openSUSE Security Update: Security update for ffmpeg
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:2120-1
Rating:             moderate
References:         #955346 #955347 #955348 #955350
Cross-References:   CVE-2015-8216 CVE-2015-8217 CVE-2015-8218 CVE-2015-8219
Affected Products:  openSUSE Leap 42.1
______________________________________________________________________________
An update that fixes four vulnerabilities is now available.
Description:
The ffmpeg package was updated to version 2.8.2 to fix the following security and non-security issues:
- CVE-2015-8216: Fixed the ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c which could cause a denial of service (out-of-bounds array access) (bnc#955346).
- CVE-2015-8217: Fixed the ff_hevc_parse_sps function in libavcodec/hevc_ps.c which could cause a denial of service (out-of-bounds array access) (bnc#955347).
- CVE-2015-8218: Fixed the decode_uncompressed function in libavcodec/faxcompr.c which could cause a denial of service (out-of-bounds array access) (bnc#955348).
- CVE-2015-8219: Fixed the init_tile function in libavcodec/jpeg2000dec.c which could cause a denial of service (out-of-bounds array access) (bnc#955350).
- Update to new upstream release 2.8.2
  * various fixes in the aac_fixed decoder
  * various fixes in softfloat
  * swresample/resample: increase precision for compensation
  * lavf/mov: add support for sidx fragment indexes
  * avformat/mxfenc: Only store user comment related tags when needed
  * ffmpeg: Don't try and write sdp info if none of the outputs had an rtp format.
  * apng: use correct size for output buffer
  * jvdec: avoid unsigned overflow in comparison
  * avcodec/jpeg2000dec: Clip all tile coordinates
  * avcodec/microdvddec: Check for string end in 'P' case
  * avcodec/dirac_parser: Fix undefined memcpy() use
  * avformat/xmv: Discard remainder of packet on error
  * avformat/xmv: factor return check out of if/else
  * avcodec/mpeg12dec: Do not call show_bits() with invalid bits
  * avcodec/faxcompr: Add missing runs check in decode_uncompressed()
  * libavutil/channel_layout: Check strtol*() for failure
  * avformat/mpegts: Only start probing data streams within probe_packets
  * avcodec/hevc_ps: Check chroma_format_idc
  * avcodec/ffv1dec: Check for 0 quant tables
  * avcodec/mjpegdec: Reinitialize IDCT on BPP changes
  * avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it
  * avcodec/h264_slice: Disable slice threads if there are multiple access units in a packet
  * avformat/hls: update cookies on setcookie response
  * opusdec: Don't run vector_fmul_scalar on zero length arrays
  * avcodec/opusdec: Fix extra samples read index
  * avcodec/ffv1: Initialize vlc_state on allocation
  * avcodec/ffv1dec: update progress in case of broken pointer chains
  * avcodec/ffv1dec: Clear slice coordinates if they are invalid or slice header decoding fails for other reasons
  * rtsp: Allow $ as interleaved packet indicator before a complete response header
  * videodsp: don't overread edges in vfix3 emu_edge.
  * avformat/mp3dec: improve junk skipping heuristic
  * concatdec: fix file_start_time calculation regression
  * avcodec: loongson optimize h264dsp idct and loop filter with mmi
  * avcodec/jpeg2000dec: Clear properties in jpeg2000_dec_cleanup() too
  * avformat/hls: add support for EXT-X-MAP
  * avformat/hls: fix segment selection regression on track changes of live streams
  * configure: Require libkvazaar < 0.7.
  * avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup
- Drop ffmpeg-mov-sidx-fragment.patch, fixed upstream.
- Update to new upstream release 2.8.1
  * Minor bugfix release
  * Includes all changes from Ffmpeg-mt, libav master of 2015-08-28, libav 11 as of 2015-08-28
- Add ffmpeg-mov-sidx-fragment.patch to add sidx fragment indexes. Needed for new mpv release.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE Leap 42.1:

    zypper in -t patch openSUSE-2015-821=1
To bring your system up-to-date, use "zypper patch".
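To confirm that the update landed, the following added example (not part of the SUSE advisory) flags packages whose version-release is older than the fixed build 2.8.2-3.1 named in the package list. The function names and the sample lines are constructed for illustration, and version ordering uses GNU `sort -V` as an approximation of rpm's own comparison.

```shell
#!/bin/sh
# Added example: list ffmpeg-family packages older than the fixed build.
FIXED="2.8.2-3.1"   # version-release taken from the advisory's package list

# ver_lt A B: true when A sorts strictly before B. Uses GNU sort -V, an
# approximation of rpm's version ordering (assumption; adequate for these).
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_packages: reads "name version-release" lines on stdin, prints each
# package still below $FIXED, and returns 1 if any were found.
check_packages() {
    rc=0
    while read -r name vr; do
        [ -n "$name" ] || continue
        if ver_lt "$vr" "$FIXED"; then
            echo "$name"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample in the shape produced on a real host by:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'ffmpeg*' 'libavcodec*' \
#       'libavformat*' 'libavutil*'   (and so on for the other listed libraries)
SAMPLE='ffmpeg 2.8.1-1.2
libavcodec56 2.8.2-3.1
libavformat56 2.8.2-2.1
libswscale3 2.8.10-1.1'

printf '%s\n' "$SAMPLE" | check_packages || echo "packages above still need the update"
```

On a patched system, piping the real `rpm -qa` output into `check_packages` prints nothing and returns 0.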
Package List:
- openSUSE Leap 42.1 (i586 x86_64):

    ffmpeg-2.8.2-3.1
    ffmpeg-debuginfo-2.8.2-3.1
    ffmpeg-debugsource-2.8.2-3.1
    ffmpeg-devel-2.8.2-3.1
    libavcodec-devel-2.8.2-3.1
    libavcodec56-2.8.2-3.1
    libavcodec56-debuginfo-2.8.2-3.1
    libavdevice-devel-2.8.2-3.1
    libavdevice56-2.8.2-3.1
    libavdevice56-debuginfo-2.8.2-3.1
    libavfilter-devel-2.8.2-3.1
    libavfilter5-2.8.2-3.1
    libavfilter5-debuginfo-2.8.2-3.1
    libavformat-devel-2.8.2-3.1
    libavformat56-2.8.2-3.1
    libavformat56-debuginfo-2.8.2-3.1
    libavresample-devel-2.8.2-3.1
    libavresample2-2.8.2-3.1
    libavresample2-debuginfo-2.8.2-3.1
    libavutil-devel-2.8.2-3.1
    libavutil54-2.8.2-3.1
    libavutil54-debuginfo-2.8.2-3.1
    libpostproc-devel-2.8.2-3.1
    libpostproc53-2.8.2-3.1
    libpostproc53-debuginfo-2.8.2-3.1
    libswresample-devel-2.8.2-3.1
    libswresample1-2.8.2-3.1
    libswresample1-debuginfo-2.8.2-3.1
    libswscale-devel-2.8.2-3.1
    libswscale3-2.8.2-3.1
    libswscale3-debuginfo-2.8.2-3.1

- openSUSE Leap 42.1 (x86_64):

    libavcodec56-32bit-2.8.2-3.1
    libavcodec56-debuginfo-32bit-2.8.2-3.1
    libavdevice56-32bit-2.8.2-3.1
    libavdevice56-debuginfo-32bit-2.8.2-3.1
    libavfilter5-32bit-2.8.2-3.1
    libavfilter5-debuginfo-32bit-2.8.2-3.1
    libavformat56-32bit-2.8.2-3.1
    libavformat56-debuginfo-32bit-2.8.2-3.1
    libavresample2-32bit-2.8.2-3.1
    libavresample2-debuginfo-32bit-2.8.2-3.1
    libavutil54-32bit-2.8.2-3.1
    libavutil54-debuginfo-32bit-2.8.2-3.1
    libpostproc53-32bit-2.8.2-3.1
    libpostproc53-debuginfo-32bit-2.8.2-3.1
    libswresample1-32bit-2.8.2-3.1
    libswresample1-debuginfo-32bit-2.8.2-3.1
    libswscale3-32bit-2.8.2-3.1
    libswscale3-debuginfo-32bit-2.8.2-3.1
References:
https://www.suse.com/security/cve/CVE-2015-8216.html
https://www.suse.com/security/cve/CVE-2015-8217.html
https://www.suse.com/security/cve/CVE-2015-8218.html
https://www.suse.com/security/cve/CVE-2015-8219.html
https://bugzilla.suse.com/955346
https://bugzilla.suse.com/955347
https://bugzilla.suse.com/955348
https://bugzilla.suse.com/955350