
Vulnerability #921

Closed
6 tasks done
wqh17101 opened this issue Mar 25, 2022 · 12 comments

@wqh17101

IMPORTANT: Be sure to replace all template sections {{ like this }} or your issue may be discarded.

Overview

The components in the 9.0.2 whl package have many vulnerabilities.

speex 1.2.0

CVE-2020-23903
CVE-2020-23904

vorbis 1.3.6 (latest is 1.3.7)

CVE-2018-10392
CVE-2018-10393

libass 0.14.0 (latest is 0.15.2)

CVE-2020-26682

libxml2 2.9.12 (update to 2.9.13 to fix)

CVE-2022-23308

Expected behavior

Clear or update some components to the latest one

Investigation

{{ What you did to isolate the problem. }}

Reproduction

{{ Steps to reproduce the behavior. If the problem is media specific, include a link to it. Only send media that you have the rights to. }}

Versions

  • OS: linux
  • PyAV runtime: 9.0.2

Research

I have done the following:

@jlaine
Member

jlaine commented Mar 25, 2022

What's the fix for speex, is there a newer version?

EDIT:

  • CVE-2020-23903 does not apply to us; it's not in the library but in the speexenc demo
  • CVE-2020-23904 is the same; it's in the speexenc demo
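The checks the thread applies by hand (compare each bundled component against the version that carries the fix, and discount advisories for code that is not actually shipped, such as the speexenc demo) can be done mechanically. The following is an added example, not code from PyAV or pyav-ffmpeg. The inventory is the one the issue lists for the 9.0.2 wheel; the advisory records are constructed for this example, with the fixed-in versions taken as the "update to" / "latest" versions named in the issue (an assumption: the page does not state that 1.3.7 or 0.15.2 are the exact fixing releases), and a `scope` field that records the observation that the two speex CVEs live in the demo program rather than the library:

```python
"""Audit a vendored-component inventory against a list of advisories.

Added example; not PyAV's or pyav-ffmpeg's own code. Component versions come
from the issue; advisory metadata (fixed_in, scope) is constructed here and
labelled where it is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    fixed_in: Optional[str]      # None: the page names no fixed version
    scope: str = "library"       # "library" (shipped) or "demo" (not shipped)


# Inventory of the 9.0.2 wheel as listed in the issue.
INVENTORY: Dict[str, str] = {
    "speex": "1.2.0",
    "vorbis": "1.3.6",
    "libass": "0.14.0",
    "libxml2": "2.9.12",
}

# Constructed advisory records. fixed_in for vorbis/libass is an assumption:
# the issue only says "latest is 1.3.7" / "latest is 0.15.2".
ADVISORIES: List[Advisory] = [
    Advisory("CVE-2020-23903", "speex", None, scope="demo"),   # speexenc demo
    Advisory("CVE-2020-23904", "speex", None, scope="demo"),   # speexenc demo
    Advisory("CVE-2018-10392", "vorbis", "1.3.7"),
    Advisory("CVE-2018-10393", "vorbis", "1.3.7"),
    Advisory("CVE-2020-26682", "libass", "0.15.2"),
    Advisory("CVE-2022-23308", "libxml2", "2.9.13"),           # "update to 2.9.13 to fix"
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.9.13' -> (2, 9, 13). A non-numeric tail such as '1.2rc1' is cut off,
    so a pre-release compares lower than the corresponding final release."""
    parts: List[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):
            break
    return tuple(parts)


def audit(inventory: Dict[str, str], advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (cve, component, status) for every advisory.

    Order of checks matters: an advisory in code that is not shipped is
    'not applicable' regardless of version, and only a known fixed_in
    allows a definite 'affected' / 'fixed' verdict."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is None:
            status = "not bundled"
        elif adv.scope != "library":
            status = f"not applicable ({adv.scope} code, not shipped)"
        elif adv.fixed_in is None:
            status = f"needs review: {installed} bundled, no fix version known"
        elif parse_version(installed) < parse_version(adv.fixed_in):
            status = f"AFFECTED: {installed} < {adv.fixed_in}"
        else:
            status = f"fixed: {installed} >= {adv.fixed_in}"
        findings.append((adv.cve, adv.component, status))
    return findings


def affected(inventory: Dict[str, str], advisories: List[Advisory]) -> List[str]:
    """Sorted CVE ids that still apply to the given inventory."""
    return sorted({cve for cve, _, status in audit(inventory, advisories)
                   if status.startswith("AFFECTED")})


if __name__ == "__main__":
    for cve, component, status in audit(INVENTORY, ADVISORIES):
        print(f"{cve:<16} {component:<8} {status}")
    # Re-run with the versions the thread proposes to move to.
    updated = dict(INVENTORY, vorbis="1.3.7", libass="0.15.2", libxml2="2.9.13")
    print("still affected after update:", affected(updated, ADVISORIES))
```

Running it against the issue's inventory flags the two vorbis CVEs, the libass CVE and the libxml2 CVE, and reports the speex entries as not applicable; with the proposed upgrades applied the affected list is empty. The scope check is the part worth keeping: a scanner that only matches (component, version) pairs will keep reporting speex 1.2.0 however often the wheel is rebuilt, because the demo-only fix never changes the library version.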

@jlaine
Member

jlaine commented Mar 25, 2022

Here's a PR for this PyAV-Org/pyav-ffmpeg#52

@wqh17101
Author

For speex, maybe check out whether the code is in the demo and not in the lib? And when you build, you do not include the demo.

@jlaine
Member

jlaine commented Mar 25, 2022

For speex, maybe check out whether the code is in the demo and not in the lib? And when you build, you do not include the demo.

Just follow the links from the CVEs you provided and you will end up on:

@jlaine
Member

jlaine commented Mar 25, 2022

Updating ass is going to be harder than expected; more recent versions depend on harfbuzz.

By the way how come you did not raise these vulnerabilities in your previous report?

@wqh17101
Author

wqh17101 commented Mar 26, 2022

@jlaine I do not know; maybe the vulnerability list or tools are updating dynamically.
But this vulnerability's score for ass is 8.8 (High), which means that it is a serious problem. It's better for you to fix it.

@jlaine
Member

jlaine commented Mar 26, 2022

You're welcome to help out, by the way.

@wqh17101
Author

So what is the problem now? Hard to build harfbuzz?

@jlaine
Member

jlaine commented Mar 26, 2022

So what is the problem now? Hard to build harfbuzz?

It's not a question of being "hard"; it's time consuming, and you seem to assume I have unlimited time. I appreciate you reporting these vulnerabilities, but you could also have submitted a PR against https://github.com/PyAV-Org/pyav-ffmpeg.

@wqh17101
Author

All right, I am glad to help you make it better.
So, what is the pipeline to do this? Just submit the code and trigger the CI to validate?
Or run some scripts to validate locally first?
There are no docs for https://github.com/PyAV-Org/pyav-ffmpeg to show how it works.

@jlaine
Member

jlaine commented Mar 26, 2022

Here's a followup PR for libass PyAV-Org/pyav-ffmpeg#53

You can trigger a local build by running:

python3 scripts/build-ffmpeg.py /tmp/vendor

After that, you are right: PRs and commits to the main branch are automatically run by CI on all platforms.

jlaine added a commit to jlaine/PyAV that referenced this issue Mar 27, 2022
This updates several packages to fix security vulnerabilities and adds
support for vpx.
@jlaine jlaine closed this as completed in 9cbe441 Mar 27, 2022
@wqh17101
Author

Note that the vulnerability CVE-2021-38291 for ffmpeg 4.4.1 is fixed in https://ffmpeg.org/releases/ffmpeg-4.4.1.tar.gz,
because according to https://nvd.nist.gov/vuln/detail/CVE-2021-38291 it only affected versions up to 2021-06-30, and the package above was released on 2021-10-24.
