known vulnerabilities/CVE/bugs in ffmpeg library 3.3.2 as used in Avidemux 2.7.0

Started by jetpilot, April 05, 2018, 12:00:10 PM


jetpilot

i got this hint on issues with avidemux:

"version 2.7.0 (based on FFMPEG version 3.3.2) is affected by CVE-2017-11719 and CVE-2017-11399"

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11719 = out of bounds access might crash application (or might even allow execution of unwanted codes)
https://www.securityfocus.com/bid/100020
first non-vulnerable versions:
* for ffmpeg 3.2 series: 3.2.7
* for ffmpeg 3.3 series: 3.3.3

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11399 = out of bounds access might crash application (or might even allow execution of unwanted codes)
https://www.securityfocus.com/bid/100019
first non-vulnerable versions:
* for ffmpeg 3.2 series: 3.2.7
* for ffmpeg 3.3 series: 3.3.3


latest official release of ffmpeg is 3.4 ("Cantor"). https://www.ffmpeg.org/

for the debian platform an assumed to be simple patch was applied and then got released in an updated version of the ffmpeg package:
"For the stable distribution (stretch), these problems have been fixed in version 7:3.2.7-1~deb9u1."
https://www.debian.org/security/2017/dsa-3957

Any further hints on fixes and re-releases of ffmpeg for all other avidemux platforms (including windows)?
Any hints on fixes and re-releases of avidemux?

jetpilot

as i found out, "mean" has probably already integrated ffmpeg 3.4 in his personal GIT tree "avidemux2"
and previously (as some intermediate step) already had integrated 3.3.3 - so it might have worked out for him nicely.

so if nothing else is critical on the code base right now, using a nightly snapshot might address the item.

of course this could be a reason for triggering the build of a new release candidate or even a new release.
you should not continue offering only an official release that has known security issues built in - just my 2 euro cent.

eumagga0x2a

Nightlies integrate ffmpeg 3.3.6. The next release, which might happen pretty soon, will be based most likely on 3.3.6. The plan is to skip 3.4 and go for 4.0 once it becomes final.

Debian ffmpeg patches are completely irrelevant for Avidemux as it uses its own bundled patched ffmpeg (it requires access to some private interfaces).

eumagga0x2a

At first glance, Avidemux doesn't use the ffmpeg code which is affected by the monkey audio and DNxHD vulnerabilities because it does not support these formats.

jetpilot

thanks for checking the details and the provided information update.
i am getting a good feeling now.

...looking forward to what comes next as a release...

PS: debian minor patch-releases are only hints on what can be done in just a few lines of code for improving and fixing an issue.
it was meant as a reference, where to look if a fix is applied to a local copy of the vulnerable version of ffmpeg.
you might have meant that line for others just reading here. so do i. :-)
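
The thread's two checks combined into one triage script, as an added example that is not part of the original posts or of Avidemux: it compares a bundled ffmpeg version against the first fixed releases quoted above and reads decoder switches from a config.h. It assumes the bundled tree keeps ffmpeg's generated config.h with CONFIG_<NAME>_DECODER macros; the sample config is constructed, and the function names are hypothetical.

```python
import re

# First non-vulnerable release per series, as quoted in the thread.
FIRST_FIXED = {(3, 2): (3, 2, 7), (3, 3): (3, 3, 3)}

# Decoder holding each bug; macro names follow ffmpeg's CONFIG_<NAME>_DECODER
# convention (assumption: the bundled tree still has its generated config.h).
CVE_DECODER = {
    "CVE-2017-11399": "CONFIG_APE_DECODER",    # Monkey's Audio
    "CVE-2017-11719": "CONFIG_DNXHD_DECODER",  # DNxHD
}

# Constructed sample, not taken from any real Avidemux build.
SAMPLE_CONFIG = """\
#define CONFIG_AAC_DECODER 1
#define CONFIG_APE_DECODER 0
#define CONFIG_DNXHD_DECODER 1
"""

def parse_version(text):
    """Return (major, minor, patch) from the first dotted version in text."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def parse_flags(config_text):
    """Map CONFIG_* macro names to 0/1 from '#define NAME 0|1' lines."""
    pairs = re.findall(r"^\s*#\s*define\s+(CONFIG_\w+)\s+([01])\s*$",
                       config_text, re.M)
    return {name: int(value) for name, value in pairs}

def triage(version_text, config_text):
    """Per CVE: 'fixed', 'decoder-disabled', 'exposed' or 'unknown'."""
    version = parse_version(version_text)
    fixed = FIRST_FIXED.get(version[:2])   # None: series not covered by the thread
    flags = parse_flags(config_text)
    result = {}
    for cve, macro in CVE_DECODER.items():
        enabled = flags.get(macro)         # None: macro absent from config.h
        if fixed is not None and version >= fixed:
            result[cve] = "fixed"
        elif enabled == 0:
            result[cve] = "decoder-disabled"
        elif fixed is not None and enabled == 1:
            result[cve] = "exposed"
        else:
            result[cve] = "unknown"
    return result

if __name__ == "__main__":
    for v in ("3.3.2", "3.3.6", "3.4"):
        print(v, triage(v, SAMPLE_CONFIG))
```

A series the thread gives no fixed version for (such as 3.4) is reported as "unknown" rather than guessed, unless the decoder is switched off in the build.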