Bug 635775 - (CVE-2010-3429) CVE-2010-3429 ffmpeg: arbitrary offset dereference vulnerability in flic video codec (oCERT-2010-004)
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: public=20100927,reported=20100913,sou...
Keywords: Security
Depends On: 638265
Reported: 2010-09-20 13:01 EDT by Vincent Danen
Modified: 2015-08-19 04:55 EDT
CC: 2 users
Doc Type: Bug Fix
Last Closed: 2013-10-16 18:21:06 EDT
Attachments:
patch from upstream to correct the issue (4.49 KB, patch), 2010-09-20 13:08 EDT, Vincent Danen
Description Vincent Danen 2010-09-20 13:01:12 EDT
oCERT reported a vulnerability that affects the flic video codec support in ffmpeg.  Quoting:

"The MPlayer package [1] is vulnerable to an arbitrary offset dereference
vulnerability, which could be exploited by malicious remote attacker. The
vulnerability is caused by the MPlayer's flic codec (flicvideo.c) on 8 bits
per pixel videos because the codec does not check received values. This could
be exploited jumping to arbitrary code by opening a specially crafted file."

They were particularly concerned about the ffmpeg inclusion in mplayer.  The affected file (flicvideo.c) is also present in libextractor as provided by Fedora 12.  It looks as though the only thing using libextractor in Fedora is doodle (local search program, like Spotlight).  This would mean a user would have to download a specially crafted file and store it locally, and be using doodle to index files.  I don't know whether or not doodle would be problematic here, i.e. if it's just reading metadata it might not cause any problems at all.

Later versions of libextractor have removed the embedded ffmpeg sources.
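The following is an added example of the bug class the advisory describes (a decoder that turns line and column values read from the file into a write offset without checking them), not code from ffmpeg's flicvideo.c or from this report. The record layout, the frame dimensions, and the function names `naive_offset`, `decode_8bpp`, `good_chunk_decodes` and `crafted_is_rejected` are all assumptions constructed for illustration; real FLI/FLC chunks are laid out differently.

```c
/* Added example: a simplified model of an 8 bpp frame decoder that takes
 * line/column values from the input stream. Constructed record layout
 * (an assumption, not the FLI format): [y_skip:u8][x:u8][count:u8][count bytes]
 * writes `count` palette indices at (x, y), where y advances by y_skip
 * from the previous record's line. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FRAME_W 8
#define FRAME_H 4
#define FRAME_SIZE (FRAME_W * FRAME_H)

/* Offset a decoder that trusts the stream would dereference. With no
 * range check this is exactly the "arbitrary offset" in the advisory. */
static long naive_offset(int y, int x) {
    return (long)y * FRAME_W + x;
}

/* Bounds-checked decoder. Returns bytes written, or -1 on a malformed
 * record (truncated stream or a destination outside the frame). */
static int decode_8bpp(const uint8_t *buf, size_t len, uint8_t frame[FRAME_SIZE]) {
    size_t pos = 0;
    int y = 0;
    int written = 0;
    while (pos < len) {
        if (len - pos < 3) return -1;                 /* truncated header */
        int y_skip = buf[pos], x = buf[pos + 1], count = buf[pos + 2];
        pos += 3;
        if ((size_t)count > len - pos) return -1;     /* truncated payload */
        y += y_skip;
        /* The checks the report says are missing: every value taken from
         * the file is validated before it becomes a pointer offset. */
        if (y >= FRAME_H || x + count > FRAME_W) return -1;
        memcpy(frame + naive_offset(y, x), buf + pos, (size_t)count);
        pos += (size_t)count;
        written += count;
    }
    return written;
}

/* Constructed sample inputs. */
static const uint8_t good_chunk[] = {
    0, 1, 3, 0x11, 0x22, 0x33,   /* line 0, columns 1..3 */
    2, 0, 2, 0x44, 0x55,         /* skip to line 2, columns 0..1 */
};
static const uint8_t crafted_chunk[] = {
    200, 5, 1, 0xAA,             /* "line 200" of a 4-line frame */
};

/* Returns 1 if the well-formed chunk decodes and the pixels land where
 * the records say they should. */
static int good_chunk_decodes(void) {
    uint8_t frame[FRAME_SIZE] = {0};
    int n = decode_8bpp(good_chunk, sizeof good_chunk, frame);
    return n == 5 && frame[1] == 0x11 && frame[3] == 0x33
        && frame[2 * FRAME_W] == 0x44 && frame[2 * FRAME_W + 1] == 0x55;
}

/* Returns 1 if the checked decoder rejects the crafted chunk, whose
 * naive offset lies well past the end of the frame buffer. */
static int crafted_is_rejected(void) {
    uint8_t frame[FRAME_SIZE] = {0};
    return decode_8bpp(crafted_chunk, sizeof crafted_chunk, frame) == -1
        && naive_offset(200, 5) >= FRAME_SIZE;
}

int main(void) {
    printf("good chunk decodes correctly: %d\n", good_chunk_decodes());
    printf("crafted chunk: naive offset %ld of a %d-byte frame, rejected=%d\n",
           naive_offset(200, 5), FRAME_SIZE, crafted_is_rejected());
    return 0;
}
```

The point of the split between `naive_offset` and the checks in `decode_8bpp` is that the offset arithmetic itself is fine; what turns a file into a memory-safety bug is letting the stream pick `y` and `x` and then writing through the result without first comparing them to the frame's real dimensions.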
Comment 1 Vincent Danen 2010-09-20 13:08:32 EDT
Created attachment 448516 [details]
patch from upstream to correct the issue
Comment 2 Vincent Danen 2010-09-20 13:09:13 EDT
This will be fixed as part of ffmpeg 0.6.1.
Comment 4 Vincent Danen 2010-09-28 11:50:54 EDT
This is now public:

http://www.ocert.org/advisories/ocert-2010-004.html

Neither ffmpeg nor mplayer is shipped in any supported products, however libextractor in Fedora 12 does contain embedded ffmpeg.  Later versions of libextractor have removed embedded ffmpeg; not sure if it is possible to update libextractor in Fedora 12 to the version in Fedora 13; if not, it should be patched to correct the flaw.

The patch to correct the flaw is here:

http://git.ffmpeg.org/?p=ffmpeg;a=commitdiff;h=16c592155f117ccd7b86006c45aacc692a81c23b
Comment 5 Vincent Danen 2010-09-28 11:51:31 EDT
Created libextractor tracking bugs for this issue

Affects: fedora-12 [bug 638265]
Comment 6 Enrico Scholz 2010-09-29 04:03:23 EDT
ffmpeg support in libextractor is disabled because 'mpeg2dec' requirement is not available in fedora:

| checking whether to enable the FFmpeg thumbnail extractor... no
Comment 7 Vincent Danen 2010-09-29 12:56:55 EDT
(In reply to comment #6)
> ffmpeg support in libextractor is disabled because 'mpeg2dec' requirement is
> not available in fedora:
> 
> | checking whether to enable the FFmpeg thumbnail extractor... no

Ok, great, thank you for checking that.  I'll close the Fedora tracker then.
