Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package ffmpeg.

[ Reason ]
New CVEs (out-of-band reads caused by malicious files and a buffer overflow) have been reported for ffmpeg.

[ Impact ]
Some CVEs remain unpatched. If this upload is not unblocked, they will likely be fixed when pushing the next stable release of the 4.3.x series via DSA to bullseye.

[ Tests ]
ffmpeg's and the reverse dependencies' autopkgtests have all succeeded.

[ Risks ]
Low as the patches can be reverted in case of regressions.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
ffmpeg is a key package and requires an unblock.

unblock ffmpeg/7:4.3.2-0+deb11u2

Cheers
--
Sebastian Ramacher

diff -Nru ffmpeg-4.3.2/debian/changelog ffmpeg-4.3.2/debian/changelog --- ffmpeg-4.3.2/debian/changelog 2021-02-21 22:19:57.000000000 +0100 +++ ffmpeg-4.3.2/debian/changelog 2021-06-04 22:34:50.000000000 +0200 @@ -1,3 +1,13 @@ +ffmpeg (7:4.3.2-0+deb11u2) unstable; urgency=medium + + * debian/patches: Apply upstream patches for CVEs (Closes: #989439) + - avfilter/vf_vmafmotion: Fix out-of-bounds access (CVE-2020-22019, CVE-2020-22033) + - avfilter/vf_yadif: Fix out-of-bounds access (CVE-2020-22021) + - avformat/movenc: Fix out-of-bounds access (CVE-2020-22015) + - avcodec/pngen: Fix buffer overflow (CVE-2020-21041) + + -- Sebastian Ramacher <sramac...@debian.org> Fri, 04 Jun 2021 22:34:50 +0200 + ffmpeg (7:4.3.2-0+deb11u1) unstable; urgency=medium * New upstream release diff -Nru ffmpeg-4.3.2/debian/patches/0004-avfilter-vf_vmafmotion-Check-dimensions.patch ffmpeg-4.3.2/debian/patches/0004-avfilter-vf_vmafmotion-Check-dimensions.patch --- ffmpeg-4.3.2/debian/patches/0004-avfilter-vf_vmafmotion-Check-dimensions.patch 1970-01-01 01:00:00.000000000 +0100 +++ ffmpeg-4.3.2/debian/patches/0004-avfilter-vf_vmafmotion-Check-dimensions.patch 2021-06-04 22:34:04.000000000 +0200 
@@ -0,0 +1,29 @@ +From: Michael Niedermayer <mich...@niedermayer.cc> +Date: Sat, 29 May 2021 09:58:31 +0200 +Subject: avfilter/vf_vmafmotion: Check dimensions + +Fixes: out of array access +Fixes: Ticket8241 +Fixes: Ticket8246 +Fixes: CVE-2020-22019 +Fixes: CVE-2020-22033 + +Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> +--- + libavfilter/vf_vmafmotion.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c +index 88d0b35..0730147 100644 +--- a/libavfilter/vf_vmafmotion.c ++++ b/libavfilter/vf_vmafmotion.c +@@ -238,6 +238,9 @@ int ff_vmafmotion_init(VMAFMotionData *s, + int i; + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt); + ++ if (w < 3 || h < 3) ++ return AVERROR(EINVAL); ++ + s->width = w; + s->height = h; + s->stride = FFALIGN(w * sizeof(uint16_t), 32); diff -Nru ffmpeg-4.3.2/debian/patches/0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch ffmpeg-4.3.2/debian/patches/0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch --- ffmpeg-4.3.2/debian/patches/0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch 1970-01-01 01:00:00.000000000 +0100 +++ ffmpeg-4.3.2/debian/patches/0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch 2021-06-04 22:34:04.000000000 +0200 
@@ -0,0 +1,78 @@ +From: Michael Niedermayer <mich...@niedermayer.cc> +Date: Sat, 29 May 2021 11:17:35 +0200 +Subject: avfilter/vf_yadif: Fix handing of tiny images + +Fixes: out of array access +Fixes: Ticket8240 +Fixes: CVE-2020-22021 + +Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> +--- + libavfilter/vf_yadif.c | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c +index 43dea67..06fd24e 100644 +--- a/libavfilter/vf_yadif.c ++++ b/libavfilter/vf_yadif.c +@@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1, + uint8_t *next2 = parity ? cur : next; + + const int edge = MAX_ALIGN - 1; ++ int offset = FFMAX(w - edge, 3); + + /* Only edge pixels need to be processed here. A constant value of false + * for is_not_edge should let the compiler ignore the whole branch. */ +- FILTER(0, 3, 0) ++ FILTER(0, FFMIN(3, w), 0) + +- dst = (uint8_t*)dst1 + w - edge; +- prev = (uint8_t*)prev1 + w - edge; +- cur = (uint8_t*)cur1 + w - edge; +- next = (uint8_t*)next1 + w - edge; ++ dst = (uint8_t*)dst1 + offset; ++ prev = (uint8_t*)prev1 + offset; ++ cur = (uint8_t*)cur1 + offset; ++ next = (uint8_t*)next1 + offset; + prev2 = (uint8_t*)(parity ? prev : cur); + next2 = (uint8_t*)(parity ? cur : next); + +- FILTER(w - edge, w - 3, 1) +- FILTER(w - 3, w, 0) ++ FILTER(offset, w - 3, 1) ++ offset = FFMAX(offset, w - 3); ++ FILTER(offset, w, 0) + } + + +@@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1, + uint16_t *next2 = parity ? 
cur : next; + + const int edge = MAX_ALIGN / 2 - 1; ++ int offset = FFMAX(w - edge, 3); + + mrefs /= 2; + prefs /= 2; + +- FILTER(0, 3, 0) ++ FILTER(0, FFMIN(3, w), 0) + +- dst = (uint16_t*)dst1 + w - edge; +- prev = (uint16_t*)prev1 + w - edge; +- cur = (uint16_t*)cur1 + w - edge; +- next = (uint16_t*)next1 + w - edge; ++ dst = (uint16_t*)dst1 + offset; ++ prev = (uint16_t*)prev1 + offset; ++ cur = (uint16_t*)cur1 + offset; ++ next = (uint16_t*)next1 + offset; + prev2 = (uint16_t*)(parity ? prev : cur); + next2 = (uint16_t*)(parity ? cur : next); + +- FILTER(w - edge, w - 3, 1) +- FILTER(w - 3, w, 0) ++ FILTER(offset, w - 3, 1) ++ offset = FFMAX(offset, w - 3); ++ FILTER(offset, w, 0) + } + + static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) diff -Nru ffmpeg-4.3.2/debian/patches/0006-avformat-movenc-Check-pal_size-before-use.patch ffmpeg-4.3.2/debian/patches/0006-avformat-movenc-Check-pal_size-before-use.patch --- ffmpeg-4.3.2/debian/patches/0006-avformat-movenc-Check-pal_size-before-use.patch 1970-01-01 01:00:00.000000000 +0100 +++ ffmpeg-4.3.2/debian/patches/0006-avformat-movenc-Check-pal_size-before-use.patch 2021-06-04 22:34:04.000000000 +0200 
@@ -0,0 +1,34 @@ +From: Michael Niedermayer <mich...@niedermayer.cc> +Date: Sat, 29 May 2021 09:22:27 +0200 +Subject: avformat/movenc: Check pal_size before use + +Fixes: assertion failure +Fixes: out of array read +Fixes: Ticket8190 +Fixes: CVE-2020-22015 + +Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> +--- + libavformat/movenc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libavformat/movenc.c b/libavformat/movenc.c +index 5d8dc4f..5c1bb18 100644 +--- a/libavformat/movenc.c ++++ b/libavformat/movenc.c +@@ -2090,11 +2090,13 @@ static int mov_write_video_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex + avio_wb16(pb, 0x18); /* Reserved */ + + if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) { +- int pal_size = 1 << track->par->bits_per_coded_sample; +- int i; ++ int pal_size, i; + avio_wb16(pb, 0); /* Color table ID */ + avio_wb32(pb, 0); /* Color table seed */ + avio_wb16(pb, 0x8000); /* Color table flags */ ++ if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8) ++ return AVERROR(EINVAL); ++ pal_size = 1 << track->par->bits_per_coded_sample; + avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */ + for (i = 0; i < pal_size; i++) { + uint32_t rgb = track->palette[i]; diff -Nru ffmpeg-4.3.2/debian/patches/0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch ffmpeg-4.3.2/debian/patches/0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch --- ffmpeg-4.3.2/debian/patches/0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch 1970-01-01 01:00:00.000000000 +0100 +++ ffmpeg-4.3.2/debian/patches/0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch 2021-06-04 22:34:04.000000000 +0200 
@@ -0,0 +1,25 @@ +From: Paul B Mahol <one...@gmail.com> +Date: Sun, 14 Feb 2021 17:20:03 +0100 +Subject: avcodec/pngenc: remove monowhite from apng formats + +Monowhite pixel format is not supported, and it does not make sense +to add support for it. + +Fixes #7989 +--- + libavcodec/pngenc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c +index efcae8c..eebb164 100644 +--- a/libavcodec/pngenc.c ++++ b/libavcodec/pngenc.c +@@ -1174,7 +1174,7 @@ AVCodec ff_apng_encoder = { + AV_PIX_FMT_PAL8, + AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY8A, + AV_PIX_FMT_GRAY16BE, AV_PIX_FMT_YA16BE, +- AV_PIX_FMT_MONOBLACK, AV_PIX_FMT_NONE ++ AV_PIX_FMT_NONE + }, + .priv_class = &apngenc_class, + }; diff -Nru ffmpeg-4.3.2/debian/patches/series ffmpeg-4.3.2/debian/patches/series --- ffmpeg-4.3.2/debian/patches/series 2021-02-21 22:19:21.000000000 +0100 +++ ffmpeg-4.3.2/debian/patches/series 2021-06-04 22:34:04.000000000 +0200 @@ -1,3 +1,7 @@ 0001-avcodec-arm-sbcenc-avoid-callee-preserved-vfp-regist.patch 0002-avcodec-exr-skip-bottom-clearing-loop-when-its-outsi.patch 0003-Fix-build-on-powerpc-and-ppc64.patch +0004-avfilter-vf_vmafmotion-Check-dimensions.patch +0005-avfilter-vf_yadif-Fix-handing-of-tiny-images.patch +0006-avformat-movenc-Check-pal_size-before-use.patch +0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch
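
Review bot: in the debian/changelog hunk, the last bullet reads "avcodec/pngen", but the patch it refers to is 0007-avcodec-pngenc-remove-monowhite-from-apng-formats.patch, so the component should be spelled "avcodec/pngenc". That bullet is also the only place where CVE-2020-21041 is tied to the change: the header of patch 0007 carries "Fixes #7989" and no CVE line, unlike patches 0004 to 0006, so a line naming the CVE in the 0007 patch header would keep the mapping with the patch itself.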
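
Review bot: in ff_vmafmotion_init (patch 0004), the new check "if (w < 3 || h < 3)" uses the bare constant 3 with no comment, and the commit message only says "Check dimensions". A one-line comment stating why the filter needs at least 3x3 input would let a later reader verify the bound against the code that consumes s->width and s->height. The placement is right: the check runs before any field of s is written.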
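
Review bot: in filter_edges (patch 0005), and identically in filter_edges_16bit, "int offset = FFMAX(w - edge, 3);" yields offset 3 when w is below 3, so dst, prev, cur and next are then set to base + 3, beyond the row's w pixels. Nothing in the hunk shows that FILTER(start, end, ...) does no work when start >= end, which is what FILTER(offset, w - 3, 1) and FILTER(offset, w, 0) depend on for such widths. A comment stating that assumption, or an early return after FILTER(0, FFMIN(3, w), 0) when w <= 3, would make the tiny-image case checkable from this function alone. The subject line also has "handing" where "handling" is meant.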
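
Review bot: in mov_write_video_tag (patch 0006), the range check on track->par->bits_per_coded_sample sits after the three avio_wb16/avio_wb32 calls that write the color table ID, seed and flags, so the EINVAL path returns with part of the color table header already written to pb. Moving the check to the top of the "if (track->mode == MODE_MOV && ...)" block, before the first avio_wb16, avoids that, and an av_log(s, AV_LOG_ERROR, ...) at that point would tell the user which parameter was rejected.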
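
Review bot: in the ff_apng_encoder pixel format list (patch 0007), the line removed is AV_PIX_FMT_MONOBLACK, while the subject and description speak of "monowhite". Either the message or the hunk names the wrong format; the patch description should be annotated to say which one is meant, since the changelog relies on this patch for a buffer overflow fix.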