ESB-2018.3944.2 - UPDATE [Win][UNIX/Linux][Debian] libav: Multiple vulnerabilities 2019-01-02


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.3944.2
                    [DLA 1611-1] libav security update
                              2 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libav
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-10191 CVE-2016-10190 CVE-2015-8663
                   CVE-2015-8662 CVE-2015-8661 CVE-2015-8364
                   CVE-2015-8363 CVE-2015-8217 CVE-2015-8216
                   CVE-2015-6826 CVE-2015-6825 CVE-2015-6824
                   CVE-2015-6823 CVE-2015-6822 CVE-2015-6821
                   CVE-2015-6820 CVE-2015-6818 CVE-2015-6761
                   CVE-2014-9317  

Reference:         ESB-2015.2651
                   ESB-2015.2619

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/12/msg00009.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running libav check for an updated version of the software for their
         operating system.

Revision History:  January   2 2019: Two more security issues have been
                                     corrected
                   December 21 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : libav
Version        : 6:11.12-1~deb8u3
CVE ID         : CVE-2015-6822 CVE-2015-6823 CVE-2015-6824


Two more security issues have been corrected in the libav multimedia library. 
This is a follow-up announcement for DLA-1611-1.

CVE-2015-6823

    The allocate_buffers function in libavcodec/alac.c did not initialize
    certain context data, which allowed remote attackers to cause a
    denial of service (segmentation violation) or possibly have
    unspecified other impact via crafted Apple Lossless Audio Codec
    (ALAC) data. This issue has now been addressed by clearing pointers
    in avcodec/alac.c's allocate_buffers().

    Contrary to what the debian/changelog of upload 6:11.12-1~deb8u2
    states, this issue was only fixed with the upload of 6:11.12-1~deb8u3.

CVE-2015-6824

    The sws_init_context function in libswscale/utils.c did not
    initialize certain pixbuf data structures, which allowed remote
    attackers to cause a denial of service (segmentation violation) or
    possibly have unspecified other impact via crafted video data. In
    swscale/utils.c now these pix buffers get cleared which fixes use of
    uninitialized memory.

    Contrary to what the debian/changelog of upload 6:11.12-1~deb8u2
    states, this issue was only fixed with the upload of 6:11.12-1~deb8u3.

For Debian 8 "Jessie", these problems have been fixed in version
6:11.12-1~deb8u3.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- ---

Package        : libav
Version        : 6:11.12-1~deb8u2
CVE ID         : CVE-2014-9317 CVE-2015-6761 CVE-2015-6818 CVE-2015-6820
                 CVE-2015-6821 CVE-2015-6822
                 CVE-2015-6825 CVE-2015-6826 CVE-2015-8216 CVE-2015-8217
                 CVE-2015-8363 CVE-2015-8364 CVE-2015-8661 CVE-2015-8662
                 CVE-2015-8663 CVE-2016-10190 CVE-2016-10191


Several security issues have been corrected in multiple demuxers and
decoders of the libav multimedia library.

CVE-2014-9317

    The decode_ihdr_chunk function in libavcodec/pngdec.c allowed remote
    attackers to cause a denial of service (out-of-bounds heap access)
    and possibly had other unspecified impact via an IDAT before an IHDR
    in a PNG file. The issue got addressed by checking IHDR/IDAT order.

CVE-2015-6761

    The update_dimensions function in libavcodec/vp8.c in libav relies on
    a coefficient-partition count during multi-threaded operation, which
    allowed remote attackers to cause a denial of service (race condition
    and memory corruption) or possibly have unspecified other impact via
    a crafted WebM file. This issue has been resolved by using
    num_coeff_partitions in the thread/buffer setup: the coefficient-
    partition count is not a constant, and relying on a value that can
    change underneath the decoding threads leads to race conditions.

CVE-2015-6818

    The decode_ihdr_chunk function in libavcodec/pngdec.c did not enforce
    uniqueness of the IHDR (aka image header) chunk in a PNG image, which
    allowed remote attackers to cause a denial of service (out-of-bounds
    array access) or possibly have unspecified other impact via a crafted
    image with two or more of these chunks. This has now been fixed by
    only allowing one IHDR chunk. Multiple IHDR chunks are forbidden in
    PNG.
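As an added illustration (not part of the Debian advisory or of libav's own code), the following C program shows the two chunk-ordering checks that the fixes for CVE-2014-9317 and CVE-2015-6818 introduce, in a standalone PNG chunk walker: IDAT is rejected before IHDR, and a second IHDR is rejected outright. The chunk layout follows the PNG format; the status codes, the state struct and the constructed test images are assumptions made here, and CRC verification is deliberately omitted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not libav code: a minimal PNG chunk walker enforcing the two
 * ordering rules behind CVE-2014-9317 and CVE-2015-6818. IDAT must not precede
 * IHDR (buffers are sized from IHDR), and IHDR must occur exactly once (a
 * second IHDR could change the dimensions after buffers were sized from the
 * first). CRC verification and decompression are deliberately left out. */

enum png_status { PNG_OK = 0, PNG_ERR_SIGNATURE, PNG_ERR_TRUNCATED, PNG_ERR_BAD_IHDR,
                  PNG_ERR_IDAT_BEFORE_IHDR /* CVE-2014-9317 class */,
                  PNG_ERR_DUPLICATE_IHDR   /* CVE-2015-6818 class */ };

struct png_state { uint32_t width, height; int have_ihdr; size_t idat_chunks; };

static const uint8_t PNG_SIG[8] = { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a };

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

int png_walk(const uint8_t *buf, size_t len, struct png_state *st)
{
    memset(st, 0, sizeof *st);
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0)
        return PNG_ERR_SIGNATURE;
    for (size_t pos = 8; pos < len; ) {
        /* chunk layout: 4-byte length, 4-byte type, data, 4-byte CRC */
        if (len - pos < 12)
            return PNG_ERR_TRUNCATED;
        uint32_t clen = rd32(buf + pos);
        const uint8_t *type = buf + pos + 4, *data = buf + pos + 8;
        if (clen > len - pos - 12)            /* cannot underflow: len - pos >= 12 */
            return PNG_ERR_TRUNCATED;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (st->have_ihdr)
                return PNG_ERR_DUPLICATE_IHDR;
            if (clen != 13)
                return PNG_ERR_BAD_IHDR;
            st->width  = rd32(data);
            st->height = rd32(data + 4);
            /* PNG forbids zero dimensions and anything above 2^31 - 1 */
            if (st->width == 0 || st->height == 0 ||
                st->width > 0x7fffffffu || st->height > 0x7fffffffu)
                return PNG_ERR_BAD_IHDR;
            st->have_ihdr = 1;
        } else if (memcmp(type, "IDAT", 4) == 0) {
            if (!st->have_ihdr)
                return PNG_ERR_IDAT_BEFORE_IHDR;
            st->idat_chunks++;
        } else if (memcmp(type, "IEND", 4) == 0) {
            return st->have_ihdr ? PNG_OK : PNG_ERR_BAD_IHDR;
        }
        pos += 12 + clen;                     /* other chunk types are skipped */
    }
    return PNG_ERR_TRUNCATED;                 /* data ended before IEND */
}

/* Constructed test chunks: 1x1 8-bit grayscale IHDR, an empty IDAT and IEND.
 * CRC fields are zero because png_walk() does not verify them. */
static const uint8_t IHDR_CHUNK[25] = { 0,0,0,13, 'I','H','D','R',
                                        0,0,0,1, 0,0,0,1, 8,0,0,0,0, 0,0,0,0 };
static const uint8_t IDAT_CHUNK[12] = { 0,0,0,0, 'I','D','A','T', 0,0,0,0 };
static const uint8_t IEND_CHUNK[12] = { 0,0,0,0, 'I','E','N','D', 0,0,0,0 };

/* Assemble signature + chunks into one buffer and return png_walk()'s verdict. */
static int walk_chunks(const uint8_t *const chunks[], const size_t lens[], int n)
{
    uint8_t buf[128]; struct png_state st;
    memcpy(buf, PNG_SIG, 8);
    size_t pos = 8;
    for (int i = 0; i < n; i++) {
        memcpy(buf + pos, chunks[i], lens[i]);
        pos += lens[i];
    }
    return png_walk(buf, pos, &st);
}

int png_check_wellformed(void)
{
    const uint8_t *c[] = { IHDR_CHUNK, IDAT_CHUNK, IEND_CHUNK };
    const size_t l[] = { 25, 12, 12 };
    return walk_chunks(c, l, 3);                /* PNG_OK */
}

int png_check_idat_before_ihdr(void)
{
    const uint8_t *c[] = { IDAT_CHUNK, IHDR_CHUNK, IEND_CHUNK };
    const size_t l[] = { 12, 25, 12 };
    return walk_chunks(c, l, 3);                /* PNG_ERR_IDAT_BEFORE_IHDR */
}

int png_check_duplicate_ihdr(void)
{
    const uint8_t *c[] = { IHDR_CHUNK, IHDR_CHUNK, IDAT_CHUNK, IEND_CHUNK };
    const size_t l[] = { 25, 25, 12, 12 };
    return walk_chunks(c, l, 4);                /* PNG_ERR_DUPLICATE_IHDR */
}
```

The two checks are cheap state-machine rules (a "have IHDR" flag consulted before IDAT and before a second IHDR); what they protect is every later allocation that is sized from the IHDR dimensions.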

CVE-2015-6820

    The ff_sbr_apply function in libavcodec/aacsbr.c did not check for a
    matching AAC frame syntax element before proceeding with Spectral
    Band Replication calculations, which allowed remote attackers to
    cause a denial of service (out-of-bounds array access) or possibly
    have unspecified other impact via crafted AAC data. This has now been
    fixed by checking that the element type matches before applying SBR.

CVE-2015-6821

    The ff_mpv_common_init function in libavcodec/mpegvideo.c did not
    properly maintain the encoding context, which allowed remote
    attackers to cause a denial of service (invalid pointer access) or
    possibly have unspecified other impact via crafted MPEG data. The
    issue has been resolved by clearing pointers in ff_mpv_common_init().
    This ensures that no stale pointers leak through on any path.

CVE-2015-6822

    The destroy_buffers function in libavcodec/sanm.c did not properly
    maintain height and width values in the video context, which allowed
    remote attackers to cause a denial of service (segmentation violation
    and application crash) or possibly have unspecified other impact via
    crafted LucasArts Smush video data. The solution to this was to reset
    sizes in destroy_buffers() in avcodec/sanm.c.

CVE-2015-6823

    Contrary to what the debian/changelog file states, this issue
    has not yet been fixed for libav in Debian jessie LTS.

CVE-2015-6824

    Contrary to what the debian/changelog file states, this issue
    has not yet been fixed for libav in Debian jessie LTS.

CVE-2015-6825

    The ff_frame_thread_init function in libavcodec/pthread_frame.c
    mishandled certain memory-allocation failures, which allowed remote
    attackers to cause a denial of service (invalid pointer access) or
    possibly have unspecified other impact via a crafted file, as
    demonstrated by an AVI file. Clearing priv_data in
    avcodec/pthread_frame.c has resolved this and avoids a stale
    pointer in the error case.

CVE-2015-6826

    The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c did
    not initialize certain structure members, which allowed remote
    attackers to cause a denial of service (invalid pointer access) or
    possibly have unspecified other impact via crafted (1) RV30 or (2)
    RV40 RealVideo data. This issue got addressed by clearing pointers in
    ff_rv34_decode_init_thread_copy() in avcodec/rv34.c, which avoids
    leaving stale pointers.

CVE-2015-8216

    The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg
    omitted certain width and height checks, which allowed remote
    attackers to cause a denial of service (out-of-bounds array access)
    or possibly have unspecified other impact via crafted MJPEG data. The
    issue has been fixed by adding a check of the index in
    ljpeg_decode_yuv_scan() in avcodec/mjpegdec.c before it is used,
    which fixes an out-of-array access.

CVE-2015-8217

    The ff_hevc_parse_sps function in libavcodec/hevc_ps.c did not
    validate the Chroma Format Indicator, which allowed remote attackers
    to cause a denial of service (out-of-bounds array access) or possibly
    have unspecified other impact via crafted High Efficiency Video
    Coding (HEVC) data. A check of chroma_format_idc in avcodec/hevc_ps.c
    has now been added to fix this out of array access.

CVE-2015-8363

    The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c
    did not enforce uniqueness of the SIZ marker in a JPEG 2000 image,
    which allowed remote attackers to cause a denial of service
    (out-of-bounds heap-memory access) or possibly have unspecified other
    impact via a crafted image with two or more of these markers. In
    avcodec/jpeg2000dec.c a check for duplicate SIZ marker has been added
    to fix this.

CVE-2015-8364

    Integer overflow in the ff_ivi_init_planes function in
    libavcodec/ivi.c allowed remote attackers to cause a denial of
    service (out-of-bounds heap-memory access) or possibly have
    unspecified other impact via crafted image dimensions in Indeo Video
    Interactive data. A check of the image dimensions has been added in
    avcodec/ivi.c, which fixes this integer overflow.
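As an added illustration (not the advisory's or libav's code), the C below contrasts the overflow-prone way of sizing picture buffers with a dimension check of the kind that closed CVE-2015-8364: the product width * height computed in 32 bits wraps for large values from the bitstream, so a tiny buffer gets allocated for a picture the decoder will later write in full. The pixel cap, the three-plane 4:2:0 layout and all function names are assumptions made here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* Added example, not libav code. Plane allocation for a planar 4:2:0 picture
 * with and without a dimension check of the kind that closed CVE-2015-8364.
 * The pixel cap, the plane layout and the function names are assumptions. */

#define MAX_PIXELS ((uint64_t)INT_MAX / 8)  /* assumed cap: ample for video, far below any wrap */

struct plane { uint32_t width, height; size_t size; uint8_t *data; };

/* Vulnerable pattern: dimensions straight from the bitstream, byte count
 * computed in 32 bits, so 65536 x 65536 wraps to 0 and a zero-byte buffer is
 * handed to a decoder that will write the full picture into it. */
uint32_t plane_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height;
}

/* Hardened: reject zero or oversized pictures before any arithmetic that
 * could wrap, doing the comparison in 64 bits. */
int check_dimensions(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0)
        return -1;
    if ((uint64_t)width * height > MAX_PIXELS)
        return -1;
    return 0;
}

void planes_free(struct plane planes[3])
{
    for (int i = 0; i < 3; i++) {
        free(planes[i].data);
        planes[i].data = NULL;        /* never leave a dangling pointer behind */
        planes[i].size = planes[i].width = planes[i].height = 0;
    }
}

/* Allocate luma plus two half-resolution chroma planes. Returns 0 on success,
 * -1 if the dimensions are rejected or an allocation fails; on failure every
 * plane is left zeroed rather than half-initialised. */
int planes_init(struct plane planes[3], uint32_t width, uint32_t height)
{
    memset(planes, 0, 3 * sizeof *planes);
    if (check_dimensions(width, height) < 0)
        return -1;
    for (int i = 0; i < 3; i++) {
        uint32_t w = i ? (width + 1) / 2 : width;      /* chroma is subsampled 2:1 */
        uint32_t h = i ? (height + 1) / 2 : height;
        planes[i].width  = w;
        planes[i].height = h;
        planes[i].size   = (size_t)((uint64_t)w * h);  /* safe: w * h <= MAX_PIXELS */
        planes[i].data   = calloc(planes[i].size, 1);
        if (!planes[i].data) {
            planes_free(planes);
            return -1;
        }
    }
    return 0;
}

/* Total bytes allocated for a picture of the given size, or -1 if rejected. */
int64_t planes_total_bytes(uint32_t width, uint32_t height)
{
    struct plane p[3];
    if (planes_init(p, width, height) < 0)
        return -1;
    int64_t total = (int64_t)(p[0].size + p[1].size + p[2].size);
    planes_free(p);
    return total;
}
```

The point of the cap is that it is checked once, before any multiplication, so every later size computation in the decoder can stay in plain arithmetic without re-checking for wrap-around.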

CVE-2015-8661

    The h264_slice_header_init function in libavcodec/h264_slice.c did
    not validate the relationship between the number of threads and the
    number of slices, which allowed remote attackers to cause a denial of
    service (out-of-bounds array access) or possibly have unspecified
    other impact via crafted H.264 data. In avcodec/h264_slice.c now
    max_contexts gets limited when slice_context_count is initialized.
    This avoids an out of array access.

CVE-2015-8662

    The ff_dwt_decode function in libavcodec/jpeg2000dwt.c did not
    validate the number of decomposition levels before proceeding with
    Discrete Wavelet Transform decoding, which allowed remote attackers
    to cause a denial of service (out-of-bounds array access) or possibly
    have unspecified other impact via crafted JPEG 2000 data. In
    avcodec/jpeg2000dwt.c a check of ndeclevels has been added before
    calling dwt_decode*(). This fixes an out of array access.

CVE-2015-8663

    The ff_get_buffer function in libavcodec/utils.c preserved width and
    height values after a failure, which allowed remote attackers to
    cause a denial of service (out-of-bounds array access) or possibly
    have unspecified other impact via a crafted .mov file. Now, the
    dimensions get cleared in ff_get_buffer() on failure, which removes
    the cause of an out-of-array access.
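Several of the fixes above share one pattern: CVE-2015-6821, CVE-2015-6822, CVE-2015-6823, CVE-2015-6825, CVE-2015-6826 and CVE-2015-8663 were all closed by clearing pointers or dimensions that a failed initialisation had left behind in the decoder context. As an added illustration (not the advisory's or libav's code), the C below shows a context whose allocation fails halfway, once leaving stale state behind and once restoring the context to its prior state. The context layout, the simulated allocation failure and the function names are assumptions made here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libav code. A decoder context that keeps its
 * pointers and dimensions across a failed allocation ("stale" version)
 * versus one that commits state only once everything succeeded. */

struct ctx {
    int width, height;
    uint8_t *frame;      /* width * height bytes */
    uint8_t *scratch;    /* width bytes */
    int fail_at;         /* test hook: make the N-th allocation fail (0 = never) */
    int alloc_count;
};

static void *ctx_alloc(struct ctx *c, size_t n)
{
    c->alloc_count++;
    if (c->fail_at && c->alloc_count == c->fail_at)
        return NULL;                  /* simulated out-of-memory */
    return calloc(n, 1);
}

/* Vulnerable pattern: dimensions are committed before the allocations
 * succeed, and a freed buffer stays referenced from the context. A later
 * decode or free on this context sees stale dimensions and a dangling
 * pointer, which is the invalid-pointer-access class in the CVEs above. */
int allocate_buffers_stale(struct ctx *c, int width, int height)
{
    c->width  = width;
    c->height = height;
    c->frame = ctx_alloc(c, (size_t)width * height);
    if (!c->frame)
        return -1;                    /* width/height already stale */
    c->scratch = ctx_alloc(c, (size_t)width);
    if (!c->scratch) {
        free(c->frame);               /* freed but c->frame still points at it */
        return -1;
    }
    return 0;
}

/* Hardened: allocate into locals, commit only on success, and on failure
 * leave the context exactly as it was before the call. */
int allocate_buffers_clean(struct ctx *c, int width, int height)
{
    if (width <= 0 || height <= 0)
        return -1;
    uint8_t *frame   = ctx_alloc(c, (size_t)width * height);
    uint8_t *scratch = frame ? ctx_alloc(c, (size_t)width) : NULL;
    if (!frame || !scratch) {
        free(frame);
        free(scratch);
        return -1;
    }
    free(c->frame);                   /* replace any previous buffers */
    free(c->scratch);
    c->frame = frame;  c->scratch = scratch;
    c->width = width;  c->height  = height;
    return 0;
}

/* Invariant: a context has buffers if and only if it has dimensions. */
int ctx_consistent(const struct ctx *c)
{
    int has_dims = c->width > 0 && c->height > 0;
    int has_bufs = c->frame != NULL && c->scratch != NULL;
    return has_dims == has_bufs;
}

/* Force the second allocation to fail; returns 1 if the context is still
 * consistent afterwards. Neither path leaves anything to free: the stale
 * path already freed (but kept referencing) its frame, the clean path
 * released both locals. */
int state_after_failed_alloc(int hardened)
{
    struct ctx c;
    memset(&c, 0, sizeof c);
    c.fail_at = 2;
    int rc = hardened ? allocate_buffers_clean(&c, 64, 48)
                      : allocate_buffers_stale(&c, 64, 48);
    return rc == -1 && ctx_consistent(&c);
}

/* Success path of the hardened version: state committed, invariant holds. */
int state_after_success(void)
{
    struct ctx c;
    memset(&c, 0, sizeof c);
    int ok = allocate_buffers_clean(&c, 64, 48) == 0 && ctx_consistent(&c)
             && c.width == 64 && c.height == 48;
    free(c.frame);
    free(c.scratch);
    return ok;
}
```

The invariant check is the useful takeaway for review: if dimensions and buffers can disagree after any return path, a crafted stream that triggers that path (a second init, a failed reallocation on size change) gets a decoder working on memory it no longer owns.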

CVE-2016-10190

    A heap-based buffer overflow in libavformat/http.c allowed remote web
    servers to execute arbitrary code via a negative chunk size in an
    HTTP response. In libavformat/http.c the length/offset-related
    variables have been made unsigned. This fix required inclusion of
    two other changes ported from ffmpeg upstream Git (commits 3668701f
    and 362c17e6).
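As an added illustration (not the advisory's or libav's code), the C below contrasts a signed parse of the chunk-size line in an HTTP chunked-transfer body, which is the CVE-2016-10190 pattern, with a hardened parser. The naive path accepts "-10", the negative value passes a min() against the caller's buffer size untouched, and the read that follows treats it as a huge length. The hardened version goes a step beyond what the advisory describes (unsigned variables): it accepts only hex digits, stops at an optional chunk extension, and checks for overflow while accumulating. Function names and the sample size lines are assumptions made here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Added example, not libav code. Two ways of parsing the size line of an
 * HTTP chunked-transfer body ("1A\r\n" or "1A;ext=val\r\n"). The naive
 * version mirrors the CVE-2016-10190 pattern. */

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Vulnerable: signed parse, no validation of the line at all. */
int64_t chunk_size_naive(const char *line)
{
    return strtoll(line, NULL, 16);           /* "-10" -> -16 */
}

/* Read length in the vulnerable flow: a negative chunk size survives MIN()
 * and becomes an enormous size_t at the recv()/memcpy() that follows. */
size_t chunk_read_len_naive(const char *line, size_t buf_size)
{
    int64_t chunksize = chunk_size_naive(line);
    int64_t to_read = MIN((int64_t)buf_size, chunksize);
    return (size_t)to_read;                   /* -16 -> 2^64 - 16 */
}

/* Hardened: hex digits only, unsigned accumulation with overflow check,
 * optional ";extension" after the digits, anything else rejected. */
int chunk_size_safe(const char *line, uint64_t *out)
{
    uint64_t v = 0;
    int ndigits = 0;
    for (; *line && *line != ';' && *line != '\r' && *line != '\n'; line++) {
        int c = (unsigned char)*line, d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;                       /* sign, space, or garbage */
        if (v > (UINT64_MAX >> 4))
            return -1;                        /* next shift would overflow */
        v = (v << 4) | (uint64_t)d;
        ndigits++;
    }
    if (ndigits == 0)
        return -1;                            /* empty size line */
    *out = v;
    return 0;
}

/* Read length in the hardened flow: -1 if the line is rejected, otherwise a
 * value that never exceeds buf_size (buf_size is assumed to fit in int64). */
int64_t chunk_read_len_safe(const char *line, size_t buf_size)
{
    uint64_t chunksize;
    if (chunk_size_safe(line, &chunksize) < 0)
        return -1;
    return (int64_t)MIN((uint64_t)buf_size, chunksize);
}
```

The decisive difference is not the signedness alone: once the parser only ever produces a non-negative value and the read length is clamped to the buffer, there is no path on which a server-supplied number becomes a length larger than the allocation.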

CVE-2016-10191

    Another heap-based buffer overflow in libavformat/rtmppkt.c allowed
    remote attackers to execute arbitrary code by leveraging failure to
    check for RTMP packet size mismatches. By checking for packet size
    mismatches, this out-of-array access has been resolved.

For Debian 8 "Jessie", these problems have been fixed in version
6:11.12-1~deb8u2.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
