Table of Contents
- Shameless Advert
- Introduction
- FFmpeg application security
- Versions of FFmpeg in Ubuntu and Debian
- FFmpeg patching
Shameless Advert
Join our open fedi relay! relay.disobey.net
Introduction
FFmpeg is used to play video files by a wide range of web applications. That includes probably all of the fediverse server applications such as Mastodon, Peertube, Pixelfed, Loops, etc. It's important to keep image processing software patched server-side. If a user were to upload a malicious video file to their Mastodon server, and that file gets federated to thousands of other Mastodon servers that then process the malicious video file, the potential impact could be huge.
I'm using Ubuntu 22.04 LTS for my server OS. I build Mastodon from source, not Docker.
FFmpeg application security
As you should know as a fediverse server admin, FFmpeg recently disclosed CVE-2024-7055, a critical, remotely-exploitable bug:
7.0.2
Fixes following vulnerabilities:
CVE-2024-7055
NIST makes clear that all versions up to 7.0.1 are affected:
A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical. This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.2 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-273651.
Versions of FFmpeg in Ubuntu and Debian
The version of FFmpeg in Ubuntu server 22.04 LTS is version 4.1 and it has not been patched:
https://ubuntu.com/security/CVE-2024-7055
The version of FFmpeg in Debian has been patched in Bookworm:
https://security-tracker.debian.org/tracker/CVE-2024-7055
FFmpeg patching
Due to the complexity of installing FFmpeg from source, I wanted to find a better way. Enter: the FFmpeg-build-script: https://github.com/markus-perl/ffmpeg-build-script.
This build script has been maintained for years and is a far simpler way of upgrading FFmpeg, maintained by people who know way more about this stuff than me. I opted to use the "With GPL and non-free codes" version, and have had no issue with Mastodon -- both 4.2.12 and the newest 4.3.0-beta1.
After running the script and waiting for all of the builds to take place, all you have to do is copy over the binaries to the existing production locations:
sudo cp /home/<user>/.local/bin/ffmpeg /usr/bin/ffmpeg
sudo cp /home/<user>/.local/bin/ffplay /usr/bin/ffplay
sudo cp /home/<user>/.local/bin/ffprobe /usr/bin/ffprobe
Validate v7.0.2 is now installed:
/usr/bin/ffmpeg -version
ffmpeg version 7.0.2 Copyright (c) 2000-2024 the FFmpeg developers
built with gcc 11 (Ubuntu 11.4.0-1ubuntu1~22.04)
configuration: --enable-nonfree --enable-gpl --enable-openssl --enable-libdav1d --enable-libsvtav1 --enable-libx264 --enable-libx265 --enable-libvpx --enable-libxvid --enable-libvidstab --enable-libaom --enable-libzimg --enable-lv2 --enable-libopencore_amrnb --enable-libopencore_amrwb --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libtheora --enable-libfdk-aac --enable-libjxl --enable-libwebp --enable-libfreetype --enable-libsrt --enable-libzvbi --disable-ffnvcodec --enable-amf --disable-debug --disable-shared --enable-pthreads --enable-static --enable-version3 --extra-cflags='-I/home/user/ffmpeg-build/workspace/include -Wno-int-conversion -I/home/user/ffmpeg-build/workspace/include/lilv-0' --extra-ldexeflags= --extra-ldflags=-L/home/user/ffmpeg-build/workspace/lib --extra-libs='-ldl -lpthread -lm -lz' --pkgconfigdir=/home/user/ffmpeg-build/workspace/lib/pkgconfig --pkg-config-flags=--static --prefix=/home/user/ffmpeg-build/workspace --extra-version=
libavutil 59. 8.100 / 59. 8.100
libavcodec 61. 3.100 / 61. 3.100
libavformat 61. 1.100 / 61. 1.100
libavdevice 61. 1.100 / 61. 1.100
libavfilter 10. 1.100 / 10. 1.100
libswscale 8. 1.100 / 8. 1.100
libswresample 5. 1.100 / 5. 1.100
libpostproc 58. 1.100 / 58. 1.100
Notice all of the configuration flags. Several of them reference build locations under the /home/user/ffmpeg-build/ directory, or wherever you ran the build script from. That's a positive sign that the binary in use is the one you built from source via FFmpeg-build-script rather than the distro package.
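As an added example (not from the original post or from the ffmpeg-build-script project), here is a small POSIX shell check that automates the two things to look for above: it parses captured "ffmpeg -version" output for a release number of at least 7.0.2 and confirms the configuration line carries the ffmpeg-build-script workspace prefix. The sample output embedded in it is constructed from the lines shown above; the function names are my own.

```shell
# Minimum fixed release (CVE-2024-7055 was fixed in 7.0.2).
MIN_VERSION="7.0.2"

# Constructed sample of "ffmpeg -version" output (first lines only) for offline use.
SAMPLE_OUTPUT='ffmpeg version 7.0.2 Copyright (c) 2000-2024 the FFmpeg developers
built with gcc 11 (Ubuntu 11.4.0-1ubuntu1~22.04)
configuration: --enable-nonfree --enable-gpl --prefix=/home/user/ffmpeg-build/workspace'

# Print the release number from the first line ("7.0.2", also "n7.0.2");
# prints nothing for git snapshot names such as "N-116000-gabcdef".
ffmpeg_version_of() {
    printf '%s\n' "$1" | sed -n 's/^ffmpeg version n\{0,1\}\([0-9][0-9.]*\).*/\1/p' | head -n1
}

# Succeed when dotted version $1 >= $2, comparing three numeric fields
# (missing fields count as 0, so "7.1" >= "7.0.2").
version_ge() {
    v1="${1}.0.0"; v2="${2}.0.0"; i=1
    while [ "$i" -le 3 ]; do
        f1=$(printf '%s' "$v1" | cut -d. -f"$i")
        f2=$(printf '%s' "$v2" | cut -d. -f"$i")
        [ "$f1" -gt "$f2" ] && return 0
        [ "$f1" -lt "$f2" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Succeed when the configuration line carries the ffmpeg-build-script workspace
# prefix, i.e. the binary on PATH is the source build rather than the distro package.
built_by_script() {
    printf '%s\n' "$1" | grep -q '^configuration:.*--prefix=[^ ]*ffmpeg-build/workspace'
}

# Run both checks over captured "ffmpeg -version" output; prints a verdict and
# returns 0 only when the release is >= MIN_VERSION and came from the script.
check_ffmpeg() {
    ver=$(ffmpeg_version_of "$1")
    [ -n "$ver" ] || { echo "no release number in: $(printf '%s\n' "$1" | head -n1)"; return 1; }
    version_ge "$ver" "$MIN_VERSION" || { echo "ffmpeg $ver < $MIN_VERSION: still exposed to CVE-2024-7055"; return 1; }
    built_by_script "$1" || { echo "ffmpeg $ver is new enough but not the ffmpeg-build-script build; check PATH"; return 1; }
    echo "ffmpeg $ver from ffmpeg-build-script: OK"
}

# Demo on the sample; on the server run: check_ffmpeg "$(/usr/bin/ffmpeg -version)"
check_ffmpeg "$SAMPLE_OUTPUT"
```

On the server, feed it the real output as shown in the last comment; a distro ffmpeg that is still on PATH ahead of the copied binary fails the second check even when the version number looks right.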
Finally, restart Mastodon:
sudo systemctl restart mastodon-web mastodon-sidekiq mastodon-streaming
Navigate to:
https://<your_domain>/admin/dashboard
Scroll down to the bottom of the page and verify the upgraded version of FFmpeg:
Thanks for keeping the fediverse secure for the users ^_^
yawnbox