Bug 1013691 - VUL-0: libav: various issues december 5th 2016
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Martin Pluskal
Reported: 2016-12-05 15:35 UTC by Marcus Meissner
Modified: 2017-05-31 13:37 UTC
Description Marcus Meissner 2016-12-05 15:35:09 UTC
http://seclists.org/oss-sec/2016/q4/582



    https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer


    libav-11.8/libavcodec/mpegvideo.c:2381:65: runtime error: left shift of negative value -1

    libav-11.8/libavcodec/mpegvideo.c:2382:65: runtime error: left shift of negative value -1

    libav-11.8/libavcodec/mpegvideo.c:2383:65: runtime error: left shift of negative value -1

    Testcase:
    https://github.com/asarubbo/poc/blob/master/00036-libav-leftshift-mpegvideo


Use CVE-2016-9819.


    libav-11.8/libavcodec/mpegvideo_motion.c:323:47: runtime error: left shift of negative value -1

    libav-11.8/libavcodec/mpegvideo_motion.c:331:55: runtime error: left shift of negative value -1

    libav-11.8/libavcodec/mpegvideo_motion.c:336:55: runtime error: left shift of negative value -1

    Testcase:
    https://github.com/asarubbo/poc/blob/master/00036-libav-leftshift-mpegvideo


Use CVE-2016-9820.


    libav-11.8/libavcodec/mpegvideo_parser.c:91:65: runtime error: signed integer overflow: 28573696 * 400 cannot be represented in type 'int'
    Testcase:
    https://github.com/asarubbo/poc/blob/master/00037-libav-signedintoverflow-mpegvideo_parser


Use CVE-2016-9821.


    libav-11.8/libavcodec/mpeg12dec.c:1401:41: runtime error: signed integer overflow: 28573696 * 400 cannot be represented in type 'int'
    Testcase:
    https://github.com/asarubbo/poc/blob/master/00037-libav-signedintoverflow-mpegvideo_parser


Use CVE-2016-9822.


    libav-11.8/libavcodec/x86/mpegvideo.c:53:18: runtime error: index -1 out of bounds for type 'uint8_t [64]'
    Testcase:
    https://github.com/asarubbo/poc/blob/master/00038-libav-uint8_t64-outofbounds-mpegvideo


Use CVE-2016-9823.


    libav-11.8/libswscale/x86/swscale.c:189:64: runtime error: signed integer overflow: 65463 * 65537 cannot be represented in type 'int'
    Testcase:
    https://github.com/asarubbo/poc/blob/master/00039-libav-signedintoverflow-swscale_c


Use CVE-2016-9824.


    libav-11.8/libswscale/utils.c:340:30: runtime error: left shift of negative value -1
    Testcase:
    https://github.com/asarubbo/poc/blob/master/00040-libav-leftshift-utils_c


Use CVE-2016-9825.


    libav-11.8/libavcodec/ituh263dec.c:645:34: runtime error: left shift of negative value -16
    Testcase:
    https://github.com/asarubbo/poc/blob/master/00041-libav-leftshift-ituh263dec_c


Use CVE-2016-9826.
Comment 1 Swamp Workflow Management 2016-12-05 23:03:21 UTC
bugbot adjusting priority
Comment 2 Martin Pluskal 2017-05-31 13:37:05 UTC
42.1 is out of support and libav was dropped from later releases