Hello community,

here is the log from the commit of package ffmpeg for openSUSE:Factory checked in at 2018-02-15 13:19:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ffmpeg (Old)
 and      /work/SRC/openSUSE:Factory/.ffmpeg.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ffmpeg" Thu Feb 15 13:19:46 2018 rev:39 rq:575798 version:3.4.2 Changes: -------- --- /work/SRC/openSUSE:Factory/ffmpeg/ffmpeg.changes 2017-12-19 10:45:15.375673983 +0100 +++ /work/SRC/openSUSE:Factory/.ffmpeg.new/ffmpeg.changes 2018-02-15 13:19:55.408137837 +0100 @@ -1,0 +2,14 @@ +Mon Feb 12 11:55:47 UTC 2018 - jeng...@inai.de + +- Update to new bugfix release 3.4.2 + * Fix integer overflows, multiplication overflows, undefined + shifts, and verify buffer lengths. + * avfilter/vf_transpose: Fix used plane count + [boo#1078488, CVE-2018-6392] + * avcodec/utvideodec: Fix bytes left check in decode_frame() + [boo#1079368, CVE-2018-6621] +- Enable use of libzvbi for displaying teletext subtitles. +- Fixed a DoS in swri_audio_convert(), added cve-2017-17555.diff + [boo#1072366, CVE-2017-17555]. + +------------------------------------------------------------------- @@ -5,0 +20,3 @@ + * Fixed the gmc_mmx function which failed to validate width + and height [boo#1070762, CVE-2017-17081] + * Fixed out-of-bounds in VC-2 encoder [boo#1069407, CVE-2017-16840] @@ -54,0 +72,2 @@ +- Fixed a double free in huffyuv [boo#1064577, CVE-2017-15186] +- Fixed an out-of-bounds in ffv1dec [boo#1066428, CVE-2017-15672] Old: ---- ffmpeg-3.4.1.tar.xz ffmpeg-3.4.1.tar.xz.asc New: ---- cve-2017-17555.diff ffmpeg-3.4.2.tar.xz ffmpeg-3.4.2.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ffmpeg.spec ++++++ --- /var/tmp/diff_new_pack.AxdkYx/_old 2018-02-15 13:19:57.368066800 +0100 +++ /var/tmp/diff_new_pack.AxdkYx/_new 2018-02-15 13:19:57.372066655 +0100 @@ -1,7 +1,7 @@ # # spec file for package ffmpeg # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -30,7 +30,7 @@ %bcond_with opencore Name: ffmpeg -Version: 3.4.1 +Version: 3.4.2 Release: 0 Summary: Library for working with various multimedia formats License: LGPL-2.1+ and GPL-2.0+ @@ -47,8 +47,9 @@ Source99: baselibs.conf Patch1: ffmpeg-libcdio_cdda-pkgconfig.patch Patch2: ffmpeg-arm6l.diff -Patch4: ffmpeg-new-coder-errors.diff -Patch5: ffmpeg-codec-choice.diff +Patch3: ffmpeg-new-coder-errors.diff +Patch4: ffmpeg-codec-choice.diff +Patch5: cve-2017-17555.diff BuildRequires: ladspa-devel BuildRequires: libgsm-devel BuildRequires: libmp3lame-devel @@ -92,6 +93,7 @@ BuildRequires: pkgconfig(xext) BuildRequires: pkgconfig(xfixes) BuildRequires: pkgconfig(zlib) +BuildRequires: pkgconfig(zvbi-0.2) %if 0%{?BUILD_ORIG} %if %{with fdk_aac} BuildRequires: pkgconfig(fdk-aac) @@ -390,7 +392,7 @@ %prep %setup -q -%patch -P 1 -P 2 -P 4 -P 5 -p1 +%patch -P 1 -P 2 -P 3 -P 4 -P 5 -p1 %build perl -i -pe 's{__TIME__|__DATE__}{"$&"}g' *.c @@ -430,6 +432,7 @@ --enable-libvorbis \ --enable-libvpx \ --enable-libwebp \ + --enable-libzvbi \ --enable-vaapi \ --enable-vdpau \ %if 0%{?BUILD_ORIG} ++++++ cve-2017-17555.diff ++++++ From: Jan Engelhardt <jeng...@inai.de> Date: 2018-02-12 13:30:29.256158366 +0100 References: https://bugzilla.suse.com/show_bug.cgi?id=1072366 References: CVE-2017-17555 diff --git a/libswresample/audioconvert.c b/libswresample/audioconvert.c index 96ce84ac44..a2dae9c82d 100644 --- a/libswresample/audioconvert.c +++ b/libswresample/audioconvert.c @@ -239,7 +239,7 @@ int swri_audio_convert(AudioConvert *ctx, AudioData *out, AudioData *in, int len const uint8_t *pi= ich < 0 ? ctx->silence : in->ch[ich]; uint8_t *po= out->ch[ch]; uint8_t *end= po + os*len; - if(!po) + if (!pi || !po) continue; ctx->conv_f(po+off*os, pi+off*is, is, os, end); } ++++++ ffmpeg-3.4.1.tar.xz -> ffmpeg-3.4.2.tar.xz ++++++ /work/SRC/openSUSE:Factory/ffmpeg/ffmpeg-3.4.1.tar.xz /work/SRC/openSUSE:Factory/.ffmpeg.new/ffmpeg-3.4.2.tar.xz differ: char 27, line 1
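
Review bot: Renumbering the two existing patches in the Patch tag hunk of ffmpeg.spec (ffmpeg-new-coder-errors.diff from Patch4 to Patch3, ffmpeg-codec-choice.diff from Patch5 to Patch4) is churn unrelated to the security fix, and ffmpeg.changes does not mention it. Patch3 was unused before this change, so cve-2017-17555.diff could take that number and leave the existing tags alone; the %patch line in %prep would then only gain "-P 3". If the renumbering is intended, say so in the changes entry so that anyone diffing the spec against an older revision does not mistake it for dropped or replaced patches.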
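
Review bot: The "--enable-libzvbi" line in the configure hunk of ffmpeg.spec (with the matching "BuildRequires: pkgconfig(zvbi-0.2)" further up) is a feature change riding along in a submission whose changes entry is otherwise a bugfix release plus CVE fixes. It adds a new library dependency and a new input-parsing path (teletext subtitles) to every build of the package. Consider submitting it separately from the 3.4.2 update and the CVE-2017-17555 patch, so the security fixes can be picked up for maintained branches without also pulling in the new dependency.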
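
Review bot: In the libswresample/audioconvert.c hunk of cve-2017-17555.diff, the new "if (!pi || !po) continue;" skips the channel silently when the input pointer is NULL, so ctx->conv_f is never called for it and out->ch[ch] keeps whatever bytes it already held while the loop moves on to the next channel without signalling anything to the caller. That stops the NULL dereference, but a consumer of the output can then read stale or uninitialized samples for that channel. Consider either treating a NULL in->ch[ich] like the existing "ich < 0" case and converting from ctx->silence, or returning an error, and state the chosen behaviour in the patch header. Two smaller points on the same hunk: "uint8_t *end= po + os*len;" is still computed before po is checked, so the check would be cleaner placed ahead of that line; and the header carries only From, Date and References, with no description and no note on whether the change has been sent or accepted upstream.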