Bug 861223 - (CVE-2012-2774) CVE-2012-2774 ffmpeg-spice: possible denial of service via memory corruption in mpeg video handling
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
Priority: low  Severity: low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
Blocks: 861224
Reported: 2012-09-27 17:06 EDT by Vincent Danen
Modified: 2014-06-13 13:38 EDT (History)
4 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-06-13 13:38:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Vincent Danen 2012-09-27 17:06:15 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-2774 to
the following vulnerability:

Name: CVE-2012-2774
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2774
Assigned: 20120519
Reference: http://www.openwall.com/lists/oss-security/2012/08/31/3
Reference: http://www.openwall.com/lists/oss-security/2012/09/02/4
Reference: http://ffmpeg.org/security.html
Reference: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=59a4b73531428d2f420b4dad545172c8483ced0f
Reference: http://www.securityfocus.com/bid/55355
Reference: SECUNIA:50468
Reference: http://secunia.com/advisories/50468

The ff_MPV_frame_start function in libavcodec/mpegvideo.c in FFmpeg
before 0.11 allows remote attackers to cause a denial of service
(memory corruption) via unspecified vectors, related to starting "a
frame outside SETUP state."

NOTE: I'm not sure this actually affects us; I'm not familiar enough with the code to make this call.  While we don't have the ff_MPV_frame_start() function, we do have a (quite similar) MPV_frame_start() function.  The upstream git commit refers to this fix as:

"This fixes race conditions that ultimately lead to memory corruption."

From the look of the patch, it looks like it implements some thread handling, but my impression is that our use of mpeg streaming here is single-threaded in that encoder.  In light of that, I don't believe this is a flaw for ffmpeg-spice due to how it is used, but it should be checked by a developer familiar with the code.
Comment 2 Josh Bressers 2014-06-13 13:38:02 EDT
According to the comments above, this isn't really a security issue in RHEL6.
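The upstream fix is described above only as thread handling that stops a frame from being started outside the SETUP state. The following is an added illustration of that guard pattern, written for this page; it is not FFmpeg's code, and the context type, state names and function names (toy_ctx, toy_frame_start_guarded and so on) are hypothetical. It contrasts a frame-start routine that touches the shared frame buffer regardless of decoder state with one that only proceeds if it atomically wins the SETUP to RUNNING transition, so a second caller arriving in the wrong state is refused instead of racing on the buffer.

```c
/* Added example: a state-guarded frame start. Not FFmpeg code; all names are
 * hypothetical. Demonstrates refusing to start a frame outside SETUP state
 * via an atomic compare-and-swap, so concurrent or mis-ordered callers cannot
 * both enter the buffer-initialising section. */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum toy_state { TOY_IDLE = 0, TOY_SETUP = 1, TOY_RUNNING = 2 };

typedef struct {
    _Atomic int state;      /* current decoder state (hypothetical) */
    uint8_t frame[64];      /* stands in for the shared frame buffer */
    int frames_started;     /* how many times a frame was actually begun */
} toy_ctx;

void toy_ctx_init(toy_ctx *c)
{
    atomic_store(&c->state, TOY_IDLE);
    memset(c->frame, 0, sizeof c->frame);
    c->frames_started = 0;
}

/* IDLE -> SETUP; returns 0 on success, -1 if not idle. */
int toy_ctx_setup(toy_ctx *c)
{
    int expected = TOY_IDLE;
    return atomic_compare_exchange_strong(&c->state, &expected, TOY_SETUP) ? 0 : -1;
}

/* Unguarded variant: initialises the buffer whatever the state is, which is
 * the shape of bug the CVE text describes (frame started outside SETUP). */
int toy_frame_start_unguarded(toy_ctx *c)
{
    memset(c->frame, 0xAA, sizeof c->frame);
    atomic_store(&c->state, TOY_RUNNING);
    c->frames_started++;
    return 0;
}

/* Guarded variant: only the caller that atomically moves SETUP -> RUNNING
 * may touch the buffer; any other caller gets -1 and changes nothing. */
int toy_frame_start_guarded(toy_ctx *c)
{
    int expected = TOY_SETUP;
    if (!atomic_compare_exchange_strong(&c->state, &expected, TOY_RUNNING))
        return -1;              /* wrong state: refuse rather than race */
    memset(c->frame, 0xAA, sizeof c->frame);
    c->frames_started++;
    return 0;
}

/* RUNNING -> IDLE; returns 0 on success, -1 if no frame was running. */
int toy_frame_end(toy_ctx *c)
{
    int expected = TOY_RUNNING;
    return atomic_compare_exchange_strong(&c->state, &expected, TOY_IDLE) ? 0 : -1;
}

int main(void)
{
    toy_ctx c;
    toy_ctx_init(&c);
    printf("guarded start while IDLE: %d\n", toy_frame_start_guarded(&c));   /* -1 */
    printf("setup: %d\n", toy_ctx_setup(&c));                                 /* 0 */
    printf("guarded start while SETUP: %d\n", toy_frame_start_guarded(&c));  /* 0 */
    printf("second guarded start while RUNNING: %d\n", toy_frame_start_guarded(&c)); /* -1 */
    printf("frames started: %d\n", c.frames_started);                         /* 1 */
    printf("end: %d\n", toy_frame_end(&c));                                   /* 0 */
    return 0;
}
```

The compare-and-swap is the whole point: checking the state and then changing it as two separate steps would leave a window in which two callers both see SETUP, and both would then write the buffer.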