Bug 1022920 - (CVE-2016-10190) VUL-0: CVE-2016-10190: ffmpeg: remote exploitation results in code execution [ 1 - libavformat/http.c ]
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
Other openSUSE 42.2
: P3 - Medium : Normal
: unspecified
Assigned To: Dave Plater
Security Team bot
Reported: 2017-02-01 00:04 UTC by Mikhail Kasimov
Modified: 2021-09-11 02:35 UTC (History)
Description Mikhail Kasimov 2017-02-01 00:04:57 UTC
Ref: http://seclists.org/oss-sec/2017/q1/245
===================================================
This letter is a result of research made by Emil Lerner <neex.emil () gmail com> and 
Pavel Cheremushkin <paulcher () seclab cs msu su> and it is supposed to disclose 
multiple issues we managed to find and exploit in FFmpeg software. Despite that all vulnerabilities have been 
successfully patched by FFmpeg developers this letter is supposed to clarify all these issues and show that they are 
exploitable.

--[ 1 - libavformat/http.c  ]

After executing http_read_stream we read each http header, where we pass "Transfer-Encoding: chunked" header, and we 
come into http_buf_read function [1]. Due to incorrect use of strtoll function and integer sizes (chunk_size in 
int64_t)[2], it was possible to pass negative chunk_size in chunk encoding, so after computing final size using FFMIN 
function later on it would be passed as argument to avio_read function. This results in a heap-overflow which we found out 
to be exploitable, because overflowed buffer is allocated right next to the AVIOContext structure[3]. Overflowing 
function pointer in this structure immediately results in rip control and then code execution.

* [1] - https://github.com/FFmpeg/FFmpeg/blob/51020adcecf4004c1586a708d96acc6cbddd050a/libavformat/http.c#L1166 

* [2] - https://github.com/FFmpeg/FFmpeg/blob/51020adcecf4004c1586a708d96acc6cbddd050a/libavformat/http.c#L1259 

* [3] - https://github.com/FFmpeg/FFmpeg/blob/51020adcecf4004c1586a708d96acc6cbddd050a/libavformat/aviobuf.c#L899

This issue was fixed in https://github.com/FFmpeg/FFmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa 
===================================================

Comment on Ref: http://seclists.org/oss-sec/2017/q1/251
===================================================
In case anyone else is curious, here are the corresponding commits
reachable from the n3.2.2 release tag:

https://github.com/FFmpeg/FFmpeg/commit/0e0a413725e0221e1a9d0b7595e22bf57e23a09c
===================================================

(open-)SUSE: https://software.opensuse.org/package/ffmpeg

TW: 3.2.22
42.2: 3.2
42.1: 2.8.8
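
Added example, not code from FFmpeg or from the reporters: the signed chunk-size pattern the letter describes (strtoll into an int64_t, clamped only from above with FFMIN) next to a stricter parser that rejects such input. The function names, the 4096-byte caller buffer and the hardened variant are assumptions made for the illustration; the actual fix is the commit linked above.

```c
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define FFMIN(a, b) ((a) > (b) ? (b) : (a))

/* Pattern from the report: the chunk-size line is parsed as a signed
 * 64-bit value and the read length is only clamped from above. */
int64_t read_len_unchecked(const char *line, int size)
{
    int64_t chunk_size = strtoll(line, NULL, 16);
    /* A negative chunk_size always wins FFMIN, so the "clamped" length is
     * negative; once treated as an unsigned byte count it is enormous. */
    return FFMIN((int64_t)size, chunk_size);
}

/* Hardened variant (illustrative): accept only bare hex digits, reject
 * signs, prefixes, overflow and trailing junk. Returns -1 on bad input. */
int64_t read_len_checked(const char *line, int size)
{
    char *end;
    unsigned long long v;

    if (size <= 0 || !isxdigit((unsigned char)line[0]))
        return -1;                      /* "", "-1", "+5", " 10" */
    if (line[0] == '0' && (line[1] == 'x' || line[1] == 'X'))
        return -1;                      /* strtoull would accept "0x10" */
    errno = 0;
    v = strtoull(line, &end, 16);
    if (errno == ERANGE || v > (unsigned long long)INT64_MAX)
        return -1;
    /* Only CRLF or a chunk extension may follow the number. */
    if (*end != '\0' && *end != '\r' && *end != '\n' && *end != ';')
        return -1;
    return v < (unsigned long long)size ? (int64_t)v : (int64_t)size;
}

int main(void)
{
    /* Constructed chunk-size lines, as a server could send them. */
    const char *samples[] = { "10\r\n", "1000;ext=1\r\n", "-1\r\n",
                              "ffffffffffffffff\r\n" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int64_t u = read_len_unchecked(samples[i], 4096);
        int64_t c = read_len_checked(samples[i], 4096);
        printf("unchecked=%" PRId64 " (as size_t: %zu)  checked=%" PRId64 "\n",
               u, (size_t)u, c);
    }
    return 0;
}
```
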
Comment 1 Swamp Workflow Management 2017-02-01 23:00:49 UTC
bugbot adjusting priority
Comment 2 Dave Plater 2017-03-24 17:14:36 UTC
Which version of ffmpeg first had this bug?
see sr#481434
Comment 3 Dave Plater 2017-03-25 08:16:45 UTC
Heap-based buffer overflow in libavformat/http.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote web servers to execute arbitrary code via a negative chunk size in an HTTP response.
+------------+------------+------------+------------+------------+------------+
|  package   | obs://open | obs://open | obs://open | obs://open | obs://open |
|            | SUSE:Leap: | SUSE:Leap: | SUSE:Backp | SUSE:Leap: | SUSE:Backp |
|            |    42.3    | 42.2:Updat | orts:SLE-1 | 42.1:Updat | orts:SLE-1 |
|            |            |     e      |   2-SP2    |     e      |   2-SP1    |
+============+============+============+============+============+============+
| ffmpeg     | 3.2        | 3.2        | 3.1.3      | 2.8.8      | 2.8.8      |
+------------+------------+------------+------------+------------+------------+

So Leap 42.3 should get latest ffmpeg, Leap:42.2 needs at least 3.2.2 but might as well get latest 3.2.4. Leap:42.1 needs 2.8.10, Backports' SLE-12-SP2 gets 3.1.6, SP1 gets 2.8.10. ffmpeg-3.2.4 doesn't build for SLE-12-SP2 because sdl1 support was removed and sdl2 is required since 3.2, so 3.2.4 is out of the question.
Is this correct?
Comment 4 Dave Plater 2017-03-25 08:36:11 UTC
Meanwhile created sr#482632 to openSUSE:Leap:42.3 which has the same version as 42.2.
Comment 5 Bernhard Wiedemann 2017-03-25 09:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (1022920) was mentioned in
https://build.opensuse.org/request/show/482632 42.3 / ffmpeg
Comment 6 Bernhard Wiedemann 2017-03-26 08:00:45 UTC
This is an autogenerated message for OBS integration:
This bug (1022920) was mentioned in
https://build.opensuse.org/request/show/482691 42.1+42.2+Backports:SLE-12-SP1+Backports:SLE-12-SP2 / ffmpeg
Comment 7 Dave Plater 2017-03-26 08:05:49 UTC
created mr#482691
Comment 8 Benjamin Brunner 2017-03-27 08:49:26 UTC
Since this is a security issue, I changed the needinfo to our security team.
Comment 9 Johannes Segitz 2017-03-29 14:47:05 UTC
(In reply to Dave Plater from comment #3)
Seems correct.
Comment 10 Andreas Stieger 2017-03-31 12:53:13 UTC
Dave, on Leap 42.1 we initially shipped ffmpeg and later ffmpeg3. This was for Chromium (bug 1022049).

openSUSE:Leap:42.1:Update/ffmpeg3 needs to be updated as well.
And for openSUSE:Leap:42.1:Update/ffmpeg, we get test failures due to obsoleting binaries:

INSTALL ffmpeg-2.8.8-22.1.x86_64
INSTALL ffmpeg-devel-2.8.8-22.1.x86_64
INSTALL libavcodec-devel-3.2.2-2.1.x86_64
INSTALL libavcodec56-2.8.8-22.1.x86_64
INSTALL libavcodec56-32bit-2.8.8-22.1.x86_64
INSTALL libavdevice-devel-3.2.2-2.1.x86_64
INSTALL libavdevice56-2.8.8-22.1.x86_64
INSTALL libavdevice56-32bit-2.8.8-22.1.x86_64
INSTALL libavfilter-devel-3.2.2-2.1.x86_64
INSTALL libavfilter5-2.8.8-22.1.x86_64
INSTALL libavfilter5-32bit-2.8.8-22.1.x86_64
INSTALL libavformat-devel-3.2.2-2.1.x86_64
INSTALL libavformat56-2.8.8-22.1.x86_64
INSTALL libavformat56-32bit-2.8.8-22.1.x86_64
INSTALL libavresample-devel-3.2.2-2.1.x86_64
INSTALL libavresample2-2.8.8-22.1.x86_64
INSTALL libavresample2-32bit-2.8.8-22.1.x86_64
INSTALL libavutil-devel-3.2.2-2.1.x86_64
INSTALL libavutil54-2.8.8-22.1.x86_64
INSTALL libavutil54-32bit-2.8.8-22.1.x86_64
INSTALL libpostproc-devel-3.2.2-2.1.x86_64
INSTALL libpostproc53-2.8.8-22.1.x86_64
INSTALL libpostproc53-32bit-2.8.8-22.1.x86_64
INSTALL libswresample-devel-3.2.2-2.1.x86_64
INSTALL libswresample1-2.8.8-22.1.x86_64
INSTALL libswresample1-32bit-2.8.8-22.1.x86_64
INSTALL libswscale-devel-3.2.2-2.1.x86_64
INSTALL libswscale3-2.8.8-22.1.x86_64
INSTALL libswscale3-32bit-2.8.8-22.1.x86_64
+++ PROBLEMS: +++
package libavdevice-devel-3.2.2-2.1.x86_64 obsoletes ffmpeg-devel < 3.2.2 provided by ffmpeg-devel-2.8.8-22.1.x86_64
  + solution
    - do not ask to install libavdevice-devel-3.2.2-2.1.x86_64
PCBS 'libavdevice-devel-3.2.2-2.1.x86_64': 'package libavdevice-devel-3.2.2-2.1.x86_64 obsoletes ffmpeg-devel < 3.2.2 provided by ffmpeg-devel-2.8.8-22.1.x86_64'
    - do not ask to install libavcodec-devel-3.2.2-2.1.x86_64
PCBS 'libavcodec-devel-3.2.2-2.1.x86_64': 'package libavdevice-devel-3.2.2-2.1.x86_64 obsoletes ffmpeg-devel < 3.2.2 provided by ffmpeg-devel-2.8.8-22.1.x86_64'
    - do not ask to install libavfilter-devel-3.2.2-2.1.x86_64
PCBS 'libavfilter-devel-3.2.2-2.1.x86_64': 'package libavdevice-devel-3.2.2-2.1.x86_64 obsoletes ffmpeg-devel < 3.2.2 provided by ffmpeg-devel-2.8.8-22.1.x86_64'
    - do not ask to install libavformat-devel-3.2.2-2.1.x86_64
PCBS 'libavformat-devel-3.2.2-2.1.x86_64': 'package libavdevice-devel-3.2.2-2.1.x86_64 obsoletes ffmpeg-devel < 3.2.2 provided by ffmpeg-devel-2.8.8-22.1.x86_64'
    - do not ask to install libavutil-devel-3.2.2-2.1.x86_64
PCBS 'libavutil-devel-3.2.2-2.1.x86_64': 'package libavdevice-devel-3.2.2-2.1.x86_64 obsoletes ffmpeg-devel < 3.2.2 provided by ffmpeg-devel-2.8.8-22.1.x86_64'
    - do not ask to install libpostproc-devel-3.2.2-2.1.x86_64
PCBS 'libpostproc-devel-3.2.2-2.1.x86_64': 'package libavdevice-devel-3.2.2-2.1.x86_64 obsoletes ffmpeg-devel < 3.2.2 provided by ffmpeg-devel-2.8.8-22.1.x86_64'
    - do not ask to install libswresample-devel-3.2.2-2.1.x86_64
PCBS 'libswresample-devel-3.2.2-2.1.x86_64': 'package libavdevice-devel-3.2.2-2.1.x86_64 obsoletes ffmpeg-devel < 3.2.2 provided by ffmpeg-devel-2.8.8-22.1.x86_64'
    - do not ask to install libswscale-devel-3.2.2-2.1.x86_64
PCBS 'libswscale-devel-3.2.2-2.1.x86_64': 'package libavdevice-devel-3.2.2-2.1.x86_64 obsoletes ffmpeg-devel < 3.2.2 provided by ffmpeg-devel-2.8.8-22.1.x86_64'
    - do not ask to install libavresample-devel-3.2.2-2.1.x86_64
PCBS 'libavresample-devel-3.2.2-2.1.x86_64': 'package libavdevice-devel-3.2.2-2.1.x86_64 obsoletes ffmpeg-devel < 3.2.2 provided by ffmpeg-devel-2.8.8-22.1.x86_64'
  + solution
    - do not ask to install ffmpeg-devel-2.8.8-22.1.x86_64
PCBS 'ffmpeg-devel-2.8.8-22.1.x86_64': 'package libavdevice-devel-3.2.2-2.1.x86_64 obsoletes ffmpeg-devel < 3.2.2 provided by ffmpeg-devel-2.8.8-22.1.x86_64'


I split out the 42.1 maintenance update for now and am progressing the rest.
Comment 11 Dave Plater 2017-03-31 17:58:12 UTC
I'll make a maintenance update for ffmpeg3 to resolve the conflict. Is this package specifically for use by chromium? If so it should have been changed from the old factory version it was copied from. I simply updated the 42.1 ffmpeg package so as to not interfere with other dependent packages. I'll possibly have to change chromium as well.
Comment 12 Dave Plater 2017-04-01 06:57:07 UTC
(In reply to Andreas Stieger from comment #10)
> Dave, on Leap 42.1 we initially shipped ffmpeg and later ffmpeg3. This was
> for Chromium (bug 1022049).
> 
> openSUSE:Leap:42.1:Update/ffmpeg3 needs to be updated as well.
> And for openSUSE:Leap:42.1:Update/ffmpeg, we get test failures due to
> obsoleting binaries:
> 
> I split out the 42.1 maintenance update for now and am progressing the rest.

I can't mess with ffmpeg-2.8.10 because that may affect a host of packages. If any package in 42.1 still requires ffmpeg-devel, removing it from 2.8.10 will cause a problem at a later stage in the same way as ffmpeg3 with its obsolete.
I see that chromium only build requires a specific version of libavformat so I've made ffmpeg3's libavformat-devel require the specific versions of libavcodec-devel, libavfilter-devel and libavutil-devel and simply provided ffmpeg-devel.
I wouldn't like to cause future build failures with packages that aren't compatible with the ffmpeg3 abi so conflicts are necessary in the package. I'm inclined to rename all the devel packages and alter chromium to buildrequire the specific packages. Need a second opinion.
Comment 13 Dave Plater 2017-04-01 07:00:52 UTC
@jan I need your opinion on the 42.1 ffmpeg and ffmpeg3 dilemma.
Comment 14 Jan Engelhardt 2017-04-01 07:51:40 UTC
Package tags like Obsoletes/Provides/Conflicts is a thing that is doable.
I am more worried about the SONAME change between 2.8.8 and 2.8.11.
Comment 15 Dave Plater 2017-04-01 08:15:38 UTC
(In reply to Jan Engelhardt from comment #14)
> Package tags like Obsoletes/Provides/Conflicts is a thing that is doable.
> I am more worried about the SONAME change between 2.8.8 and 2.8.11.
It's 2.8.10 which has the CVE fix. See comment #3

ffmpeg normally has very good backward compatibility for the same major group so I can't foresee any problems there. I'm just worried about random 42.1 Update packages failing to build against ffmpeg3 when they should have pulled in ffmpeg.
I've been updating ffmpeg regularly for years and have never had a problem.
Comment 16 Dave Plater 2017-04-01 08:42:53 UTC
What I really need a second opinion on is the problem with the Leap:42.1 Update, which is held up due to the problem in comment #10 :
Comment 17 Dave Plater 2017-04-01 12:43:03 UTC
created mr#484338 for ffmpeg3, I've copied the multimedia:libs/ffmpeg2 method and replaced the individual devel packages with ffmpeg3-devel.
Comment 18 Bernhard Wiedemann 2017-04-01 14:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (1022920) was mentioned in
https://build.opensuse.org/request/show/484338 42.1 / ffmpeg3
Comment 19 Dave Plater 2017-04-03 08:41:06 UTC
created mr#484338 for ffmpeg3
Comment 20 Swamp Workflow Management 2017-04-07 13:09:32 UTC
openSUSE-SU-2017:0958-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1022920
CVE References: CVE-2016-10190
Sources used:
openSUSE Leap 42.2 (src):    ffmpeg-3.2.4-6.3.1
Comment 21 Swamp Workflow Management 2017-04-07 13:11:01 UTC
openSUSE-SU-2017:0961-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1022920
CVE References: CVE-2016-10190
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    ffmpeg-2.8.10-9.1, ffmpeg-3.1.6-5.1
Comment 22 Bernhard Wiedemann 2017-04-18 16:00:53 UTC
This is an autogenerated message for OBS integration:
This bug (1022920) was mentioned in
https://build.opensuse.org/request/show/489106 42.2 / ffmpeg
Comment 23 Bernhard Wiedemann 2017-04-18 18:01:05 UTC
This is an autogenerated message for OBS integration:
This bug (1022920) was mentioned in
https://build.opensuse.org/request/show/489155 42.1 / ffmpeg
Comment 24 Swamp Workflow Management 2017-04-28 10:08:50 UTC
openSUSE-SU-2017:1121-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022920,1022921,1022922,1034176,1034177,1034179,1034181,1034183
CVE References: CVE-2016-10190,CVE-2016-10191,CVE-2016-10192,CVE-2017-7859,CVE-2017-7862,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
openSUSE Leap 42.2 (src):    ffmpeg-3.3-6.6.1
Comment 25 Benjamin Brunner 2017-05-10 15:15:51 UTC
Removing needinfo and closing as resolved fixed after the update has already been released.
Comment 26 Swamp Workflow Management 2017-05-29 16:09:29 UTC
openSUSE-SU-2017:1433-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015120,1022920,1022921,1022922,1034176,1034177,1034179
CVE References: CVE-2016-10190,CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
openSUSE Leap 42.2 (src):    ffmpeg2-2.8.11-25.3.1
Comment 27 Swamp Workflow Management 2017-09-15 22:12:59 UTC
openSUSE-SU-2017:2502-1: An update that solves 20 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1015120,1022920,1022921,1022922,1034176,1034177,1034179,1046211,1049095,1056760,1056761,1056762,1056763,1056765,1056766,1057536,1057537,1057539,1058018,1058019,1058020
CVE References: CVE-2016-10190,CVE-2016-10191,CVE-2016-10192,CVE-2016-9561,CVE-2017-11399,CVE-2017-14054,CVE-2017-14055,CVE-2017-14056,CVE-2017-14057,CVE-2017-14058,CVE-2017-14059,CVE-2017-14169,CVE-2017-14170,CVE-2017-14171,CVE-2017-14222,CVE-2017-14223,CVE-2017-14225,CVE-2017-7863,CVE-2017-7865,CVE-2017-7866
Sources used:
openSUSE Leap 42.3 (src):    ffmpeg-3.3.4-7.1, ffmpeg2-2.8.13-32.1, lame-3.99.5-2.1, twolame-0.3.13-2.1
Comment 28 Swamp Workflow Management 2018-07-18 14:40:17 UTC
This is an autogenerated message for OBS integration:
This bug (1022920) was mentioned in
https://build.opensuse.org/request/show/623663 15.0+42.3+Backports:SLE-12-SP2 / chromium+codec2+ffmpeg-2+ffmpeg-3+ffmpeg-4+libsodium+libvpx-1_6+zeromq