Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 01 Feb 2012 14:56:19 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Requests for FFmpeg 0.9.1

================================================
HEAP buffer overflows (10): (write)
ae21776207e8a2bbe268e7c9e203f7599dd87ddb lavfi: add missing check in
avfilter_filter_samples()
    Simple case of missing check, there wasnt much using the audio
filters so
    this probably is not practically exploitable

5257743aee0c3982f0079e6553aabc6aa39401d2 ws_snd1: Fix wrong samples
count and crash.
    Simple case of amount written and check mismatching

1f99939a6361e2e6d6788494dd7c682b051c6c34 j2kdec: Fix integer overflow
leading to a segfault

http://ffmpeg.org/trac/ffmpeg/ticket/776
    The check missed negative values, j2k is marked as experimental
though so
    depending on the user app this may require the user to enable it.

944f5b2779e4aa63f7624df6cd4de832a53db81b aacsbr: Fix memory corruption.

http://ffmpeg.org/trac/ffmpeg/ticket/760
    v_off becoming negative and writes based on this overwriting various
fields
    of the struct which valgrind didnt detect.

7fff64e00d886fde11d61958888c82b461cf99b9 h264: check chroma_format_idc
range.

http://ffmpeg.org/trac/ffmpeg/ticket/758

608708009f69ba4cecebf05120c696167494c897 adpcm: Fix crash

http://ffmpeg.org/trac/ffmpeg/ticket/794
    Allocation for X channels, write for 2, this adds a X!=2 check

9af6abdc17deb95c9b1f1d9242ba49b8b5e0b016 atrac3: Fix crash in tonal
component decoding.

http://ffmpeg.org/trac/ffmpeg/ticket/780
    Simple case of index becoming bigger than array without checks

6d8e6fe9dbc365f50521cf0c4a5ffee97c970cb5 CODEC_ID_SOL_DPCM: Fix used
write buffer.
    Wrong pointer being used to write after recent audio API change.

3eedf9f716733b3b4c5205726d2c1ca52b3d3d78 j2kdec: Check curtileno for
validity
    Simple missing check for index and array size. j2k is marked as
experimental though so
    depending on the user app this may require the user to enable it.

21270cffaeab2f67a613907516b2b0cd6c9eacf4 h263dec: Fix regression / crash
with lowres.

http://ffmpeg.org/trac/ffmpeg/ticket/757
    memset of the full size in a reduced size buffer, this requires the user
    to enable lowres

================================================
	
HEAP+possible STACK buffer overflow (1): (write)
282bb02839b1ce73963c8e3ee46804f1ade8b12a j2kdec: Fix crash in get_qcx
    Simple missing check for index and array size. j2k is marked as
experimental though so
    depending on the user app this may require the user to enable it.

================================================

Things that didnt fit in above (2):
18bcfc912e48bf77a5202a0e24a3b884b9b2ff2c shorten: Fix invalid free()
    Adding a offset after realloc() but not undoing that before a possible
    2nd realloc()


6fcf2bb8af0e7d6bb179e71e67e5fab8ef0d2ec2 vorbis: Fix last quarter of
CVE-2011-3893
    This fixes a apparently forgoten case in the original patchset from
google
    Ive reproduced this by setting multiplier to the maximal value that
it could
    reach

================================================
So for all the interesting vulns:

HEAP buffer overflows (10): (write)
HEAP+possible STACK buffer overflow (1): (write)
Things that didnt fit in above (4): (just the first two)

that's 15 CVE's, the rest like Steve said do not quality for CVEs.
Steve, ok if I go ahead with these 13?


-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ