Bug 635775 (CVE-2010-3429)

Summary: CVE-2010-3429 ffmpeg: arbitrary offset dereference vulnerability in flic video codec (oCERT-2010-004)
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: rh-bugzilla, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-10-16 22:21:06 UTC
Bug Depends On: 638265
Attachments: patch from upstream to correct the issue (flags: none)

Description Vincent Danen 2010-09-20 17:01:12 UTC
oCERT reported a vulnerability that affects the flic video codec support in ffmpeg.  Quoting:

"The MPlayer package [1] is vulnerable to an arbitrary offset dereference
vulnerability, which could be exploited by a malicious remote attacker. The
vulnerability is caused by MPlayer's flic codec (flicvideo.c) on 8 bits
per pixel videos because the codec does not check received values. This could
be exploited by jumping to arbitrary code by opening a specially crafted file."

They were particularly concerned about the ffmpeg inclusion in mplayer.  The affected file (flicvideo.c) is also present in libextractor as provided by Fedora 12.  It looks as though the only thing using libextractor in Fedora is doodle (local search program, like Spotlight).  This would mean a user would have to download a specially crafted file and store it locally, and be using doodle to index files.  I don't know whether or not doodle would be problematic here, i.e. if it's just reading metadata it might not cause any problems at all.

Later versions of libextractor have removed the embedded ffmpeg sources.
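The unchecked-offset pattern the advisory describes, and the bounds check a corrected decoder needs before every write, as an added illustration that is not code from ffmpeg, libextractor or the linked patch (the record layout, the Frame type and the function names are constructed for the example):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed frame buffer: pixels plus its byte length (the "pixel limit"). */
typedef struct {
    uint8_t *pixels;
    size_t   size;
} Frame;

/* Every write of n bytes at pixel_ptr must stay inside the frame.  The
 * subtraction form avoids the overflow a naive pixel_ptr + n > size would have. */
static int check_pixel_ptr(const Frame *f, size_t pixel_ptr, size_t n)
{
    return (pixel_ptr <= f->size && n <= f->size - pixel_ptr) ? 0 : -1;
}

/* Decode a constructed 8bpp chunk made of [skip][count][count pixel bytes]
 * records.  skip and count come straight from the file, so both are validated
 * against the frame and the remaining input before they move pixel_ptr or
 * drive a copy.  Returns 0 on success, -1 on malformed input. */
int decode_lines(Frame *f, const uint8_t *data, size_t len)
{
    size_t pixel_ptr = 0, i = 0;
    while (i < len) {
        if (len - i < 2) return -1;                           /* truncated record header */
        size_t skip  = data[i++];
        size_t count = data[i++];
        if (check_pixel_ptr(f, pixel_ptr, skip)) return -1;   /* skip lands past the frame */
        pixel_ptr += skip;
        if (count > len - i) return -1;                       /* run longer than the input */
        if (check_pixel_ptr(f, pixel_ptr, count)) return -1;  /* run would write past the frame */
        memcpy(f->pixels + pixel_ptr, data + i, count);
        pixel_ptr += count;
        i += count;
    }
    return 0;
}

/* Exercise the decoder on constructed input; 0 means every case behaved. */
int self_check(void)
{
    uint8_t buf[16] = {0};
    Frame f = { buf, sizeof buf };
    const uint8_t good[]  = { 2, 3, 0xAA, 0xBB, 0xCC };   /* skip 2, copy 3 */
    const uint8_t bad[]   = { 14, 3, 1, 2, 3 };            /* 14 + 3 > 16, rejected */
    const uint8_t trunc[] = { 0, 5, 1 };                   /* claims 5 bytes, has 1 */
    if (decode_lines(&f, good, sizeof good) != 0) return 1;
    if (buf[2] != 0xAA || buf[4] != 0xCC) return 2;
    if (decode_lines(&f, bad, sizeof bad) != -1) return 3;
    if (decode_lines(&f, trunc, sizeof trunc) != -1) return 4;
    return 0;
}
```

Without the two check_pixel_ptr calls, the `bad` record would move the write past the end of the buffer, which is the class of unchecked value the advisory is about.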

Comment 1 Vincent Danen 2010-09-20 17:08:32 UTC
Created attachment 448516 [details]
patch from upstream to correct the issue

Comment 2 Vincent Danen 2010-09-20 17:09:13 UTC
This will be fixed as part of ffmpeg 0.6.1.

Comment 4 Vincent Danen 2010-09-28 15:50:54 UTC
This is now public:

http://www.ocert.org/advisories/ocert-2010-004.html

Neither ffmpeg nor mplayer is shipped in any supported products; however, libextractor in Fedora 12 does contain embedded ffmpeg.  Later versions of libextractor have removed embedded ffmpeg; not sure if it is possible to update libextractor in Fedora 12 to the version in Fedora 13; if not, it should be patched to correct the flaw.

The patch to correct the flaw is here:

http://git.ffmpeg.org/?p=ffmpeg;a=commitdiff;h=16c592155f117ccd7b86006c45aacc692a81c23b

Comment 5 Vincent Danen 2010-09-28 15:51:31 UTC
Created libextractor tracking bugs for this issue

Affects: fedora-12 [bug 638265]

Comment 6 Enrico Scholz 2010-09-29 08:03:23 UTC
ffmpeg support in libextractor is disabled because the 'mpeg2dec' requirement is not available in Fedora:

| checking whether to enable the FFmpeg thumbnail extractor... no

Comment 7 Vincent Danen 2010-09-29 16:56:55 UTC
(In reply to comment #6)
> ffmpeg support in libextractor is disabled because the 'mpeg2dec' requirement is
> not available in Fedora:
> 
> | checking whether to enable the FFmpeg thumbnail extractor... no

Ok, great, thank you for checking that.  I'll close the Fedora tracker then.