ContinuumIO / anaconda-issues

Anaconda issue tracking

request fix for ffmpeg 4.0 CVE-2019-17542 #11464

Open hartb opened 4 years ago

hartb commented 4 years ago

The Anaconda distribution currently includes ffmpeg v4.0, with support for the VQA decoder enabled:

(ffmpeg) $ conda search ffmpeg
Loading channels: done
# Name                       Version           Build  Channel
ffmpeg                           3.4      h7985aa0_0  pkgs/main
ffmpeg                           4.0      h04d0a96_0  pkgs/main
ffmpeg                           4.0      hcdf2ecd_0  pkgs/main

(ffmpeg) $ conda list ffmpeg
# packages in environment at /opt/anaconda3/envs/ffmpeg:
#
# Name                    Version                   Build  Channel
ffmpeg                    4.0                  hcdf2ecd_0

(ffmpeg) $ ffmpeg -codecs
ffmpeg version 4.0 Copyright (c) 2000-2018 the FFmpeg developers
  built with gcc 7.2.0 (crosstool-NG 4127998)
  configuration: --prefix=/opt/anaconda3/envs/ffmpeg --cc=/opt/conda/conda-bld/ffmpeg_1531089424151/_build_env/bin/powerpc64le-conda_cos7-linux-gnu-cc --disable-doc --enable-shared --enable-static --enable-zlib --enable-pic --enable-gpl --enable-version3 --disable-nonfree --enable-hardcoded-tables --enable-avresample --enable-libfreetype --disable-openssl --disable-gnutls --enable-libvpx --enable-pthreads --enable-libopus --enable-postproc --disable-libx264
  libavutil      56. 14.100 / 56. 14.100
  libavcodec     58. 18.100 / 58. 18.100
[...]
Codecs:
 D..... = Decoding supported
 .E.... = Encoding supported
 ..V... = Video codec
 ..A... = Audio codec
 ..S... = Subtitle codec
 ...I.. = Intra frame-only codec
 ....L. = Lossy compression
 .....S = Lossless compression
 -------
[...]
 D.V.L. ws_vqa               Westwood Studios VQA (Vector Quantized Animation) video (decoders: vqavideo )
[...]

The VQA decoder in ffmpeg 4.0 is the subject of a recent security disclosure:

https://nvd.nist.gov/vuln/detail/CVE-2019-17542

The exposure is fixed upstream in ffmpeg 4.2 by this change:

https://github.com/FFmpeg/FFmpeg/commit/02f909dc24b1f05cfbba75077c7707b905e63cd2

conda-forge is currently building ffmpeg 4.2:

https://github.com/conda-forge/ffmpeg-feedstock

Can you please update Anaconda's ffmpeg package to close this exposure? Possible solutions from least to most disruptive are probably:

Anaconda or Miniconda version:

2019.07

Operating System:

Any x86 or ppc64le linux

conda info

Any conda version

conda list --show-channel-urls

See above; ffmpeg package comes from main

hartb commented 4 years ago

The existing ffmpeg 4.0 package is also exposed to a second CVE:

https://nvd.nist.gov/vuln/detail/CVE-2019-17539

Which is also fixed upstream in ffmpeg 4.2, but by a different commit / patch:

https://github.com/FFmpeg/FFmpeg/commit/8df6884832ec413cf032dfaa45c23b1c7876670c

That patch does not cherry-pick cleanly to 4.0 unless this commit is picked/applied first:

https://github.com/FFmpeg/FFmpeg/commit/b1febda061955c6f4bfbc1a75918b5e75e7d7f80

So a combined backport fix (for CVEs CVE-2019-17542 and CVE-2019-17539) might require 3 patches.

Building without VQA support will not address this second CVE.
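
The exposure rules stated in the two comments above can be turned into a check over `ffmpeg -codecs` output. This is an added example, not part of the issue thread or of any Anaconda or FFmpeg code; the function names `audit_ffmpeg` and `sample_codecs` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ffmpeg -codecs 2>&1` on stdin.
# Rules taken from the comments above: both CVEs are fixed upstream in 4.2;
# CVE-2019-17542 is in the VQA decoder; building without VQA does not
# address CVE-2019-17539. A backported patch is invisible to this check.
audit_ffmpeg() {
  awk '
    # Banner: "ffmpeg version 4.0 Copyright (c) ..."; keep the first one seen.
    /^ffmpeg version / && ver == "" { ver = $3; sub(/^n/, "", ver) }
    # Codec row: "<flags> <name> <description>"; a leading D means it decodes.
    $2 == "ws_vqa" && $1 ~ /^D/ { vqa = 1 }
    END {
      if (ver !~ /^[0-9]+\.[0-9]+/) {
        print "error: no release-style ffmpeg version in input"; exit 2
      }
      split(ver, p, /[^0-9]+/)
      fixed = (p[1] + 0 > 4 || (p[1] + 0 == 4 && p[2] + 0 >= 2))
      printf "version=%s vqa_decoder=%s\n", ver, (vqa ? "enabled" : "absent")
      if (fixed) {
        print "CVE-2019-17542: fixed-in-release"
        print "CVE-2019-17539: fixed-in-release"
        exit 0
      }
      print "CVE-2019-17542: " (vqa ? "exposed" : "decoder-not-built")
      print "CVE-2019-17539: exposed"
      exit 1
    }'
}

# Sample input trimmed from the output quoted in the first comment.
sample_codecs() {
  cat <<'EOF'
ffmpeg version 4.0 Copyright (c) 2000-2018 the FFmpeg developers
  built with gcc 7.2.0 (crosstool-NG 4127998)
Codecs:
 D..... = Decoding supported
 ..V... = Video codec
 -------
 D.V.L. ws_vqa               Westwood Studios VQA (Vector Quantized Animation) video (decoders: vqavideo )
EOF
}

sample_codecs | audit_ffmpeg || true   # exit status 1 means "exposed"
```

Against a real environment, run `ffmpeg -codecs 2>&1 | audit_ffmpeg`; the `2>&1` is needed because ffmpeg prints its version banner on stderr.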

jayfurmanek commented 4 years ago

It looks like forge has their recipe at 4.2 now. It might be an easy enough update. https://github.com/conda-forge/ffmpeg-feedstock

hartb commented 4 years ago

[Comment was incorrect / likely to confuse; removing. Will post corrected version soon.]

hartb commented 4 years ago

I see that ffmpeg 4.2 is available from Anaconda now. Thank you!

The ffmpeg 4.2 source tarball being used for the build seems to correspond to the n4.2 tag, and does include fixes for the two vulnerabilities mentioned above:

However, we've become aware of a third ffmpeg vulnerability which is not fixed in the base 4.2 release:

$ git log --oneline --graph --decorate origin/release/4.2
* 192d1d34eb (tag: n4.2.2, origin/release/4.2) Update for FFmpeg 4.2.2
...
* 1529dfb73a (tag: n4.2.1) Update for 4.2.1
...
* c1dc4d2d50 avcodec/h2645_parse: zero initialize the rbsp buffer
...
* 75384bc464 (tag: n4.2) configure: cuda_llvm: fix include path for MSYS2
...
* 06688a8cc5 avcodec/vqavideo: Set video size
...
* 8df6884832 avcodec/utils: Check close before calling it

The 15942-fixing commit (c1dc4d2d50) picks cleanly back to n4.2, so would be easy to add as a patch in the recipe. Or moving forward to the n4.2.1 tag would also pull in the fix (and ffmpeg does publish a source tarball for that at https://ffmpeg.org/releases/ffmpeg-4.2.1.tar.gz).