[Bug 1436296] Re: FFmpeg security fixes March 2015

Iain Lane iain at orangesquash.org.uk
Thu Apr 16 12:28:02 UTC 2015 

Why did you build 2.6.1 instead of 2.5.5 as the bug requests?

I don't think that would require an exception.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1436296

Title:
  FFmpeg security fixes March 2015

Status in ffmpeg package in Ubuntu:
  Confirmed

Bug description:
  FFmpeg 2.5.5 fixing a number of crashes and other potentially security relevant issues was released.
  From the upstream Changelog:

  version 2.5.5:
  - vp9: make above buffer pointer 32-byte aligned.
  - avcodec/dnxhddec: Check that the frame is interlaced before using cur_field
  - avformat/mov: Disallow ".." in dref unless use_absolute_path is set
  - avformat/mov: Check for string truncation in mov_open_dref()
  - avformat/mov: Use sizeof(filename) instead of a literal number
  - eac3dec: fix scaling
  - ac3_fixed: fix computation of spx_noise_blend
  - ac3_fixed: fix out-of-bound read
  - ac3dec_fixed: always use the USE_FIXED=1 variant of the AC3DecodeContext
  - avcodec/012v: redesign main loop
  - avcodec/012v: Check dimensions more completely
  - asfenc: fix leaking asf->index_ptr on error
  - avcodec/options_table: remove extradata_size from the AVOptions table
  - ffmdec: limit the backward seek to the last resync position
  - ffmdec: make sure the time base is valid
  - ffmdec: fix infinite loop at EOF
  - ffmdec: initialize f_cprv, f_stvi and f_stau
  - avformat/rm: limit packet size
  - avcodec/webp: validate the distance prefix code
  - avcodec/rv10: check size of s->mb_width * s->mb_height
  - eamad: check for out of bounds read
  - mdec: check for out of bounds read
  - arm: Suppress tags about used cpu arch and extensions
  - aic: Fix decoding files with odd dimensions
  - avcodec/tiff: move bpp check to after "end:"
  - mxfdec: Fix the error handling for when strftime fails
  - avcodec/opusdec: Fix delayed sample value
  - avcodec/opusdec: Clear out pointers per packet
  - avcodec/utils: Align YUV411 by as much as the other YUV variants
  - vp9: fix segmentation map retention with threading enabled.
  - webp: ensure that each transform is only used once
  - doc/protocols/tcp: fix units of listen_timeout option value, from microseconds to milliseconds
  - fix VP9 packet decoder returning 0 instead of the used data size
  - avformat/flvenc: check that the codec_tag fits in the available bits
  - avcodec/utils: use correct printf specifier in ff_set_sar
  - avutil/imgutils: correctly check for negative SAR components
  - swscale/utils: clear formatConvBuffer on allocation
  - avformat/bit: only accept the g729 codec and 1 channel
  - avformat/bit: check that pkt->size is 10 in write_packet
  - avformat/adxdec: check avctx->channels for invalid values
  - avformat/adxdec: set avctx->channels in adx_read_header
  - Fix buffer_size argument to init_put_bits() in multiple encoders.
  - mips/acelp_filters: fix incorrect register constraint
  - avcodec/hevc_ps: Sanity checks for some log2_* values
  - avcodec/zmbv: Check len before reading in decode_frame()
  - avcodec/h264: Only reinit quant tables if a new PPS is allowed
  - avcodec/snowdec: Fix ref value check
  - swscale/utils: More carefully merge and clear coefficients outside the input
  - avcodec/a64multienc: Assert that the Packet size does not grow
  - avcodec/a64multienc: simplify frame handling code
  - avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop
  - avcodec/a64multienc: initialize mc_meta_charset to zero
  - avcodec/a64multienc: don't set incorrect packet size
  - avcodec/a64multienc: use av_frame_ref instead of copying the frame
  - avcodec/x86/mlpdsp_init: Simplify mlp_filter_channel_x86()
  - h264: initialize H264Context.avctx in init_thread_copy
  - wtvdec: fix integer overflow resulting in errors with large files
  - avcodec/gif: fix off by one in column offsetting finding

  
  Since Debian has already the next major upstream version 2.6.1, syncing is probably incompatible with the vivid freeze.
  Thus I've created a vivid branch in the git repository on Alioth [1], where I imported 2.5.5.
  I'm attaching the debdiff.

  I've tested the resulting package using the autopkgtests from 2.6.1-1
  and only 2 failures remain of the 4 failures and 7 crashes with 2.5.4.

  1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1436296/+subscriptions

More information about the Ubuntu-sponsors mailing list