Your message dated Tue, 20 Jan 2009 00:53:33 +0100
with message-id <[email protected]>
and subject line Re: ffmpeg-debian: vulnerable to denial-of-service attack
(CVE-2008-3230)
has caused the Debian Bug report #498764,
regarding ffmpeg-debian: vulnerable to denial-of-service attack (CVE-2008-3230)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
498764: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498764
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ffmpeg-debian
Version: 0.svn20080206-12
Severity: grave
Tags: security
Justification: user security hole
according to the debian security tracker [1], ffmpeg is known to be
vulnerable to a denial-of-service attack [2]. the description of the
CVE is

  The ffmpeg lavf demuxer allows user-assisted attackers to cause a denial
  of service (application crash) via a crafted GIF file, possibly related
  to gstreamer, as demonstrated by lol-giftopnm.gif.

i'm reporting this here to make you aware of the issue, and so the issue
can be tracked as release-critical for etch. this affects stable, testing,
and unstable.

thanks for the hard work.

[1] http://security-tracker.debian.net/tracker/CVE-2008-3230
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3230

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-etchnhalf.1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
--- Begin Message ---
Version: 3:0.svn20090110-1
Michael Gilbert <[email protected]> writes:
>
> according to the debian security tracker [1], ffmpeg is known to be
> vulnerable to a denial-of-service attack [2]. the description of the
> CVE is
>
> The ffmpeg lavf demuxer allows user-assisted attackers to cause a denial
> of service (application crash) via a crafted GIF file, possibly related
> to gstreamer, as demonstrated by lol-giftopnm.gif.
according to https://roundup.mplayerhq.hu/roundup/ffmpeg/issue530, this
was fixed by removing the gif demuxer and this patch:
>> svn log -c 14214
------------------------------------------------------------------------
r14214 | reimar | 2008-07-13 22:03:57 +0200 (So, 13. Jul 2008) | 2 lines
check that csize in ff_lzw_decode_init is < LZW_MAXBITS, <= is not enough and
might read outside the prefix array
------------------------------------------------------------------------
Index: libavcodec/lzw.c
===================================================================
--- libavcodec/lzw.c (Revision 14213)
+++ libavcodec/lzw.c (Revision 14214)
@@ -131,7 +131,7 @@
{
struct LZWState *s = (struct LZWState *)p;
- if(csize < 1 || csize > LZW_MAXBITS)
+ if(csize < 1 || csize >= LZW_MAXBITS)
return -1;
/* read buffer */
s->pbuf = buf;
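
Review bot: the tightened bound at "if(csize < 1 || csize >= LZW_MAXBITS)" has no comment explaining why a csize equal to LZW_MAXBITS must be rejected. The log message says that value might read outside the prefix array, so a one-line comment at the check tying the limit to that array's size would keep a later cleanup from relaxing it back to ">". The rejection is signalled only by "return -1", so it is worth confirming in the same change that every caller of ff_lzw_decode_init tests the return value before decoding.
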
experimental is new enough, lenny and etch probably need to be patched.

additionally to this patch, in etch and lenny, the gif demuxer can be
(probably) disabled by in the file libavformat/allformats.c. I've pushed
the patch here:

http://git.debian.org/?p=pkg-multimedia/ffmpeg-debian.git;a=blob;f=debian/patches/050_CVE-2008-3230.patch;h=bc7b80f54a128cea26f59e7c22ae3f68369a596d;hb=a7ad29bf1c56dcb07b81fdddf95005ab0dcdda88

probably it applies to etch as well.

does this patch warrant a quick upload?
do we have other changes for lenny pending?

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
--- End Message ---