Bug#550442: ffmpeg: deluge of crashes due to missing input sanitization

Reinhard Tartler siretart at tauware.de
Thu Oct 15 11:03:39 UTC 2009

Hello Security Teams,

Michael Gilbert reported in debian bug #550442 that ffmpeg in debian and
ubuntu contained "a deluge of crashes". I have backported a bunch of
fixes from ffmpeg trunk, which now need review, validation and
eventually publishing.

Affected are all distros that ship ffmpeg 0.5, this includes

 - lenny
 - squeeze
 - sid
 - jaunty
 - karmic

Earlier versions of ffmpeg might be affected as well.

Michael Gilbert <michael.s.gilbert at gmail.com> writes:

> On Tue, 13 Oct 2009 19:23:26 +0200, Reinhard Tartler wrote:
>> As for this bug, I'm inclined to close this bug with the upload of
>> [2]. The reason is that this report is way too imprecise. This report
>> currently reads "the package has been found crashers that might
>> compromise the system". Sorry, this is just not helpful. We'd really
>> need at least a list of concrete issues, ideally with reference to the
>> relevant svn commits (so that commit messages can be reviewed) that can
>> be processed and backported.
> in an ideal world every security issue would come with a complete
> prescription and regiment to make it all better.  however, we do not
> live in such a place.  the best we can do is track the issue at hand,
> follow work being done elsewhere, and potentially spend our own
> precious time testing and writing fixes.  obviously this is a lot of
> work, but it is the price we pay since there are nefarious people
> about.
> i would recommend working with the security team to request cve's on
> oss-sec for specific issues once they are well-defined, and address each
> of them in turn; while keeping this bug open to track the meta-issue
> (potentially downgrading to important as to not impede transitions).
> note that any of these crashers that show signs of memory corruption
> are very much cause for concern (see recent pdf jbig2 decoder issues).
> the others can probably be safely discarded.  by "may enable remote
> compromise," i mean via user-assisted (social engineered) attack
> vectors (i.e. downloading and viewing a malicious video file).  this
> is a very legitimate concern since most users are very trusting of
> untrustworthy data.

I've worked on the packaging branch for karmic. The relevant backports
that I produced so far can be found here:


Most of these patches have been proposed by the chromium developers,
who collect patches for upstream here:


Most of the patches got further polishing by upstream before being
applied. In many cases, the chromium developers rather fixed
symptoms, whereas upstream prefers real fixes. Anyway, I went through the list
of chromium patches and managed to locate most of them in ffmpeg trunk.

Patches that I couldn't find upstream include:


They probably need further investigation.

Michael, could you please check if and what patches I might have missed?

I'd like to ask you (both security teams) to review my patches so far
and to decide whether, and to which security queues, they should be uploaded.

Reinhard Tartler, KeyID 945348A4