[Bug 1436296] [NEW] FFmpeg security fixes March 2015

Launchpad Bug Tracker 1436296 at bugs.launchpad.net
Wed Mar 25 11:44:02 UTC 2015 

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Andreas Cadhalpun (andreas-cadhalpun):

FFmpeg 2.5.5 fixing a number of crashes and other potentially security relevant issues was released.
>From the upstream Changelog:

version 2.5.5:
- vp9: make above buffer pointer 32-byte aligned.
- avcodec/dnxhddec: Check that the frame is interlaced before using cur_field
- avformat/mov: Disallow ".." in dref unless use_absolute_path is set
- avformat/mov: Check for string truncation in mov_open_dref()
- avformat/mov: Use sizeof(filename) instead of a literal number
- eac3dec: fix scaling
- ac3_fixed: fix computation of spx_noise_blend
- ac3_fixed: fix out-of-bound read
- ac3dec_fixed: always use the USE_FIXED=1 variant of the AC3DecodeContext
- avcodec/012v: redesign main loop
- avcodec/012v: Check dimensions more completely
- asfenc: fix leaking asf->index_ptr on error
- avcodec/options_table: remove extradata_size from the AVOptions table
- ffmdec: limit the backward seek to the last resync position
- ffmdec: make sure the time base is valid
- ffmdec: fix infinite loop at EOF
- ffmdec: initialize f_cprv, f_stvi and f_stau
- avformat/rm: limit packet size
- avcodec/webp: validate the distance prefix code
- avcodec/rv10: check size of s->mb_width * s->mb_height
- eamad: check for out of bounds read
- mdec: check for out of bounds read
- arm: Suppress tags about used cpu arch and extensions
- aic: Fix decoding files with odd dimensions
- avcodec/tiff: move bpp check to after "end:"
- mxfdec: Fix the error handling for when strftime fails
- avcodec/opusdec: Fix delayed sample value
- avcodec/opusdec: Clear out pointers per packet
- avcodec/utils: Align YUV411 by as much as the other YUV variants
- vp9: fix segmentation map retention with threading enabled.
- webp: ensure that each transform is only used once
- doc/protocols/tcp: fix units of listen_timeout option value, from microseconds to milliseconds
- fix VP9 packet decoder returning 0 instead of the used data size
- avformat/flvenc: check that the codec_tag fits in the available bits
- avcodec/utils: use correct printf specifier in ff_set_sar
- avutil/imgutils: correctly check for negative SAR components
- swscale/utils: clear formatConvBuffer on allocation
- avformat/bit: only accept the g729 codec and 1 channel
- avformat/bit: check that pkt->size is 10 in write_packet
- avformat/adxdec: check avctx->channels for invalid values
- avformat/adxdec: set avctx->channels in adx_read_header
- Fix buffer_size argument to init_put_bits() in multiple encoders.
- mips/acelp_filters: fix incorrect register constraint
- avcodec/hevc_ps: Sanity checks for some log2_* values
- avcodec/zmbv: Check len before reading in decode_frame()
- avcodec/h264: Only reinit quant tables if a new PPS is allowed
- avcodec/snowdec: Fix ref value check
- swscale/utils: More carefully merge and clear coefficients outside the input
- avcodec/a64multienc: Assert that the Packet size does not grow
- avcodec/a64multienc: simplify frame handling code
- avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop
- avcodec/a64multienc: initialize mc_meta_charset to zero
- avcodec/a64multienc: don't set incorrect packet size
- avcodec/a64multienc: use av_frame_ref instead of copying the frame
- avcodec/x86/mlpdsp_init: Simplify mlp_filter_channel_x86()
- h264: initialize H264Context.avctx in init_thread_copy
- wtvdec: fix integer overflow resulting in errors with large files
- avcodec/gif: fix off by one in column offsetting finding


Since Debian has already the next major upstream version 2.6.1, syncing is probably incompatible with the vivid freeze.
Thus I've created a vivid branch in the git repository on Alioth [1], where I imported 2.5.5.
I'm attaching the debdiff.

I've tested the resulting package using the autopkgtests from 2.6.1-1
and only 2 failures remain of the 4 failures and 7 crashes with 2.5.4.

1: https://anonscm.debian.org/cgit/collab-maint/ffmpeg.git

** Affects: ffmpeg (Ubuntu)
     Importance: Undecided
         Status: New

-- 
FFmpeg security fixes March 2015
https://bugs.launchpad.net/bugs/1436296
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.

More information about the Ubuntu-sponsors mailing list