Bug 861223 (CVE-2012-2774)

Summary: CVE-2012-2774 ffmpeg-spice: possible denial of service via memory corruption in mpeg video handling
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: acathrow, bressers, pmatouse, sandmann
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 17:38:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 861224

Description Vincent Danen 2012-09-27 21:06:15 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-2774 to
the following vulnerability:

Name: CVE-2012-2774
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2774
Assigned: 20120519
Reference: http://www.openwall.com/lists/oss-security/2012/08/31/3
Reference: http://www.openwall.com/lists/oss-security/2012/09/02/4
Reference: http://ffmpeg.org/security.html
Reference: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=59a4b73531428d2f420b4dad545172c8483ced0f
Reference: http://www.securityfocus.com/bid/55355
Reference: SECUNIA:50468
Reference: http://secunia.com/advisories/50468

The ff_MPV_frame_start function in libavcodec/mpegvideo.c in FFmpeg
before 0.11 allows remote attackers to cause a denial of service
(memory corruption) via unspecified vectors, related to starting "a
frame outside SETUP state."

NOTE: I'm not sure this actually affects us; I'm not familiar enough with the code to make this call.  While we don't have the ff_MPV_frame_start() function, we do have a (quite similar) MPV_frame_start() function.  The upstream git commit refers to this fix as:

"This fixes race conditions that ultimately lead to memory corruption."

From the look of the patch, it looks like it implements some thread handling, but my impression is that our use of mpeg streaming here is single-threaded in that encoder.  In light of that, I don't believe this is a flaw for ffmpeg-spice due to how it is used, but it should be checked by a developer familiar with the code.

Comment 2 Josh Bressers 2014-06-13 17:38:02 UTC
According to the comments above, this isn't really a security issue in RHEL6.