Your message dated Wed, 29 Nov 2023 18:47:19 +0000 with message-id <e1r8pah-0038mz...@fasolo.debian.org> and subject line Bug#1055019: Removed package(s) from unstable has caused the Debian Bug report #881139, regarding ffmpeg2theora: heap buffer overflow while running ffmpeg2theora to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 881139: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881139 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: ffmpeg2theora Version: 0.30-1+b2 Severity: important Tags: security heap buffer overflow running ffmpeg2theora with "poc" option Running 'ffmpeg2theora poc' with the attached file raises null pointer dereference which may allow a remote attacker to cause unspecified impact including denial-of-service attack I expected the program to terminate without segfault, but the program crashes as follow ------------------------------------------- june@yuweol:~/poc/ffmpeg2theora/crash7$ ffmpeg2theora poc [h263 @ 0x5642844b4840] Format h263 detected only with low score of 25, misdetection possible! [h263 @ 0x5642844b5d60] Independent Segment Decoding not supported Input #0, h263, from 'poc': Duration: N/A, bitrate: N/A Stream #0:0: Video: h263, yuv420p, 40x1732 [SAR 1:1 DAR 10:433], 599.40 tbr, 1200k tbn, 599.40 tbc Pixel Aspect Ratio: 1.00/1 Frame Aspect Ratio: 0.02/1 WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track. [h263 @ 0x5642844b5880] Independent Segment Decoding not supported [h263 @ 0x5642844b5880] warning: first frame is no keyframe [h263 @ 0x5642844b5880] illegal ac vlc code at 0x0 [h263 @ 0x5642844b5880] Error at MB: 0 [h263 @ 0x5642844b5880] concealing 327 DC, 327 AC, 327 MV errors in P frame [h263 @ 0x5642844b5880] warning: first frame is no keyframe [h263 @ 0x5642844b5880] illegal ac vlc code at 7x0 [h263 @ 0x5642844b5880] Error at MB: 7 [h263 @ 0x5642844b5880] concealing 396 DC, 396 AC, 396 MV errors in P frame Segmentation fault ------------------------------------------- [h263 @ 0x61b000000080] Format h263 detected only with low score of 25, misdetection possible! [h263 @ 0x619000000580] Independent Segment Decoding not supported Input #0, h263, from '/home/june/poc/ffmpeg2theora/crash7/poc': Duration: N/A, bitrate: N/A Stream #0:0: Video: h263, yuv420p, 40x1732 [SAR 1:1 DAR 10:433], 599.40 tbr, 1200k tbn, 599.40 tbc Pixel Aspect Ratio: 1.00/1 Frame Aspect Ratio: 0.02/1 WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track. [h263 @ 0x619000000080] Independent Segment Decoding not supported [h263 @ 0x619000000080] warning: first frame is no keyframe [h263 @ 0x619000000080] illegal ac vlc code at 0x0 [h263 @ 0x619000000080] Error at MB: 0 [h263 @ 0x619000000080] concealing 327 DC, 327 AC, 327 MV errors in P frame [h263 @ 0x619000000080] warning: first frame is no keyframe [h263 @ 0x619000000080] illegal ac vlc code at 7x0 [h263 @ 0x619000000080] Error at MB: 7 [h263 @ 0x619000000080] concealing 396 DC, 396 AC, 396 MV errors in P frame ================================================================= ==11538==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6330000a7980 at pc 0x7fb5ce7046c2 bp 0x7ffcb5580080 sp 0x7ffcb557f830 READ of size 40 at 0x6330000a7980 thread T0 #0 0x7fb5ce7046c1 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x766c1) #1 0x7fb5ca6d9c8d in image_copy_plane libavutil/imgutils.c:317 #2 0x7fb5ca6d9c8d in image_copy libavutil/imgutils.c:379 #3 0x7fb5ca6d9c8d in av_image_copy libavutil/imgutils.c:398 #4 0x7fb5cb5879ee in av_picture_copy libavcodec/avpicture.c:78 #5 0x55d20da5cbbf in ff2theora_output src/ffmpeg2theora.c:1538 #6 0x55d20da65ad8 in main src/ffmpeg2theora.c:3095 #7 0x7fb5c9e182e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0) #8 0x55d20da4ee79 in _start (/home/june/project/analyze/bins/ffmpeg2theora-0.30/ffmpeg2theora+0x15e79) 0x6330000a7980 is located 337 bytes to the right of 110639-byte region [0x63300008c800,0x6330000a782f) allocated by thread T0 here: #0 0x7fb5ce768758 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xda758) #1 0x7fb5ca6de2b6 in av_malloc libavutil/mem.c:87 SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x766c1) Shadow bytes around the buggy address: 0x0c668000cee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c668000cef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c668000cf00: 00 00 00 00 00 07 fa fa fa fa fa fa fa fa fa fa 0x0c668000cf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c668000cf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c668000cf30:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c668000cf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c668000cf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c668000cf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c668000cf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c668000cf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==11538==ABORTING ------------------------------------------- This bug was found with a fuzzer developed by 'SoftSec' group at KAIST. -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages ffmpeg2theora depends on: ii libavcodec57 7:3.3.4-2+b2 ii libavdevice57 7:3.3.4-2+b2 ii libavfilter6 7:3.3.4-2+b2 ii libavformat57 7:3.3.4-2+b2 ii libavutil55 7:3.3.4-2+b2 ii libc6 2.24-17 ii libkate1 0.4.1-7+b1 ii libogg0 1.3.2-1+b1 ii liboggkate1 0.4.1-7+b1 ii libpostproc54 7:3.3.4-2+b2 ii libswresample2 7:3.3.4-2+b2 ii libswscale4 7:3.3.4-2+b2 ii libtheora0 1.1.1+dfsg.1-14+b1 ii libvorbis0a 1.3.5-4 ii libvorbisenc2 1.3.5-4 ffmpeg2theora recommends no packages. ffmpeg2theora suggests no packages. -- no debconf informationpoc
Description: Binary data
--- End Message ---
--- Begin Message ---Version: 0.30-2+rm Dear submitter, as the package ffmpeg2theora has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly. For details on the removal, please see https://bugs.debian.org/1055019 The version of this package that was in Debian prior to this removal can still be found using https://snapshot.debian.org/. Please note that the changes have been done on the master archive and will not propagate to any mirrors until the next dinstall run at the earliest. This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org. Debian distribution maintenance software pp. Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---