[scarthgap,03/37] ffmpeg: fix CVE-2024-31578

Message ID	bd9fe64c40f7f4e1d18b5d33a9a366e95c2ddd2d.1722258106.git.steve@sakoman.com
State	Accepted
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.215.169, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 03/37] ffmpeg: fix CVE-2024-31578 Date: Mon, 29 Jul 2024 06:12:13 -0700 Message-Id: <bd9fe64c40f7f4e1d18b5d33a9a366e95c2ddd2d.1722258106.git.steve@sakoman.com> In-Reply-To: <cover.1722258106.git.steve@sakoman.com> References: <cover.1722258106.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,01/37] ofono: fix CVE-2023-2794 \| expand [scarthgap,01/37] ofono: fix CVE-2023-2794 [scarthgap,02/37] ffmpeg: fix CVE-2023-49502 [scarthgap,03/37] ffmpeg: fix CVE-2024-31578 [scarthgap,04/37] pam: Fix for CVE-2024-22365 [scarthgap,05/37] cve-check: Introduce CVE_CHECK_MANIFEST_JSON_SUFFIX [scarthgap,06/37] weston: upgrade 13.0.0 -> 13.0.1 [scarthgap,07/37] python3-idna: upgrade 3.6 -> 3.7 [scarthgap,08/37] oeqa/runtime: make minidebuginfo test work with coreutils [scarthgap,09/37] wic: bootimg-efi: fix error handling [scarthgap,10/37] multilib.bbclass: replace deprecated e.data with d [scarthgap,11/37] gawk: update patch status [scarthgap,12/37] maintainers.inc: update self e-mail address [scarthgap,13/37] cmake-qemu.bbclass: fix if criterion [scarthgap,14/37] iptables: fix save/restore symlinks with libnftnl PACKAGECONFIG enabled [scarthgap,15/37] selftest: add Upstream-Status to .patch files [scarthgap,16/37] grub,grub-efi: Remove -mfpmath=sse on x86 [scarthgap,17/37] python3: Treat UID/GID overflow as failure [scarthgap,18/37] python3: skip test_concurrent_futures/test_deadlock [scarthgap,19/37] python3: skip test_multiprocessing/test_active_children test [scarthgap,20/37] oeqa/sdk/case: Ensure DL_DIR is populated with artefacts if used [scarthgap,21/37] gawk: Remove References to /usr/local/bin/gawk [scarthgap,22/37] archiver.bbclass: Fix work-shared checking for kernel recipes [scarthgap,23/37] classes/kernel: No symlink in postinst without KERNEL_IMAGETYPE_SYMLINK [scarthgap,24/37] oeqa/runtime: fix race-condition in minidebuginfo test [scarthgap,25/37] python3: submit deterministic_imports.patch upstream as a ticket [scarthgap,26/37] glib-networking: submit eagain.patch upstream [scarthgap,27/37] glslang: mark 0001-generate-glslang-pkg-config.patch as Inappropriate [scarthgap,28/37] tcp-wrappers: mark all patches as inactive-upstream [scarthgap,29/37] automake: mark new_rt_path_for_test-driver.patch as Inappropriate [scarthgap,30/37] settings-daemon: submit addsoundkeys.patch upstream and update to a revision that… [scarthgap,31/37] dpkg: mark patches adding custom non-debian architectures as inappropriate for up… [scarthgap,32/37] libacpi: mark patches as inactive-upstream [scarthgap,33/37] python3-attrs: drop python3-ctypes from RDEPENDS [scarthgap,34/37] oeqa/runtime/scp: requires openssh-sftp-server [scarthgap,35/37] openssh: drop rejected patch fixed in 8.6p1 release [scarthgap,36/37] openssh: systemd sd-notify patch was rejected upstream [scarthgap,37/37] openssh: systemd notification was implemented upstream

Message ID

bd9fe64c40f7f4e1d18b5d33a9a366e95c2ddd2d.1722258106.git.steve@sakoman.com

State

Accepted

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/37] ffmpeg: fix CVE-2024-31578
Date: Mon, 29 Jul 2024 06:12:13 -0700
Message-Id: 
 <bd9fe64c40f7f4e1d18b5d33a9a366e95c2ddd2d.1722258106.git.steve@sakoman.com>
In-Reply-To: <cover.1722258106.git.steve@sakoman.com>
References: <cover.1722258106.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap,01/37] ofono: fix CVE-2023-2794 | expand

Commit Message

Steve Sakoman July 29, 2024, 1:12 p.m. UTC

From: Archana Polampalli <archana.polampalli@windriver.com>

FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ffmpeg/ffmpeg/CVE-2024-31578.patch        | 49 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch
new file mode 100644
index 0000000000..f8e7e1283b
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch
@@ -0,0 +1,49 @@ 
+From edeeb35cecb5bc0d433b14dd0e544ae826b7ece5 Mon Sep 17 00:00:00 2001
+From: Zhao Zhili <zhilizhao@tencent.com>
+Date: Tue, 20 Feb 2024 20:08:55 +0800
+Subject: [PATCH] avutil/hwcontext: Don't assume frames_uninit is reentrant
+
+Fix heap use after free when vulkan_frames_init failed.
+
+Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
+
+CVE: CVE-2024-31578
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavutil/hwcontext.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c
+index 3650d46..0ef3479 100644
+--- a/libavutil/hwcontext.c
++++ b/libavutil/hwcontext.c
+@@ -363,7 +363,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
+     if (ctx->internal->hw_type->frames_init) {
+         ret = ctx->internal->hw_type->frames_init(ctx);
+         if (ret < 0)
+-            goto fail;
++            return ret;
+     }
+
+     if (ctx->internal->pool_internal && !ctx->pool)
+@@ -373,14 +373,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
+     if (ctx->initial_pool_size > 0) {
+         ret = hwframe_pool_prealloc(ref);
+         if (ret < 0)
+-            goto fail;
++            return ret;
+     }
+
+     return 0;
+-fail:
+-    if (ctx->internal->hw_type->frames_uninit)
+-        ctx->internal->hw_type->frames_uninit(ctx);
+-    return ret;
+ }
+
+ int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref,
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
index 90c15782d1..06bd36e2e2 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
@@ -28,6 +28,7 @@  SRC_URI = " \
     file://vulkan_av1_stable_API.patch \
     file://vulkan_fix_gcc14.patch \
     file://CVE-2023-49502.patch \
+    file://CVE-2024-31578.patch \
 "
 
 SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"

[scarthgap,03/37] ffmpeg: fix CVE-2024-31578

Commit Message

Patch