From owner-freebsd-multimedia@FreeBSD.ORG Sun Mar 8 21:30:01 2009
Return-Path:
Delivered-To: multimedia@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 399331065693; Sun, 8 Mar 2009 21:30:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 144108FC19; Sun, 8 Mar 2009 21:30:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n28LU0Bp060600; Sun, 8 Mar 2009 21:30:00 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n28LU0BD060599; Sun, 8 Mar 2009 21:30:00 GMT (envelope-from gnats)
Resent-Date: Sun, 8 Mar 2009 21:30:00 GMT
Resent-Message-Id: <200903082130.n28LU0BD060599@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Cc: multimedia@freebsd.org, ahze@freebsd.org
Resent-Reply-To: FreeBSD-gnats-submit@freebsd.org, Eygene Ryabinkin
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A8364106566B for ; Sun, 8 Mar 2009 21:21:03 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 5C1A68FC16 for ; Sun, 8 Mar 2009 21:21:03 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru)
Received: from phoenix.codelabs.ru (ppp85-141-67-181.pppoe.mtu-net.ru [85.141.67.181]) by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256) id 1LgQQc-0008Dm-Rm for FreeBSD-gnats-submit@freebsd.org; Mon, 09 Mar 2009 00:20:59 +0300
Message-Id: <20090308212058.0376DB806B@phoenix.codelabs.ru>
Date: Mon, 9 Mar 2009 00:20:58 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
X-GNATS-Notify: multimedia@freebsd.org, ahze@freebsd.org
Cc:
Subject: ports/132434: [vuxml] [patch] multimedia/ffmpeg: fix TKADV2009-004, user-controlled memory overwrite
X-BeenThere: freebsd-multimedia@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Eygene Ryabinkin
List-Id: Multimedia discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 08 Mar 2009 21:30:02 -0000

>Number: 132434
>Category: ports
>Synopsis: [vuxml] [patch] multimedia/ffmpeg: fix TKADV2009-004, user-controlled memory overwrite
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Mar 08 21:30:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-STABLE amd64
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-STABLE amd64
>Description:
Tobias Klein from TrapKit found that FFmpeg's 4X movie decoder is prone to a user-controlled memory overwrite vulnerability.
>How-To-Repeat:
http://trapkit.de/advisories/TKADV2009-004.txt
>Fix:
The following patch adds an almost-upstream patch for FFmpeg (modulo trivial modifications, since the port uses the snapshot from 2008-07-27). Works fine for my setup when FFmpeg is used as the movie transcoder.

--- fix-tkadv2009-004.diff begins here ---
>From 1d8af9e70b4060787039c00464341aa8e6cc1c5c Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Sun, 8 Mar 2009 23:42:20 +0300
overwrite possibility

Signed-off-by: Eygene Ryabinkin
---
 multimedia/ffmpeg/Makefile | 2 +-
 multimedia/ffmpeg/files/patch-tkadv2009-004 | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletions(-)
 create mode 100644 multimedia/ffmpeg/files/patch-tkadv2009-004
diff --git a/multimedia/ffmpeg/Makefile b/multimedia/ffmpeg/Makefile index 75a5f06..0b6fadb 100644 --- a/multimedia/ffmpeg/Makefile +++ b/multimedia/ffmpeg/Makefile @@ -7,7 +7,7 @@ PORTNAME= ffmpeg DISTVERSION= 2008-07-27 -PORTREVISION= 8 +PORTREVISION= 9 CATEGORIES= multimedia audio ipv6 net MASTER_SITES= ${MASTER_SITE_LOCAL} MASTER_SITE_SUBDIR= ahze diff --git a/multimedia/ffmpeg/files/patch-tkadv2009-004 b/multimedia/ffmpeg/files/patch-tkadv2009-004 new file mode 100644 index 0000000..27e4d5c --- /dev/null +++ b/multimedia/ffmpeg/files/patch-tkadv2009-004 @@ -0,0 +1,22 @@ +Patch for TKADV2009-004, type conversion vulnerability in 4X +movie parser + +Modified version of: http://git.ffmpeg.org/?p=ffmpeg;a=commitdiff;h=72e715fb798f2cb79fd24a6d2eaeafb7c6eeda17#patch1 + +--- libavformat/4xm.c.orig 2008-06-03 20:20:54.000000000 +0400 ++++ libavformat/4xm.c 2009-03-08 23:38:44.000000000 +0300 +@@ -163,10 +163,12 @@ + return AVERROR_INVALIDDATA; + } + current_track = AV_RL32(&header[i + 8]); ++ if((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1){ ++ av_log(s, AV_LOG_ERROR, "current_track too large\n"); ++ return -1; ++ } + if (current_track + 1 > fourxm->track_count) { + fourxm->track_count = current_track + 1; +- if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack)) +- return -1; + fourxm->tracks = av_realloc(fourxm->tracks, + fourxm->track_count * sizeof(AudioTrack)); + if (!fourxm->tracks) { -- 1.6.1.3 --- fix-tkadv2009-004.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- ffmpeg -- attacker-controlled memory overwrite vulnerability in 4X movie parser ffmpeg 2008.07.27_9
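Review bot: in the files/patch-tkadv2009-004 hunk, the new bound check returns a bare -1 while the sibling guard two lines above it returns AVERROR_INVALIDDATA; returning AVERROR_INVALIDDATA here too keeps the error path consistent. The placement, on the other hand, is what fixes the bug and should stay: the removed check only ran inside `if (current_track + 1 > fourxm->track_count)`, so a negative current_track (for which current_track + 1 is at most 0) skipped it entirely and was later used as an index into fourxm->tracks, whereas the new `(unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1` test runs unconditionally, rejects negative values as huge unsigned ones, and its `- 1` leaves room for the subsequent `current_track + 1`.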

Tobias Klein reports:

FFmpeg contains a type conversion vulnerability while parsing malformed 4X movie files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of FFmpeg or an application using the FFmpeg library.

References: CVE-2009-0385, BID 33502, http://trapkit.de/advisories/TKADV2009-004.txt
Dates: discovery 2009-01-28, entry TODAY
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
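To make the type-conversion bug behind TKADV2009-004 concrete, here is an added, self-contained C example (not FFmpeg code and not part of this PR) that models the pre-patch and patched guard side by side on a constructed 4-byte track field; `AudioTrack` and `rl32` are stand-ins for FFmpeg's struct and its AV_RL32 macro.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for FFmpeg's AudioTrack (constructed); only its size matters. */
typedef struct { int adpcm, channels, sample_rate, bits; } AudioTrack;

/* Little-endian 32-bit read, the equivalent of AV_RL32 (constructed). */
static uint32_t rl32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Pre-patch logic: the range check lives inside the table-growth branch.
 * A negative current_track makes current_track + 1 <= track_count, so the
 * branch is skipped, the check never runs, and the caller later indexes
 * fourxm->tracks[current_track] with a negative index. Returns 1 = accepted.
 * (INT_MAX is not exercised here; current_track + 1 would overflow.) */
static int old_guard_accepts(const uint8_t *hdr, int track_count) {
    int current_track = (int)rl32(hdr);
    if (current_track + 1 > track_count) {
        track_count = current_track + 1;
        if ((unsigned)track_count >= UINT_MAX / sizeof(AudioTrack))
            return 0;
    }
    return 1;
}

/* Patched logic: compare as unsigned before any use, so a negative value
 * (huge once cast) is rejected; the "- 1" leaves room for current_track + 1. */
static int new_guard_accepts(const uint8_t *hdr, int track_count) {
    int current_track = (int)rl32(hdr);
    (void)track_count;
    if ((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1)
        return 0;
    return 1;
}

/* Constructed 4-byte track fields: a valid track id, and the bit pattern
 * 0xFFFFFFFF, which the little-endian read turns into current_track == -1. */
static const uint8_t HDR_OK[4]  = { 0x03, 0x00, 0x00, 0x00 };
static const uint8_t HDR_NEG[4] = { 0xff, 0xff, 0xff, 0xff };

int main(void) {
    printf("track 3:  old=%d new=%d\n",
           old_guard_accepts(HDR_OK, 0), new_guard_accepts(HDR_OK, 0));
    printf("track -1: old=%d new=%d\n",
           old_guard_accepts(HDR_NEG, 0), new_guard_accepts(HDR_NEG, 0));
    return 0;
}
```

The old guard accepts the -1 track id (so the later table write goes before the buffer), while the patched guard rejects it and still accepts the valid id.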