authorAlexis Ballier <aballier@gentoo.org>2008-07-17 07:53:58 +0000
committerAlexis Ballier <aballier@gentoo.org>2008-07-17 07:53:58 +0000
commitd82df42633be22dce3824c8308358c4fa3e53da8 (patch)
tree8eeca310f490b77b45bd73c3244f7c0b7aa92274 /media-video
parentFix up SRC_URI, upstream calls gnu-classpath by just classpath (diff)
Add patches for security bug #231831. -r3 is -r0 with the patch, stable candidate without swscaler. -r20 is -r2 with the patch, with swscaler.
(Portage version: 2.2_rc1/cvs/Linux 2.6.25.7 x86_64)
Diffstat (limited to 'media-video')
-rw-r--r--media-video/ffmpeg/ChangeLog11
-rw-r--r--media-video/ffmpeg/ffmpeg-0.4.9_p20070616-r20.ebuild181
-rw-r--r--media-video/ffmpeg/ffmpeg-0.4.9_p20070616-r3.ebuild172
-rw-r--r--media-video/ffmpeg/files/CVE-2008-3162.patch63
4 files changed, 426 insertions, 1 deletions
diff --git a/media-video/ffmpeg/ChangeLog b/media-video/ffmpeg/ChangeLog
index 95898c319551..5fbc3345e3ee 100644
--- a/media-video/ffmpeg/ChangeLog
+++ b/media-video/ffmpeg/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for media-video/ffmpeg
# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-video/ffmpeg/ChangeLog,v 1.220 2008/07/07 20:39:09 loki_val Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-video/ffmpeg/ChangeLog,v 1.221 2008/07/17 07:53:57 aballier Exp $
+
+*ffmpeg-0.4.9_p20070616-r20 (17 Jul 2008)
+*ffmpeg-0.4.9_p20070616-r3 (17 Jul 2008)
+
+ 17 Jul 2008; Alexis Ballier <aballier@gentoo.org>
+ +files/CVE-2008-3162.patch, +ffmpeg-0.4.9_p20070616-r3.ebuild,
+ +ffmpeg-0.4.9_p20070616-r20.ebuild:
+ Add patches for security bug #231831. -r3 is -r0 with the patch, stable
+ candidate without swscaler. -r20 is -r2 with the patch, with swscaler.
07 Jul 2008; Peter Alfredsen <loki_val@gentoo.org>
ffmpeg-0.4.9_p20080326.ebuild:
diff --git a/media-video/ffmpeg/ffmpeg-0.4.9_p20070616-r20.ebuild b/media-video/ffmpeg/ffmpeg-0.4.9_p20070616-r20.ebuild
new file mode 100644
index 000000000000..df75af2d69b8
--- /dev/null
+++ b/media-video/ffmpeg/ffmpeg-0.4.9_p20070616-r20.ebuild
@@ -0,0 +1,181 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-video/ffmpeg/ffmpeg-0.4.9_p20070616-r20.ebuild,v 1.1 2008/07/17 07:53:57 aballier Exp $
+
+inherit eutils flag-o-matic multilib toolchain-funcs
+
+DESCRIPTION="Complete solution to record, convert and stream audio and video.
+Includes libavcodec. SVN revision 9330"
+HOMEPAGE="http://ffmpeg.org/"
+MY_P=${P/_/-}
+S=${WORKDIR}/ffmpeg
+
+SRC_URI="mirror://gentoo/${MY_P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+IUSE="aac altivec amr debug doc ieee1394 a52 encode imlib ipv6 mmx ogg vorbis
+ oss test theora threads truetype v4l x264 xvid network zlib sdl X"
+
+RDEPEND="imlib? ( media-libs/imlib2 )
+ truetype? ( >=media-libs/freetype-2 )
+ sdl? ( >=media-libs/libsdl-1.2.10 )
+ encode? ( media-sound/lame
+ vorbis? ( media-libs/libvorbis )
+ theora? ( media-libs/libtheora ) )
+ ogg? ( media-libs/libogg )
+ aac? ( media-libs/faad2 media-libs/faac )
+ a52? ( >=media-libs/a52dec-0.7.4-r4 )
+ xvid? ( >=media-libs/xvid-1.1.0 )
+ zlib? ( sys-libs/zlib )
+ ieee1394? ( =media-libs/libdc1394-1*
+ sys-libs/libraw1394 )
+ x264? ( media-libs/x264 )
+ X? ( x11-libs/libX11 x11-libs/libXext )
+ amr? ( media-libs/amrnb media-libs/amrwb )"
+
+DEPEND="${RDEPEND}
+ doc? ( app-text/texi2html )
+ test? ( net-misc/wget )"
+# Make sure the mmx USE flag is unmasked
+# Remove this once default-linux/amd64/2006.1 is deprecated
+DEPEND="${DEPEND} amd64? ( >=sys-apps/portage-2.1.2 )"
+
+src_unpack() {
+ unpack ${A} || die
+ cd "${S}"
+
+ #Append -DBROKEN_RELOCATIONS to build for bug 179872.
+ #Pretty please fix me if you can.
+ append-flags "-DBROKEN_RELOCATIONS"
+
+ #Append -fomit-frame-pointer to avoid some common issues
+ use debug || append-flags "-fomit-frame-pointer"
+
+ # for some reason it tries to #include <X11/Xlib.h>, but doesn't use it
+ sed -i s:\#define\ HAVE_X11:\#define\ HAVE_LINUX: ffplay.c
+
+ # .pc files contain wrong libdir path
+ epatch ${FILESDIR}/${PN}-libdir-2007.patch
+ sed -i -e "s:GENTOOLIBDIR:$(get_libdir):" configure
+
+ # Make it use pic always since we don't need textrels
+ sed -i -e "s:LIBOBJFLAGS=\"\":LIBOBJFLAGS=\'\$\(PIC\)\':" configure
+
+ # To make sure the ffserver test will work
+ sed -i -e "s:-e debug=off::" tests/server-regression.sh
+
+ # Fix building with altivec for bug 183687
+ sed -i -e "s:TARGET_ALTIVEC:HAVE_ALTIVEC:" libswscale/Makefile
+
+ epatch "${FILESDIR}"/${PN}-arm-pld.patch
+ epatch "${FILESDIR}/${PN}-shared-gcc4.1.patch"
+ # disable non pic safe asm, bug #172877, bug #172845 and dupes
+ # epatch "${FILESDIR}/${PN}-0.4.9_p20070330-asmpic.patch"
+
+ # Security fix, bug #231831
+ epatch "${FILESDIR}/CVE-2008-3162.patch"
+}
+
+src_compile() {
+ replace-flags -O0 -O2
+ #x86, what a wonderful arch....
+ replace-flags -O1 -O2
+ local myconf="${EXTRA_ECONF}"
+
+ #disable mmx accelerated code if not requested, or if PIC is required
+ # as the provided asm decidedly is not PIC.
+ if ( gcc-specs-pie || ! use mmx ) ; then
+ myconf="${myconf} --disable-mmx"
+ fi
+
+ # enabled by default
+ use altivec || myconf="${myconf} --disable-altivec"
+ use debug || myconf="${myconf} --disable-debug"
+ use oss || myconf="${myconf} --disable-audio-oss"
+ use v4l || myconf="${myconf} --disable-v4l --disable-v4l2"
+ use ieee1394 || myconf="${myconf} --disable-dv1394"
+ use zlib || myconf="${myconf} --disable-zlib"
+ use sdl || myconf="${myconf} --disable-ffplay"
+
+ if use network; then
+ use ipv6 || myconf="${myconf} --disable-ipv6"
+ else
+ myconf="${myconf} --disable-network"
+ fi
+
+ myconf="${myconf} --disable-opts"
+
+ # disabled by default
+ if use encode
+ then
+ myconf="${myconf} --enable-libmp3lame"
+ use vorbis && myconf="${myconf} --enable-libvorbis --enable-libogg"
+ use theora && myconf="${myconf} --enable-libtheora --enable-libogg"
+ fi
+ use a52 && myconf="${myconf} --enable-liba52"
+ use ieee1394 && myconf="${myconf} --enable-dc1394"
+ use threads && myconf="${myconf} --enable-pthreads"
+ use xvid && myconf="${myconf} --enable-libxvid"
+ use X && myconf="${myconf} --enable-x11grab"
+ use ogg && myconf="${myconf} --enable-libogg"
+ use x264 && myconf="${myconf} --enable-libx264"
+ use aac && myconf="${myconf} --enable-libfaad --enable-libfaac"
+ use amr && myconf="${myconf} --enable-libamr-nb --enable-libamr-wb"
+
+ myconf="${myconf} --enable-gpl --enable-pp \
+ --enable-swscaler --disable-strip"
+
+ tc-is-cross-compiler && myconf="${myconf} --cross-compile --arch=$(tc-arch-kernel)"
+
+ # Specific workarounds for too-few-registers arch...
+ if [[ $(tc-arch) == "x86" ]]; then
+ filter-flags -fforce-addr -momit-leaf-frame-pointer
+ append-flags -fomit-frame-pointer
+ is-flag -O? || append-flags -O2
+ if (use debug); then
+ # no need to warn about debug if not using debug flag
+ ewarn ""
+ ewarn "Debug information will be almost useless as the frame pointer is omitted."
+ ewarn "This makes debugging harder, so crashes that has no fixed behavior are"
+ ewarn "difficult to fix. Please have that in mind."
+ ewarn ""
+ fi
+ fi
+
+ cd ${S}
+ ./configure \
+ --prefix=/usr \
+ --libdir=/usr/$(get_libdir) \
+ --shlibdir=/usr/$(get_libdir) \
+ --mandir=/usr/share/man \
+ --enable-static --enable-shared \
+ "--cc=$(tc-getCC)" \
+ ${myconf} || die "configure failed"
+
+ emake -j1 depend || die "depend failed"
+ emake || die "make failed"
+}
+
+src_install() {
+ emake -j1 LDCONFIG=true DESTDIR=${D} install || die "Install Failed"
+
+ use doc && emake -j1 documentation
+ dodoc Changelog README INSTALL
+ dodoc doc/*
+}
+
+# Never die for now...
+src_test() {
+ cd ${S}/tests
+ for t in "codectest libavtest test-server" ; do
+ make ${t} || ewarn "Some tests in ${t} failed"
+ done
+}
+
+pkg_postinst() {
+ ewarn "ffmpeg may have had ABI changes, if ffmpeg based programs"
+ ewarn "like xine-lib or vlc stop working as expected please"
+ ewarn "rebuild them."
+}
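Review bot: In `src_test`, `for t in "codectest libavtest test-server"` quotes the whole list, so the loop body runs once with all three names in `${t}`. The unquoted `make ${t}` then receives three targets in a single invocation; without `-k`, a failure in the first target presumably keeps the later suites from running, and the single warning names all three. Writing the loop as `for t in codectest libavtest test-server ; do` gives one `make` run and one warning per suite, which is worth having in a revision whose only purpose is to carry a security patch. The same loop appears in `src_test` of ffmpeg-0.4.9_p20070616-r3.ebuild in this commit.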
diff --git a/media-video/ffmpeg/ffmpeg-0.4.9_p20070616-r3.ebuild b/media-video/ffmpeg/ffmpeg-0.4.9_p20070616-r3.ebuild
new file mode 100644
index 000000000000..60f048bc4df1
--- /dev/null
+++ b/media-video/ffmpeg/ffmpeg-0.4.9_p20070616-r3.ebuild
@@ -0,0 +1,172 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-video/ffmpeg/ffmpeg-0.4.9_p20070616-r3.ebuild,v 1.1 2008/07/17 07:53:57 aballier Exp $
+
+inherit eutils flag-o-matic multilib toolchain-funcs
+
+DESCRIPTION="Complete solution to record, convert and stream audio and video.
+Includes libavcodec. SVN revision 9330"
+HOMEPAGE="http://ffmpeg.org/"
+MY_P=${P/_/-}
+S=${WORKDIR}/ffmpeg
+
+SRC_URI="mirror://gentoo/${MY_P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+IUSE="aac altivec amr debug doc ieee1394 a52 encode imlib mmx ogg vorbis oss
+ test theora threads truetype v4l x264 xvid network zlib sdl X"
+
+RDEPEND="imlib? ( media-libs/imlib2 )
+ truetype? ( >=media-libs/freetype-2 )
+ sdl? ( >=media-libs/libsdl-1.2.10 )
+ encode? ( media-sound/lame
+ vorbis? ( media-libs/libvorbis )
+ theora? ( media-libs/libtheora ) )
+ ogg? ( media-libs/libogg )
+ aac? ( media-libs/faad2 media-libs/faac )
+ a52? ( >=media-libs/a52dec-0.7.4-r4 )
+ xvid? ( >=media-libs/xvid-1.1.0 )
+ zlib? ( sys-libs/zlib )
+ ieee1394? ( =media-libs/libdc1394-1*
+ sys-libs/libraw1394 )
+ x264? ( media-libs/x264 )
+ X? ( x11-libs/libX11 x11-libs/libXext )
+ amr? ( media-libs/amrnb media-libs/amrwb )"
+
+DEPEND="${RDEPEND}
+ doc? ( app-text/texi2html )
+ test? ( net-misc/wget )"
+# Make sure the mmx USE flag is unmasked
+# Remove this once default-linux/amd64/2006.1 is deprecated
+DEPEND="${DEPEND} amd64? ( >=sys-apps/portage-2.1.2 )"
+
+src_unpack() {
+ unpack ${A} || die
+ cd ${S}
+
+ #Append -DBROKEN_RELOCATIONS to build for bug 179872.
+ #Pretty please fix me if you can.
+ append-flags "-DBROKEN_RELOCATIONS"
+
+ #Append -fomit-frame-pointer to avoid some common issues
+ use debug || append-flags "-fomit-frame-pointer"
+
+ # for some reason it tries to #include <X11/Xlib.h>, but doesn't use it
+ sed -i s:\#define\ HAVE_X11:\#define\ HAVE_LINUX: ffplay.c
+
+ # .pc files contain wrong libdir path
+ epatch ${FILESDIR}/${PN}-libdir-2007.patch
+ sed -i -e "s:GENTOOLIBDIR:$(get_libdir):" configure
+
+ # Make it use pic always since we don't need textrels
+ sed -i -e "s:LIBOBJFLAGS=\"\":LIBOBJFLAGS=\'\$\(PIC\)\':" configure
+
+ # To make sure the ffserver test will work
+ sed -i -e "s:-e debug=off::" tests/server-regression.sh
+
+ epatch "${FILESDIR}"/${PN}-arm-pld.patch
+ epatch "${FILESDIR}/${PN}-shared-gcc4.1.patch"
+ # disable non pic safe asm, bug #172877, bug #172845 and dupes
+ # epatch "${FILESDIR}/${PN}-0.4.9_p20070330-asmpic.patch"
+
+ # Security fix, bug #231831
+ epatch "${FILESDIR}/CVE-2008-3162.patch"
+}
+
+src_compile() {
+ replace-flags -O0 -O2
+ #x86, what a wonderful arch....
+ replace-flags -O1 -O2
+ local myconf="${EXTRA_ECONF}"
+
+ #disable mmx accelerated code if not requested, or if PIC is required
+ # as the provided asm decidedly is not PIC.
+ if ( gcc-specs-pie || ! use mmx ) ; then
+ myconf="${myconf} --disable-mmx"
+ fi
+
+ # enabled by default
+ use altivec || myconf="${myconf} --disable-altivec"
+ use debug || myconf="${myconf} --disable-debug"
+ use oss || myconf="${myconf} --disable-audio-oss"
+ use v4l || myconf="${myconf} --disable-v4l --disable-v4l2"
+ use ieee1394 || myconf="${myconf} --disable-dv1394"
+ use network || myconf="${myconf} --disable-network"
+ use zlib || myconf="${myconf} --disable-zlib"
+ use sdl || myconf="${myconf} --disable-ffplay"
+
+ myconf="${myconf} --disable-opts"
+
+ # disabled by default
+ if use encode
+ then
+ myconf="${myconf} --enable-libmp3lame"
+ use vorbis && myconf="${myconf} --enable-libvorbis --enable-libogg"
+ use theora && myconf="${myconf} --enable-libtheora --enable-libogg"
+ fi
+ use a52 && myconf="${myconf} --enable-liba52"
+ use ieee1394 && myconf="${myconf} --enable-dc1394"
+ use threads && myconf="${myconf} --enable-pthreads"
+ use xvid && myconf="${myconf} --enable-libxvid"
+ use X && myconf="${myconf} --enable-x11grab"
+ use ogg && myconf="${myconf} --enable-libogg"
+ use x264 && myconf="${myconf} --enable-libx264"
+ use aac && myconf="${myconf} --enable-libfaad --enable-libfaac"
+ use amr && myconf="${myconf} --enable-libamr-nb --enable-libamr-wb"
+
+ myconf="${myconf} --enable-gpl --enable-pp --disable-strip"
+
+ tc-is-cross-compiler && myconf="${myconf} --cross-compile --arch=$(tc-arch-kernel)"
+
+ # Specific workarounds for too-few-registers arch...
+ if [[ $(tc-arch) == "x86" ]]; then
+ filter-flags -fforce-addr -momit-leaf-frame-pointer
+ append-flags -fomit-frame-pointer
+ is-flag -O? || append-flags -O2
+ if (use debug); then
+ # no need to warn about debug if not using debug flag
+ ewarn ""
+ ewarn "Debug information will be almost useless as the frame pointer is omitted."
+ ewarn "This makes debugging harder, so crashes that has no fixed behavior are"
+ ewarn "difficult to fix. Please have that in mind."
+ ewarn ""
+ fi
+ fi
+
+ cd ${S}
+ ./configure \
+ --prefix=/usr \
+ --libdir=/usr/$(get_libdir) \
+ --shlibdir=/usr/$(get_libdir) \
+ --mandir=/usr/share/man \
+ --enable-static --enable-shared \
+ "--cc=$(tc-getCC)" \
+ ${myconf} || die "configure failed"
+
+ emake -j1 depend || die "depend failed"
+ emake || die "make failed"
+}
+
+src_install() {
+ emake -j1 LDCONFIG=true DESTDIR=${D} install || die "Install Failed"
+
+ use doc && emake -j1 documentation
+ dodoc Changelog README INSTALL
+ dodoc doc/*
+}
+
+# Never die for now...
+src_test() {
+ cd ${S}/tests
+ for t in "codectest libavtest test-server" ; do
+ make ${t} || ewarn "Some tests in ${t} failed"
+ done
+}
+
+pkg_postinst() {
+ ewarn "ffmpeg may have had ABI changes, if ffmpeg based programs"
+ ewarn "like xine-lib or vlc stop working as expected please"
+ ewarn "rebuild them."
+}
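Review bot: `src_unpack` here uses an unquoted, unchecked `cd ${S}`, whereas the -r20 ebuild added in the same commit already quotes it as `cd "${S}"`. The in-place `sed -i` edits and the `epatch` calls that follow, including the CVE-2008-3162 patch, all depend on that directory change having succeeded. I would write `cd "${S}" || die "cd to ${S} failed"` so that an unexpected unpack layout stops the build instead of letting the edits run in the wrong directory.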
diff --git a/media-video/ffmpeg/files/CVE-2008-3162.patch b/media-video/ffmpeg/files/CVE-2008-3162.patch
new file mode 100644
index 000000000000..032a3e7016b3
--- /dev/null
+++ b/media-video/ffmpeg/files/CVE-2008-3162.patch
@@ -0,0 +1,63 @@
+CVE-2008-3162:
+Stack-based buffer overflow in the str_read_packet function in libavformat/psxstr.c
+in FFmpeg before r13993 allows remote attackers to cause a denial of service
+(application crash) or execute arbitrary code via a crafted STR file that interleaves
+audio and video sectors.
+
+Patch from
+http://svn.mplayerhq.hu/ffmpeg?view=rev&revision=13993
+
+Index: ffmpeg/libavformat/psxstr.c
+===================================================================
+--- ffmpeg.orig/libavformat/psxstr.c
++++ ffmpeg/libavformat/psxstr.c
+@@ -276,12 +276,23 @@ static int str_read_packet(AVFormatConte
+ int current_sector = AV_RL16(&sector[0x1C]);
+ int sector_count = AV_RL16(&sector[0x1E]);
+ int frame_size = AV_RL32(&sector[0x24]);
+- int bytes_to_copy;
++
++ if(!( frame_size>=0
++ && current_sector < sector_count
++ && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){
++ av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size);
++ return AVERROR_INVALIDDATA;
++ }
++
+ // printf("%d %d %d\n",current_sector,sector_count,frame_size);
+ /* if this is the first sector of the frame, allocate a pkt */
+ pkt = &str->tmp_pkt;
+- if (current_sector == 0) {
+- if (av_new_packet(pkt, frame_size))
++
++ if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){
++ if(pkt->data)
++ av_log(s, AV_LOG_ERROR, "missmatching sector_count\n");
++ av_free_packet(pkt);
++ if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE))
+ return AVERROR_IO;
+
+ pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE;
+@@ -295,15 +306,15 @@ static int str_read_packet(AVFormatConte
+ str->pts += (90000 / 15);
+ }
+
+- /* load all the constituent chunks in the video packet */
+- bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE;
+- if (bytes_to_copy>0) {
+- if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE;
+- memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
+- sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy);
+- }
++ memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
++ sector + VIDEO_DATA_HEADER_SIZE,
++ VIDEO_DATA_CHUNK_SIZE);
++
+ if (current_sector == sector_count-1) {
++ pkt->size= frame_size;
+ *ret_pkt = *pkt;
++ pkt->data= NULL;
++ pkt->size= -1;
+ return 0;
+ }
+
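Review bot: After the reallocation in the first inner hunk, `av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE)` creates a buffer that is filled only by the sectors that actually arrive. If the sector with `current_sector == sector_count-1` arrives before the earlier ones, the packet is returned with `pkt->size= frame_size` while part of its payload was never written. Unless `av_new_packet` zeroes the payload (not visible here), a file that omits sectors would pass uninitialised heap bytes to the decoder; adding `memset(pkt->data, 0, sector_count*VIDEO_DATA_CHUNK_SIZE);` right after the successful allocation closes that gap. The bounds of the fixed-size `memcpy` are covered by the new `current_sector < sector_count` check, so this point concerns only the unwritten remainder. `str_read_packet` starts and ends outside the hunk.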