Bug 1013691

Summary: VUL-0: libav: various issues december 5th 2016
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Martin Pluskal <mpluskal>
Status: RESOLVED WONTFIX QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: matthias.gerstner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2016-12-05 15:35:09 UTC
http://seclists.org/oss-sec/2016/q4/582



    https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer


    libav-11.8/libavcodec/mpegvideo.c:2381:65: runtime 
    error: left shift of negative value -1

    libav-11.8/libavcodec/mpegvideo.c:2382:65: runtime 
    error: left shift of negative value -1

    libav-11.8/libavcodec/mpegvideo.c:2383:65: runtime 
    error: left shift of negative value -1

    Testcase:
    https://github.com/asarubbo/poc/blob/master/00036-libav-leftshift-mpegvideo


Use CVE-2016-9819.


    libav-11.8/libavcodec/mpegvideo_motion.c:323:47: runtime 
    error: left shift of negative value -1

    libav-11.8/libavcodec/mpegvideo_motion.c:331:55: runtime 
    error: left shift of negative value -1

    libav-11.8/libavcodec/mpegvideo_motion.c:336:55: runtime 
    error: left shift of negative value -1

    Testcase:
    https://github.com/asarubbo/poc/blob/master/00036-libav-leftshift-mpegvideo


Use CVE-2016-9820.


    libav-11.8/libavcodec/mpegvideo_parser.c:91:65: runtime 
    error: signed integer overflow: 28573696 * 400 cannot be represented in type 
    'int'
    Testcase:
    https://github.com/asarubbo/poc/blob/master/00037-libav-signedintoverflow-mpegvideo_parser


Use CVE-2016-9821.


    libav-11.8/libavcodec/mpeg12dec.c:1401:41: runtime 
    error: signed integer overflow: 28573696 * 400 cannot be represented in type 
    'int'
    Testcase:
    https://github.com/asarubbo/poc/blob/master/00037-libav-signedintoverflow-mpegvideo_parser


Use CVE-2016-9822.


    libav-11.8/libavcodec/x86/mpegvideo.c:53:18: runtime 
    error: index -1 out of bounds for type 'uint8_t [64]'
    Testcase:
    https://github.com/asarubbo/poc/blob/master/00038-libav-uint8_t64-outofbounds-mpegvideo


Use CVE-2016-9823.


    libav-11.8/libswscale/x86/swscale.c:189:64: runtime 
    error: signed integer overflow: 65463 * 65537 cannot be represented in type 
    'int'
    Testcase:
    https://github.com/asarubbo/poc/blob/master/00039-libav-signedintoverflow-swscale_c


Use CVE-2016-9824.


    libav-11.8/libswscale/utils.c:340:30: 
    runtime error: left shift of negative value -1
    Testcase:
    https://github.com/asarubbo/poc/blob/master/00040-libav-leftshift-utils_c


Use CVE-2016-9825.


    libav-11.8/libavcodec/ituh263dec.c:645:34: runtime 
    error: left shift of negative value -16
    Testcase:
    https://github.com/asarubbo/poc/blob/master/00041-libav-leftshift-ituh263dec_c


Use CVE-2016-9826.
Comment 1 Swamp Workflow Management 2016-12-05 23:03:21 UTC
bugbot adjusting priority
Comment 2 Martin Pluskal 2017-05-31 13:37:05 UTC
42.1 is out of support and libav was dropped from later releases