Bug 635775 (CVE-2010-3429) - CVE-2010-3429 ffmpeg: arbitrary offset dereference vulnerability in flic video codec (oCERT-2010-004)
Status: CLOSED NOTABUG
Alias: CVE-2010-3429
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 638265
 
Reported: 2010-09-20 17:01 UTC by Vincent Danen
Modified: 2019-09-29 12:39 UTC

Doc Type: Bug Fix
Last Closed: 2013-10-16 22:21:06 UTC

Attachments
patch from upstream to correct the issue (4.49 KB, patch)
2010-09-20 17:08 UTC, Vincent Danen

Description Vincent Danen 2010-09-20 17:01:12 UTC
oCERT reported a vulnerability that affects the flic video codec support in ffmpeg.  Quoting:

"The MPlayer package [1] is vulnerable to an arbitrary offset dereference
vulnerability, which could be exploited by malicious remote attacker. The
vulnerability is caused by the MPlayer's flic codec (flicvideo.c) on 8 bits
per pixel videos because the codec does not check received values. This could
be exploited jumping to arbitrary code by opening a specially crafted file."

They were particularly concerned about the ffmpeg inclusion in mplayer.  The affected file (flicvideo.c) is also present in libextractor as provided by Fedora 12.  It looks as though the only thing using libextractor in Fedora is doodle (local search program, like Spotlight).  This would mean a user would have to download a specially crafted file and store it locally, and be using doodle to index files.  I don't know whether or not doodle would be problematic here, i.e. if it's just reading metadata it might not cause any problems at all.

Later versions of libextractor have removed the embedded ffmpeg sources.

Comment 1 Vincent Danen 2010-09-20 17:08:32 UTC
Created attachment 448516
patch from upstream to correct the issue

Comment 2 Vincent Danen 2010-09-20 17:09:13 UTC
This will be fixed as part of ffmpeg 0.6.1.

Comment 4 Vincent Danen 2010-09-28 15:50:54 UTC
This is now public:

http://www.ocert.org/advisories/ocert-2010-004.html

Neither ffmpeg nor mplayer is shipped in any supported products; however, libextractor in Fedora 12 does contain embedded ffmpeg.  Later versions of libextractor have removed embedded ffmpeg; not sure if it is possible to update libextractor in Fedora 12 to the version in Fedora 13; if not, it should be patched to correct the flaw.

The patch to correct the flaw is here:

http://git.ffmpeg.org/?p=ffmpeg;a=commitdiff;h=16c592155f117ccd7b86006c45aacc692a81c23b

Comment 5 Vincent Danen 2010-09-28 15:51:31 UTC
Created libextractor tracking bugs for this issue

Affects: fedora-12 [bug 638265]

Comment 6 Enrico Scholz 2010-09-29 08:03:23 UTC
ffmpeg support in libextractor is disabled because the 'mpeg2dec' requirement is not available in Fedora:

| checking whether to enable the FFmpeg thumbnail extractor... no

Comment 7 Vincent Danen 2010-09-29 16:56:55 UTC
(In reply to comment #6)
> ffmpeg support in libextractor is disabled because the 'mpeg2dec' requirement is
> not available in Fedora:
> 
> | checking whether to enable the FFmpeg thumbnail extractor... no

Ok, great, thank you for checking that.  I'll close the Fedora tracker then.

