[SECURITY] [DLA 1611-1] libav security update

Package : libav
Version : 6:11.12-1~deb8u2
CVE ID : CVE-2014-9317 CVE-2015-6761 CVE-2015-6818 CVE-2015-6820
CVE-2015-6821 CVE-2015-6822
CVE-2015-6825 CVE-2015-6826 CVE-2015-8216 CVE-2015-8217
CVE-2015-8363 CVE-2015-8364 CVE-2015-8661 CVE-2015-8662
CVE-2015-8663 CVE-2016-10190 CVE-2016-10191

Several security issues have been corrected in multiple demuxers and
decoders of the libav multimedia library.

CVE-2014-9317

The decode_ihdr_chunk function in libavcodec/pngdec.c allowed remote
attackers to cause a denial of service (out-of-bounds heap access)
and possibly had other unspecified impact via an IDAT before an IHDR
in a PNG file. The issue got addressed by checking IHDR/IDAT order.

CVE-2015-6761

The update_dimensions function in libavcodec/vp8.c in libav relies on
a coefficient-partition count during multi-threaded operation, which
allowed remote attackers to cause a denial of service (race condition
and memory corruption) or possibly have unspecified other impact via
a crafted WebM file. This issue has been resolved by using
num_coeff_partitions in thread/buffer setup. The variable is not a
constant and can lead to race conditions.

CVE-2015-6818

The decode_ihdr_chunk function in libavcodec/pngdec.c did not enforce
uniqueness of the IHDR (aka image header) chunk in a PNG image, which
allowed remote attackers to cause a denial of service (out-of-bounds
array access) or possibly have unspecified other impact via a crafted
image with two or more of these chunks. This has now been fixed by
only allowing one IHDR chunk. Multiple IHDR chunks are forbidden in
PNG.

CVE-2015-6820

The ff_sbr_apply function in libavcodec/aacsbr.c did not check for a
matching AAC frame syntax element before proceeding with Spectral
Band Replication calculations, which allowed remote attackers to
cause a denial of service (out-of-bounds array access) or possibly
have unspecified other impact via crafted AAC data. This has now been
fixed by checking that the element type matches before applying SBR.

CVE-2015-6821

The ff_mpv_common_init function in libavcodec/mpegvideo.c did not
properly maintain the encoding context, which allowed remote
attackers to cause a denial of service (invalid pointer access) or
possibly have unspecified other impact via crafted MPEG data. The
issue has been resolved by clearing pointers in ff_mpv_common_init().
This ensures that no stale pointers leak through on any path.

CVE-2015-6822

The destroy_buffers function in libavcodec/sanm.c did not properly
maintain height and width values in the video context, which allowed
remote attackers to cause a denial of service (segmentation violation
and application crash) or possibly have unspecified other impact via
crafted LucasArts Smush video data. The solution to this was to reset
sizes in destroy_buffers() in avcodec/sanm.c.

CVE-2015-6823

Other than stated in the debian/changelog file, this issue
has not yet been fixed for libav in Debian jessie LTS.

CVE-2015-6824

Other than stated in the debian/changelog file, this issue
has not yet been fixed for libav in Debian jessie LTS.

CVE-2015-6825

The ff_frame_thread_init function in libavcodec/pthread_frame.c
mishandled certain memory-allocation failures, which allowed remote
attackers to cause a denial of service (invalid pointer access) or
possibly have unspecified other impact via a crafted file, as
demonstrated by an AVI file. Clearing priv_data in
avcodec/pthread_frame.c has resolved this and now avoids stale
pointer in error case.

CVE-2015-6826

The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c did
not initialize certain structure members, which allowed remote
attackers to cause a denial of service (invalid pointer access) or
possibly have unspecified other impact via crafted (1) RV30 or (2)
RV40 RealVideo data. This issue got addressed by clearing pointers in
ff_rv34_decode_init_thread_copy() in avcodec/rv34.c, which avoids
leaving stale pointers.

CVE-2015-8216

The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg
omitted certain width and height checks, which allowed remote
attackers to cause a denial of service (out-of-bounds array access)
or possibly have unspecified other impact via crafted MJPEG data. The
issues have been fixed by adding a check for index to
avcodec/mjpegdec.c in ljpeg_decode_yuv_scan() before using it, which
fixes an out of array access.

CVE-2015-8217

The ff_hevc_parse_sps function in libavcodec/hevc_ps.c did not
validate the Chroma Format Indicator, which allowed remote attackers
to cause a denial of service (out-of-bounds array access) or possibly
have unspecified other impact via crafted High Efficiency Video
Coding (HEVC) data. A check of chroma_format_idc in avcodec/hevc_ps.c
has now been added to fix this out of array access.

CVE-2015-8363

The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c
did not enforce uniqueness of the SIZ marker in a JPEG 2000 image,
which allowed remote attackers to cause a denial of service
(out-of-bounds heap-memory access) or possibly have unspecified other
impact via a crafted image with two or more of these markers. In
avcodec/jpeg2000dec.c a check for duplicate SIZ marker has been added
to fix this.

CVE-2015-8364

Integer overflow in the ff_ivi_init_planes function in
libavcodec/ivi.c allowed remote attackers to cause a denial of
service (out-of-bounds heap-memory access) or possibly have
unspecified other impact via crafted image dimensions in Indeo Video
Interactive data. A check of image dimensions has been added to the
code (in avcodec/ivi.c) that fixes this integer overflow now.

CVE-2015-8661

The h264_slice_header_init function in libavcodec/h264_slice.c did
not validate the relationship between the number of threads and the
number of slices, which allowed remote attackers to cause a denial of
service (out-of-bounds array access) or possibly have unspecified
other impact via crafted H.264 data. In avcodec/h264_slice.c now
max_contexts gets limited when slice_context_count is initialized.
This avoids an out of array access.

CVE-2015-8662

The ff_dwt_decode function in libavcodec/jpeg2000dwt.c did not
validate the number of decomposition levels before proceeding with
Discrete Wavelet Transform decoding, which allowed remote attackers
to cause a denial of service (out-of-bounds array access) or possibly
have unspecified other impact via crafted JPEG 2000 data. In
avcodec/jpeg2000dwt.c a check of ndeclevels has been added before
calling dwt_decode*(). This fixes an out of array access.

CVE-2015-8663

The ff_get_buffer function in libavcodec/utils.c preserved width and
height values after a failure, which allowed remote attackers to
cause a denial of service (out-of-bounds array access) or possibly
have unspecified other impact via a crafted .mov file. Now,
dimensions get cleared in ff_get_buffer() on failure, which fixes
the cause for an out of array access.

CVE-2016-10190

A heap-based buffer overflow in libavformat/http.c allowed remote web
servers to execute arbitrary code via a negative chunk size in an
HTTP response. In libavformat/http.c the length/offset-related
variables have been made unsigned. This fix required inclusion of
two other changes ported from ffmpeg upstream Git (commits 3668701f
and 362c17e6).

CVE-2016-10191

Another heap-based buffer overflow in libavformat/rtmppkt.c allowed
remote attackers to execute arbitrary code by leveraging failure to
check for RTMP packet size mismatches. By checking for packet size
mismatched, this out of array access has been resolved.

For Debian 8 "Jessie", these problems have been fixed in version
6:11.12-1~deb8u2.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

–

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: [email protected], http://sunweavers.net

Attachment:
signature.asc
Description: PGP signature