concern since most users are very trusting of
> untrustworthy data.

I've worked on the packaging branch for karmic.
The relevant backports that I produced so far can be found here:

http://git.debian.org/?p=pkg-multimedia/ffmpeg.git;a=tree;f=debian/patches/security;hb=ubuntu.karmic

Most of these patches have been proposed by the chromium developers, who collect patches for upstream here:

http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/ffmpeg/patches/to_upstream/

Most of the patches got further polishing by upstream before being applied. In many cases the chromium developers rather fixed symptoms, while upstream prefers real fixes. Anyway, I went through the list of chromium patches and managed to locate most patches in ffmpeg trunk.

Patches that I couldn't find upstream include:
 - 09_mov_stsz_int_oflow.patch
 - 32_mov_stream_index.patch
 - 35_mov_bad_timings.patch
 - 40_ogg_missing_header.patch

They probably need further investigation. Michael, could you please check if and what patches I might have missed?

I'd like to ask you (both security teams) to review my patches so far and decide if and to what security queues they should be uploaded or not.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4