Debian Security Advisory

DLA-1611-1 libav -- LTS security update

Date Reported:
20 Dec 2018
Affected Packages:
libav
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2014-9317, CVE-2015-6761, CVE-2015-6818, CVE-2015-6820, CVE-2015-6821, CVE-2015-6822, CVE-2015-6825, CVE-2015-6826, CVE-2015-8216, CVE-2015-8217, CVE-2015-8363, CVE-2015-8364, CVE-2015-8661, CVE-2015-8662, CVE-2015-8663, CVE-2016-10190, CVE-2016-10191.
More information:

Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library.

  • CVE-2014-9317

    The decode_ihdr_chunk function in libavcodec/pngdec.c allowed remote attackers to cause a denial of service (out-of-bounds heap access) and possibly had other unspecified impact via an IDAT before an IHDR in a PNG file. The issue was addressed by checking the IHDR/IDAT order.

  • CVE-2015-6761

    The update_dimensions function in libavcodec/vp8.c in libav relied on a coefficient-partition count during multi-threaded operation, which allowed remote attackers to cause a denial of service (race condition and memory corruption) or possibly have unspecified other impact via a crafted WebM file. This issue has been resolved in the handling of num_coeff_partitions in the thread/buffer setup, since that variable is not a constant and its use there can lead to race conditions.

  • CVE-2015-6818

    The decode_ihdr_chunk function in libavcodec/pngdec.c did not enforce uniqueness of the IHDR (aka image header) chunk in a PNG image, which allowed remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted image with two or more of these chunks. This has now been fixed by allowing only one IHDR chunk, as multiple IHDR chunks are forbidden in PNG.

  • CVE-2015-6820

    The ff_sbr_apply function in libavcodec/aacsbr.c did not check for a matching AAC frame syntax element before proceeding with Spectral Band Replication calculations, which allowed remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted AAC data. This has now been fixed by checking that the element type matches before applying SBR.

  • CVE-2015-6821

    The ff_mpv_common_init function in libavcodec/mpegvideo.c did not properly maintain the encoding context, which allowed remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via crafted MPEG data. The issue has been resolved by clearing pointers in ff_mpv_common_init(). This ensures that no stale pointers leak through on any path.

  • CVE-2015-6822

    The destroy_buffers function in libavcodec/sanm.c did not properly maintain height and width values in the video context, which allowed remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via crafted LucasArts Smush video data. The fix resets the sizes in destroy_buffers() in avcodec/sanm.c.

  • CVE-2015-6823

    Contrary to what the debian/changelog file states, this issue has not yet been fixed for libav in Debian jessie LTS.

  • CVE-2015-6824

    Contrary to what the debian/changelog file states, this issue has not yet been fixed for libav in Debian jessie LTS.

  • CVE-2015-6825

    The ff_frame_thread_init function in libavcodec/pthread_frame.c mishandled certain memory-allocation failures, which allowed remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via a crafted file, as demonstrated by an AVI file. Clearing priv_data in avcodec/pthread_frame.c resolves this by avoiding a stale pointer in the error case.

  • CVE-2015-6826

    The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c did not initialize certain structure members, which allowed remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via crafted (1) RV30 or (2) RV40 RealVideo data. This issue was addressed by clearing pointers in ff_rv34_decode_init_thread_copy() in avcodec/rv34.c, which avoids leaving stale pointers.

  • CVE-2015-8216

    The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg omitted certain width and height checks, which allowed remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted MJPEG data. The issue has been fixed by adding a check of the index in ljpeg_decode_yuv_scan() in avcodec/mjpegdec.c before it is used, which prevents an out-of-array access.

  • CVE-2015-8217

    The ff_hevc_parse_sps function in libavcodec/hevc_ps.c did not validate the Chroma Format Indicator, which allowed remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted High Efficiency Video Coding (HEVC) data. A check of chroma_format_idc in avcodec/hevc_ps.c has now been added to fix this out-of-array access.

  • CVE-2015-8363

    The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c did not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which allowed remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via a crafted image with two or more of these markers. In avcodec/jpeg2000dec.c a check for duplicate SIZ markers has been added to fix this.

  • CVE-2015-8364

    Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi.c allowed remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via crafted image dimensions in Indeo Video Interactive data. A check of the image dimensions has been added in avcodec/ivi.c, which fixes this integer overflow.

  • CVE-2015-8661

    The h264_slice_header_init function in libavcodec/h264_slice.c did not validate the relationship between the number of threads and the number of slices, which allowed remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted H.264 data. In avcodec/h264_slice.c, max_contexts is now limited when slice_context_count is initialized, which avoids an out-of-array access.

  • CVE-2015-8662

    The ff_dwt_decode function in libavcodec/jpeg2000dwt.c did not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allowed remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data. In avcodec/jpeg2000dwt.c a check of ndeclevels has been added before calling dwt_decode*(), which fixes an out-of-array access.

  • CVE-2015-8663

    The ff_get_buffer function in libavcodec/utils.c preserved width and height values after a failure, which allowed remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted .mov file. The dimensions are now cleared in ff_get_buffer() on failure, which removes the cause of an out-of-array access.

  • CVE-2016-10190

    A heap-based buffer overflow in libavformat/http.c allowed remote web servers to execute arbitrary code via a negative chunk size in an HTTP response. In libavformat/http.c the length/offset-related variables have been made unsigned. This fix required inclusion of two other changes ported from ffmpeg upstream Git (commits 3668701f and 362c17e6).

  • CVE-2016-10191

    Another heap-based buffer overflow in libavformat/rtmppkt.c allowed remote attackers to execute arbitrary code by leveraging failure to check for RTMP packet size mismatches. By checking for packet size mismatches, this out-of-array access has been resolved.
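
As an added example (not libav's code) covering the CVE-2014-9317 and CVE-2015-6818 items above, the following C function walks a PNG buffer's chunk list and rejects any chunk that precedes IHDR as well as any second IHDR; the sample byte arrays are constructed here with placeholder CRCs.

```c
/* Added example (not libav code): walk the chunk list of a PNG buffer and
 * enforce the two structural rules whose absence caused CVE-2014-9317 (IDAT
 * before IHDR) and CVE-2015-6818 (more than one IHDR). The PNG spec requires
 * IHDR to be the first chunk and to appear exactly once, so any chunk seen
 * before IHDR is rejected, which covers the IDAT-first case. CRCs are not
 * verified here; only ordering, count and bounds are checked. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PNG_SIG 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A
static const uint8_t png_sig[8] = { PNG_SIG };

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* 0: well-formed; -1: bad signature, truncated or overlong chunk, or no IEND;
 * -2: a chunk precedes IHDR; -3: a second IHDR. */
int png_check_chunks(const uint8_t *buf, size_t len) {
    size_t pos = 8;
    int ihdr_seen = 0;
    if (len < 8 || memcmp(buf, png_sig, 8) != 0) return -1;
    while (pos + 12 <= len) {                 /* length(4) + type(4) + crc(4) */
        uint32_t clen = rd32be(buf + pos);
        const uint8_t *type = buf + pos + 4;
        if (clen > 0x7FFFFFFFu || clen > len - pos - 12) return -1;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (ihdr_seen) return -3;         /* CVE-2015-6818 pattern */
            if (clen != 13) return -1;        /* IHDR payload is fixed-size */
            ihdr_seen = 1;
        } else if (!ihdr_seen) {
            return -2;                        /* CVE-2014-9317 pattern */
        }
        if (memcmp(type, "IEND", 4) == 0) return 0;
        pos += 12 + clen;
    }
    return -1;
}

/* Constructed samples (placeholder CRCs; the IHDR payload describes a 1x1 8-bit gray image). */
#define IHDR  0,0,0,13, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 8,0,0,0,0, 0,0,0,0
#define IDAT0 0,0,0,0,  'I','D','A','T', 0,0,0,0
#define IEND  0,0,0,0,  'I','E','N','D', 0,0,0,0
const uint8_t PNG_OK[]         = { PNG_SIG, IHDR, IDAT0, IEND };
const uint8_t PNG_IDAT_FIRST[] = { PNG_SIG, IDAT0, IHDR, IEND };
const uint8_t PNG_TWO_IHDR[]   = { PNG_SIG, IHDR, IHDR, IDAT0, IEND };
```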

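For the CVE-2016-10190 item above, this added example (not libav's code) shows a strict parser for the chunk-size line of HTTP chunked transfer encoding that works only in unsigned values, so no negative size can ever be produced; the CHUNK_MAX cap is an assumed value, not one from the advisory.

```c
/* Added example (not libav code): a strict parser for the chunk-size line of
 * HTTP chunked transfer encoding, the input at the root of CVE-2016-10190,
 * where a negative size reached signed length arithmetic. Working only in
 * unsigned values, as the libav fix does, and accepting only hex digits means
 * no sign can ever be parsed, overflow is refused, and any chunk extension
 * after ';' is ignored. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Assumed sanity cap on one chunk (not from the advisory). */
#define CHUNK_MAX ((uint64_t)1 << 31)

/* Returns 0 and stores the size on success, -1 on any malformed input. */
int parse_chunk_size(const char *line, uint64_t *size) {
    uint64_t v = 0;
    size_t ndigits = 0;
    for (; *line; ++line, ++ndigits) {
        int c = (unsigned char)*line;
        if (c == ';' || c == '\r' || c == '\n') break;  /* extension or EOL */
        if (!isxdigit(c)) return -1;                    /* rejects '-', ' ', ... */
        if (v > (UINT64_MAX >> 4)) return -1;           /* next shift would overflow */
        v = (v << 4) | (uint64_t)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
    }
    if (ndigits == 0 || v > CHUNK_MAX) return -1;       /* empty or absurd size */
    *size = v;
    return 0;
}

/* Copy one chunk body out of a receive buffer only if it fits: an unsigned
 * compare, so a size that was "negative" as a signed int cannot slip past. */
int take_chunk(const uint8_t *buf, size_t avail, uint64_t size,
               uint8_t *out, size_t outcap) {
    if (size > avail || size > outcap) return -1;
    memcpy(out, buf, (size_t)size);
    return 0;
}

/* Test helper: the parsed size, or -1 when the line is rejected. */
int64_t chunk_size_or_neg1(const char *line) {
    uint64_t s;
    return parse_chunk_size(line, &s) == 0 ? (int64_t)s : -1;
}
```
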
For Debian 8 Jessie, these problems have been fixed in version 6:11.12-1~deb8u2.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS