Debian Bug report logs - #610550
[CVE-2011-0480] memory corruptions in the ffmpeg Vorbis codec

Package: ffmpeg; Maintainer for ffmpeg is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>; Source for ffmpeg is src:ffmpeg.

Reported by: Luciano Bello <luciano@debian.org>

Date: Wed, 19 Jan 2011 19:57:01 UTC

Severity: important

Tags: patch, security

Done: Reinhard Tartler <siretart@tauware.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#610550; Package ffmpeg. (Wed, 19 Jan 2011 19:57:04 GMT)


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 19 Jan 2011 19:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: [CVE-2011-0480] memory corruptions in the ffmpeg Vorbis codec
Date: Wed, 19 Jan 2011 16:48:35 -0300
Package: ffmpeg
Severity: important
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ffmpeg.

CVE-2011-0480[0]:
| Multiple buffer overflows in the Vorbis decoder in Google Chrome
| before 8.0.552.237 and Chrome OS before 8.0.552.344 allow remote
| attackers to cause a denial of service or possibly have unspecified
| other impact via unknown vectors.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

In upstream the report is [1]. The proposed patch is [2].

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0480
    http://security-tracker.debian.org/tracker/CVE-2011-0480

[1] http://roundup.ffmpeg.org/issue2548

[2] http://git.ffmpeg.org/?p=ffmpeg.git;a=blobdiff;f=libavcodec/vorbis_dec.c;h=c2bde812efca51ef09ed893a8a03f9bc0df2aa26;hp=749e9a939681cec052a63f3540f5a690af989cfd;hb=13184036a6b1b1d4b61c91118c0896e9ad4634c3;hpb=03ec42aa1ce738761130335e6e6f5ef5d0d1eadf




Added tag(s) unreproducible. Request was from Reinhard Tartler <siretart@tauware.de> to control@bugs.debian.org. (Sat, 22 Jan 2011 22:30:13 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#610550; Package ffmpeg. (Sat, 22 Jan 2011 23:06:03 GMT)


Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 22 Jan 2011 23:06:03 GMT)


Message #12 received at 610550@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: Luciano Bello <luciano@debian.org>
Cc: 610550@bugs.debian.org
Subject: Re: Bug#610550: [CVE-2011-0480] memory corruptions in the ffmpeg Vorbis codec
Date: Sat, 22 Jan 2011 23:28:21 +0100
tags 610550 unreproducible
stop

Hi,

On Wed, Jan 19, 2011 at 20:48:35 (CET), Luciano Bello wrote:

> Package: ffmpeg
> Severity: important
> Tags: security patch
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for ffmpeg.
>
> CVE-2011-0480[0]:
> | Multiple buffer overflows in the Vorbis decoder in Google Chrome
> | before 8.0.552.237 and Chrome OS before 8.0.552.344 allow remote
> | attackers to cause a denial of service or possibly have unspecified
> | other impact via unknown vectors.


The report is against Chrome and Chrome OS. I've failed to reproduce the
reported crashes with debian's version of ffmpeg; I get error messages
about corrupted vorbis headers, but no crash. Can you please provide a
testcase that applies to the debian copy of ffmpeg?

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#610550; Package ffmpeg. (Tue, 25 Jan 2011 02:03:06 GMT)


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 25 Jan 2011 02:03:06 GMT)


Message #17 received at 610550@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: 610550@bugs.debian.org
Subject: Re: Bug#610550: [CVE-2011-0480] memory corruptions in the ffmpeg Vorbis codec
Date: Mon, 24 Jan 2011 22:50:23 -0300
test case out.webm.139771.2965 :
''''''''''''''''''''''''''''''''
luciano@mybox:/tmp$ ffmpeg -i out.webm.139771.2965 -f null -
FFmpeg version SVN-r25838, Copyright (c) 2000-2010 the FFmpeg developers
  built on Nov 29 2010 15:39:30 with gcc 4.4.5
  configuration: --enable-libdc1394 --prefix=/usr --extra-cflags='-Wall -g ' --
cc='ccache cc' --enable-shared --enable-libmp3lame --enable-gpl --enable-
libvorbis --enable-pthreads --enable-libfaac --enable-libxvid --enable-postproc 
--enable-x11grab --enable-libgsm --enable-libtheora --enable-libopencore-amrnb 
--enable-libopencore-amrwb --enable-libx264 --enable-libspeex --enable-nonfree 
--disable-stripping --enable-avfilter --enable-libdirac --disable-
decoder=libdirac --enable-libschroedinger --disable-encoder=libschroedinger --
enable-version3 --enable-libopenjpeg --enable-libvpx --enable-librtmp --extra-
libs=-lgcrypt --disable-altivec --disable-armv5te --disable-armv6 --disable-vis
  libavutil     50.33. 0 / 50.33. 0
  libavcore      0.14. 0 /  0.14. 0
  libavcodec    52.97. 2 / 52.97. 2
  libavformat   52.87. 1 / 52.87. 1
  libavdevice   52. 2. 2 / 52. 2. 2
  libavfilter    1.65. 0 /  1.65. 0
  libswscale     0.12. 0 /  0.12. 0
  libpostproc   51. 2. 0 / 51. 2. 0
[matroska,webm @ 0x22b97a0] Invalid track number 2050
[matroska,webm @ 0x22b97a0] Invalid stream 2050 or size 18378                                                                               
[matroska,webm @ 0x22b97a0] Estimating duration from bitrate, this may be 
inaccurate
Input #0, matroska,webm, from 'out.webm.139771.2965':                                                                                       
  Duration: 00:00:01.17, start: 0.000000, bitrate: N/A
    Stream #0.0: Audio: vorbis, 44100 Hz, stereo, s16
    Stream #0.1: Video: vp8, yuv420p, 200x600, PAR 1:1 DAR 1:3, 25 fps, 25 tbr, 
1k tbn, 25 tbc
[buffer @ 0x234fc00] w:200 h:600 pixfmt:yuv420p
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf52.87.1
    Stream #0.0: Video: rawvideo, yuv420p, 200x600 [PAR 1:1 DAR 1:3], q=2-31, 
200 kb/s, 90k tbn, 25 tbc
    Stream #0.1: Audio: pcm_s16le, 44100 Hz, stereo, s16, 1411 kb/s
Stream mapping:
  Stream #0.1 -> #0.0
  Stream #0.0 -> #0.1
Press [q] to stop encoding
[vp8 @ 0x22c0560] Invalid start code 0xde019d
Error while decoding stream #0.1                                                                                                            
[vp8 @ 0x22c0560] Discarding interframe without a prior keyframe!
Error while decoding stream #0.1                                                                                                            
Error while decoding stream #0.1s
Segmentation fault


test case out.webm.68798.1929:
''''''''''''''''''''''''''''''
luciano@mybox:/tmp$ ffmpeg -i out.webm.68798.1929 -f null -
out.webm.139771.2965  out.webm.68798.1929   
luciano@mybox:/tmp$ ffmpeg -i out.webm.139771.2965 -f null -
FFmpeg version SVN-r25838, Copyright (c) 2000-2010 the FFmpeg developers
  built on Nov 29 2010 15:39:30 with gcc 4.4.5
  configuration: --enable-libdc1394 --prefix=/usr --extra-cflags='-Wall -g ' --
cc='ccache cc' --enable-shared --enable-libmp3lame --enable-gpl --enable-
libvorbis --enable-pthreads --enable-libfaac --enable-libxvid --enable-postproc 
--enable-x11grab --enable-libgsm --enable-libtheora --enable-libopencore-amrnb 
--enable-libopencore-amrwb --enable-libx264 --enable-libspeex --enable-nonfree 
--disable-stripping --enable-avfilter --enable-libdirac --disable-
decoder=libdirac --enable-libschroedinger --disable-encoder=libschroedinger --
enable-version3 --enable-libopenjpeg --enable-libvpx --enable-librtmp --extra-
libs=-lgcrypt --disable-altivec --disable-armv5te --disable-armv6 --disable-vis
  libavutil     50.33. 0 / 50.33. 0
  libavcore      0.14. 0 /  0.14. 0
  libavcodec    52.97. 2 / 52.97. 2
  libavformat   52.87. 1 / 52.87. 1
  libavdevice   52. 2. 2 / 52. 2. 2
  libavfilter    1.65. 0 /  1.65. 0
  libswscale     0.12. 0 /  0.12. 0
  libpostproc   51. 2. 0 / 51. 2. 0
[matroska,webm @ 0x22b97a0] Invalid track number 2050
[matroska,webm @ 0x22b97a0] Invalid stream 2050 or size 18378                                                                               
[matroska,webm @ 0x22b97a0] Estimating duration from bitrate, this may be 
inaccurate
Input #0, matroska,webm, from 'out.webm.139771.2965':                                                                                       
  Duration: 00:00:01.17, start: 0.000000, bitrate: N/A
    Stream #0.0: Audio: vorbis, 44100 Hz, stereo, s16
    Stream #0.1: Video: vp8, yuv420p, 200x600, PAR 1:1 DAR 1:3, 25 fps, 25 tbr, 
1k tbn, 25 tbc
[buffer @ 0x234fc00] w:200 h:600 pixfmt:yuv420p
Output #0, null, to 'pipe:':
  Metadata:
    encoder         : Lavf52.87.1
    Stream #0.0: Video: rawvideo, yuv420p, 200x600 [PAR 1:1 DAR 1:3], q=2-31, 
200 kb/s, 90k tbn, 25 tbc
    Stream #0.1: Audio: pcm_s16le, 44100 Hz, stereo, s16, 1411 kb/s
Stream mapping:
  Stream #0.1 -> #0.0
  Stream #0.0 -> #0.1
Press [q] to stop encoding
[vp8 @ 0x22c0560] Invalid start code 0xde019d
Error while decoding stream #0.1                                                                                                            
[vp8 @ 0x22c0560] Discarding interframe without a prior keyframe!
Error while decoding stream #0.1                                                                                                            
Error while decoding stream #0.1s
Segmentation fault

[out.webm.68798.1929 (video/webm, attachment)]
[out.webm.139771.2965 (video/webm, attachment)]
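The report above runs each testcase by hand as `ffmpeg -i FILE -f null -` and reads the verdict off the terminal; the maintainer's earlier reply shows why that is error-prone, since a corrupt file can produce only decoder error messages and no crash. The following is an added example, not code from this bug log, from Debian or from ffmpeg: a POSIX sh triage harness that runs the same command once per testcase under a time limit and classifies the shell exit status, so a process killed by SIGSEGV (status 128+11 = 139) is told apart from ffmpeg refusing the input with a non-zero exit. The `FFMPEG` path, the `LIMIT` value and the `triage.sh` file name are assumptions; the testcase names in the usage line are the attachments from the message above.

```shell
#!/bin/sh
# Added triage harness (not from the bug log or from ffmpeg). Runs the
# reproduction command from the report, `ffmpeg -i FILE -f null -`, once per
# testcase and turns the exit status into a verdict, so a real crash is told
# apart from ffmpeg merely rejecting a corrupt file.
# Assumptions: FFMPEG is the binary under test, LIMIT is seconds per file.

FFMPEG="${FFMPEG:-ffmpeg}"
LIMIT="${LIMIT:-30}"

# classify_status: map a shell exit status to a verdict string.
#   0        ok: decoded to the end
#   124      timeout: coreutils `timeout` convention (possible hang)
#   >128     killed by signal 128+N; 139 = SIGSEGV, 134 = SIGABRT (e.g. glibc
#            heap checks), 136 = SIGFPE
#   other    error: demuxer/decoder refused the input without crashing
classify_status() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "timeout" ;;
        134) echo "crash:SIGABRT" ;;
        136) echo "crash:SIGFPE" ;;
        139) echo "crash:SIGSEGV" ;;
        *)
            if [ "$1" -gt 128 ]; then
                echo "crash:signal$(( $1 - 128 ))"
            else
                echo "error:exit$1"
            fi
            ;;
    esac
}

# run_case CMD...: run CMD with stdin closed and output discarded, under
# `timeout` when available, and print its verdict. The `&& st=0 || st=$?`
# form keeps the script alive under `set -e` when CMD fails or is killed.
run_case() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$LIMIT" "$@" </dev/null >/dev/null 2>&1 && st=0 || st=$?
    else
        "$@" </dev/null >/dev/null 2>&1 && st=0 || st=$?
    fi
    classify_status "$st"
}

# decode_case FILE: the exact command used in the report, against one testcase.
decode_case() {
    run_case "$FFMPEG" -i "$1" -f null -
}

# triage FILE...: one tab-separated line per testcase, preceded by the ffmpeg
# version banner so the record states which build was tested (the thread
# turned on exactly that question).
triage() {
    "$FFMPEG" -version 2>/dev/null | head -n 1
    for f in "$@"; do
        printf '%s\t%s\n' "$(decode_case "$f")" "$f"
    done
}

# Usage: FFMPEG=/usr/bin/ffmpeg sh triage.sh out.webm.139771.2965 out.webm.68798.1929
if [ $# -gt 0 ]; then
    triage "$@"
fi
```

A `crash:*` verdict only says the process died; it does not say which codec faulted. The log above shows vp8 errors immediately before the segmentation fault in a WebM file that muxes Vorbis and VP8, so attributing the crash to the Vorbis decoder still needs a backtrace from a debug build. Printing the version banner matters for the same reason the thread ended: the submitter's log is from SVN-r25838, while the maintainers point out that 0.5.2 in unstable had no WebM support at all.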

Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#610550; Package ffmpeg. (Tue, 01 Feb 2011 02:18:06 GMT)


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 01 Feb 2011 02:18:06 GMT)


Message #22 received at 610550@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: control <control@bugs.debian.org>, 610550@bugs.debian.org, 610550-submitter@bugs.debian.org
Subject: re: [CVE-2011-0480] memory corruptions in the ffmpeg Vorbis codec
Date: Mon, 31 Jan 2011 21:15:33 -0500
notfound 610550 4:0.5.2-6
tag 610550 -unreproducible
thanks

It looks like you're using a newer svn version of ffmpeg.  At least
0.5.2 in unstable doesn't yet support webm, so it isn't affected.  I
haven't checked 0.6.1 in experimental.

best wishes,
mike




Removed tag(s) unreproducible. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Tue, 01 Feb 2011 02:18:08 GMT)


Message sent on to Luciano Bello <luciano@debian.org>:
Bug#610550. (Tue, 01 Feb 2011 02:18:10 GMT)


Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility. (Tue, 01 Feb 2011 06:45:03 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Tue, 01 Feb 2011 06:45:03 GMT)


Message #32 received at 610550-done@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: Michael Gilbert <michael.s.gilbert@gmail.com>
Cc: 610550-submitter@bugs.debian.org, 610550-done@bugs.debian.org
Subject: Re: Bug#610550: [CVE-2011-0480] memory corruptions in the ffmpeg Vorbis codec
Date: Tue, 01 Feb 2011 07:40:58 +0100
On Tue, Feb 01, 2011 at 03:15:33 (CET), Michael Gilbert wrote:

> notfound 610550 4:0.5.2-6
> tag 610550 -unreproducible
> thanks
>
> it looks like you're using a newer svn version of ffmpeg.  at least
> 0.5.2 in unstable doesn't yet support webm, so it isn't affected.  i
> haven't checked 0.6.1 in experimental.

I did and it doesn't crash for me.

With this rationale, I'm closing this bug for now, but by all means,
please reopen it as soon as you have a testcase for me.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4




Message sent on to Luciano Bello <luciano@debian.org>:
Bug#610550. (Tue, 01 Feb 2011 06:45:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 01 Mar 2011 07:33:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 01:53:40 2025; Machine Name: buxtehude
