[OE-core] [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches

Paul Eggleton paul.eggleton at linux.intel.com
Mon May 19 09:58:00 UTC 2014


On Monday 19 May 2014 09:32:57 Rongqing Li wrote:
> On 05/16/2014 07:09 PM, Paul Eggleton wrote:
> > Hi Roy,
> > 
> > On Friday 16 May 2014 10:12:08 rongqing.li at windriver.com wrote:
> >> From: Roy Li <rongqing.li at windriver.com>
> >> 
> >> Diff with V1: use ffmpeg as prefix of commit header
> >> 
> >> The following changes since commit e273301efa0037a13c3a60b4414140364d9c9873:
> >>    gstreamer/lame: Better gcc 4.9 fix (2014-05-15 23:27:41 +0100)
> >> 
> >> are available in the git repository at:
> >>    git://git.pokylinux.org/poky-contrib roy/ffmpeg-2
> >>    http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-2
> >> 
> >> Yue Tao (12):
> >>    ffmpeg: fix for Security Advisory CVE-2014-2263
> >>    ffmpeg: fix for Security Advisory CVE-2013-0865
> >>    ffmpeg: fix for Security Advisory CVE-2014-2099
> >>    ffmpeg: fix for Security Advisory CVE-2013-0868
> >>    ffmpeg: fix for Security Advisory CVE-2013-0845
> >>    ffmpeg: fix for Security Advisory CVE-2013-0852
> >>    ffmpeg: fix for Security Advisory CVE-2013-0858
> >>    ffmpeg: fix for Security Advisory CVE-2013-0851
> >>    ffmpeg: fix for Security Advisory CVE-2013-0854
> >>    ffmpeg: fix for Security Advisory CVE-2013-0856
> >>    ffmpeg: fix for Security Advisory CVE-2013-0850
> >>    ffmpeg: fix for Security Advisory CVE-2013-0849
> > 
> > This should really be "gst-ffmpeg:" rather than just "ffmpeg:" since
> > that's the recipe being modified.
> 
> OK, I'll update it
> 
> =====================
> The following changes since commit e273301efa0037a13c3a60b4414140364d9c9873:
> 
>    gstreamer/lame: Better gcc 4.9 fix (2014-05-15 23:27:41 +0100)
> 
> are available in the git repository at:
> 
>    git://git.pokylinux.org/poky-contrib roy/ffmpeg-2
>    http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-2
> 
> Yue Tao (12):
>    gst-ffmpeg: fix for Security Advisory CVE-2014-2263
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0865
>    gst-ffmpeg: fix for Security Advisory CVE-2014-2099
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0868
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0845
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0852
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0858
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0851
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0854
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0856
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0850
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0849
> 
>   .../0001-alac-fix-nb_samples-order-case.patch      |   30 +++++++
>   .../0001-alsdec-check-block-length.patch           |   61 ++++++++++++++
>   ...ac3dec-Check-coding-mode-against-channels.patch |   37 +++++++++
>   ...le-use-av_image_get_linesize-to-calculate.patch |   50 +++++++++++
>   ...egtsenc-Check-data-array-size-in-mpegts_w.patch |   69 ++++++++++++++++
>   .../0001-eamad-fix-out-of-array-accesses.patch     |   29 +++++++
>   ...t-ref-count-check-and-limit-fix-out-of-ar.patch |   29 +++++++
>   ...01-huffyuvdec-Check-init_vlc-return-codes.patch |   87 ++++++++++++++++++++
>   .../0001-huffyuvdec-Skip-len-0-cases.patch         |   59 +++++++++++++
>   .../0001-mjpegdec-check-SE.patch                   |   32 +++++++
>   ...heck-RLE-size-before-copying.-Fix-out-of-.patch |   34 ++++++++
>   ...001-roqvideodec-check-dimensions-validity.patch |   36 ++++++++
>   ...o-check-chunk-sizes-before-reading-chunks.patch |   51 ++++++++++++
>   .../gstreamer/gst-ffmpeg_0.10.13.bb                |   13 +++
>   14 files changed, 617 insertions(+)
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch
> 
> > Also, I'm not sure if you got my message yesterday (since there was a problem
> > with the email transmission) however I'll repeat it here just in case:
> >> Note that whilst we should apply these patches, they won't actually have
> >> any effect on unmodified builds because we do not use gst-ffmpeg's
> >> internal copy of ffmpeg, we use libav instead. So if any of these fixes
> >> apply to libav (or if there are equivalent fixes) we will need to apply
> >> them to libav.
> > 
> > Would you be able to take care of the corresponding patches to libav?
> 
> I did not see the CVE patches on libav

If they are applicable to the built-in copy of ffmpeg, at least some of them 
should be applicable to libav.

Actually I've noticed we're a couple of releases behind on libav 0.8 upgrades 
(libav 0.8 is the version we are using with gst-ffmpeg), and we also need to do 
a libav 9 upgrade. I will take care of at least doing the upgrades, but we 
should double-check that these fixes are either not applicable or already 
applied after that is done.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre
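
Added example, not part of the thread or of OpenEmbedded: one way to triage whether a backported fix is already applied, still applicable, or needs manual review in a fork such as libav. It assumes matching on hunk content rather than line numbers is acceptable because a fork's offsets may differ; the path `libavcodec/demo.c`, the function `copy` and all sample text are constructed.

```python
import re

HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def norm(line):  # collapse whitespace so re-indented fork code still matches
    return " ".join(line.split())

def parse_hunks(patch_text):  # -> [(path, old_lines, new_lines)] per hunk
    hunks, path, old, new, owed = [], None, [], [], (0, 0)
    for line in patch_text.splitlines():
        if len(old) < owed[0] or len(new) < owed[1]:  # still inside a hunk body
            if line[:1] in (" ", "", "-"):
                old.append(norm(line[1:]))
            if line[:1] in (" ", "", "+"):
                new.append(norm(line[1:]))
        elif line.startswith("+++ "):
            path = re.sub(r"^b/", "", line[4:].split("\t")[0])
        elif HUNK.match(line):
            owed = tuple(int(n or 1) for n in HUNK.match(line).groups())
            old, new = [], []
            hunks.append((path, old, new))
    return hunks

def contains(body, needle):  # needle lines occur contiguously in body
    return bool(needle) and any(body[k:k + len(needle)] == needle for k in range(len(body)))

def classify(patch_text, tree):  # tree maps path -> file text
    states = set()
    for path, old, new in parse_hunks(patch_text):
        body = [norm(l) for l in tree.get(path, "").splitlines()]
        states.add("applied" if contains(body, new) else
                   "applicable" if contains(body, old) else "needs-review")
    return states.pop() if len(states) == 1 else "needs-review"

# Constructed sample (not real ffmpeg/libav code): one fix and three fork states.
PATCH = """\
--- a/libavcodec/demo.c
+++ b/libavcodec/demo.c
@@ -2,2 +2,4 @@
 {
+    if (len < 0 || len > cap)
+        return -1;
     memcpy(d, s, len);
"""
UNPATCHED = "int copy(char *d, int cap, const char *s, int len)\n{\n\tmemcpy(d, s, len);\n\treturn len;\n}\n"
FIXED = UNPATCHED.replace("{\n", "{\n\tif (len < 0 || len > cap)\n\t\treturn -1;\n")
TREES = {"unpatched": UNPATCHED, "fixed": FIXED, "diverged": "/* rewritten */\n"}

if __name__ == "__main__":
    print({k: classify(PATCH, {"libavcodec/demo.c": v}) for k, v in TREES.items()})
```

A `needs-review` result means only that neither side of the hunk matched; the fix may still be needed in a different form.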


