Introduction
FFmpeg is used to play video files by a wide range of web applications. That includes probably all of the fediverse server applications such as Mastodon, Peertube, Pixelfed, Loops, etc. It's important to keep media processing software patched server-side. If a user were to upload a malicious video file to their Mastodon server, and that file gets federated to thousands of other Mastodon servers that then process the malicious video file, the potential impact could be huge.
I'm using Ubuntu 22.04 LTS for my server OS. I build Mastodon from source, not Docker.
FFmpeg application security
As you should know as a fediverse server admin, FFmpeg recently disclosed CVE-2024-7055, a critical, remotely-exploitable bug:
7.0.2
Fixes following vulnerabilities:
CVE-2024-7055
NIST makes clear that all versions up to 7.0.1 are affected:
A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical. This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.2 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-273651.
Versions of FFmpeg in Ubuntu and Debian
The version of FFmpeg in Ubuntu server 22.04 LTS is version 4.1 and it has not been patched:
https://ubuntu.com/security/CVE-2024-7055
The version of FFmpeg in Debian has been patched in Bookworm:
https://security-tracker.debian.org/tracker/CVE-2024-7055
FFmpeg Patching
Due to the complexity of installing FFmpeg from source, I wanted to find a better way. I found FFmpeg-build-script: https://github.com/markus-perl/ffmpeg-build-script.
This build script has been maintained for years and is a much simpler way of upgrading FFmpeg, written by people who know way more about this stuff than me.
FFmpeg-build-script Installation
I opted to use the "With GPL and non-free codecs" version, and have had no issue with Mastodon -- both 4.2.x and 4.3.x. Please follow the directions from the GitHub page. I am copying what I did here only as a reference.
bash <(curl -s "https://raw.githubusercontent.com/markus-perl/ffmpeg-build-script/master/web-install-gpl-and-non-free.sh?v1")
After running the script and waiting for all of the builds to take place, this was the last part of the install. Note the "user" directory which will be unique to your user.
Successfully built binary for linux-gnu: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3bb8f2ea5272ffeed84a597359143c4d052fd806, for GNU/Linux 3.2.0, stripped
Building done. The following binaries can be found here:
- ffmpeg: /home/user/ffmpeg-build/workspace/bin/ffmpeg
- ffprobe: /home/user/ffmpeg-build/workspace/bin/ffprobe
- ffplay: /home/user/ffmpeg-build/workspace/bin/ffplay
Install these binaries to your /usr/local folder? Existing binaries will be replaced. [Y/n] y
Done. FFmpeg is now installed to your system.
Check which version is installed prior to completing the installation:
/usr/bin/ffmpeg -version
Now all you have to do is copy over the binaries to the existing production locations:
sudo cp /home/user/ffmpeg-build/workspace/bin/ffmpeg /usr/bin/ffmpeg
sudo cp /home/user/ffmpeg-build/workspace/bin/ffprobe /usr/bin/ffprobe
sudo cp /home/user/ffmpeg-build/workspace/bin/ffplay /usr/bin/ffplay
Validate v7.1 is now installed:
/usr/bin/ffmpeg -version
ffmpeg version 7.1 Copyright (c) 2000-2024 the FFmpeg developers
built with gcc 11 (Ubuntu 11.4.0-1ubuntu1~22.04)
configuration: --enable-nonfree --enable-gpl --enable-openssl --enable-libdav1d --enable-libsvtav1 --enable-librav1e --enable-libx264 --enable-libx265 --enable-libvpx --enable-libxvid --enable-libvidstab --enable-libaom --enable-libzimg --enable-lv2 --enable-libopencore_amrnb --enable-libopencore_amrwb --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libtheora --enable-libfdk-aac --enable-libjxl --enable-libwebp --enable-libfreetype --enable-libsrt --enable-libzvbi --disable-ffnvcodec --enable-amf --disable-debug --disable-shared --enable-pthreads --enable-static --enable-version3 --extra-cflags='-I/home/user/ffmpeg-build/workspace/include -Wno-int-conversion -I/home/user/ffmpeg-build/workspace/include/lilv-0' --extra-ldexeflags= --extra-ldflags=-L/home/user/ffmpeg-build/workspace/lib --extra-libs='-ldl -lpthread -lm -lz' --pkgconfigdir=/home/user/ffmpeg-build/workspace/lib/pkgconfig --pkg-config-flags=--static --prefix=/home/user/ffmpeg-build/workspace --extra-version=
libavutil 59. 39.100 / 59. 39.100
libavcodec 61. 19.101 / 61. 19.101
libavformat 61. 7.100 / 61. 7.100
libavdevice 61. 3.100 / 61. 3.100
libavfilter 10. 4.100 / 10. 4.100
libswscale 8. 3.100 / 8. 3.100
libswresample 5. 3.100 / 5. 3.100
libpostproc 58. 3.100 / 58. 3.100
Notice all of the configuration flags. Several of them point at build locations under the /home/user/ffmpeg-build/ directory, or under wherever you ran the build script. That's a positive sign that the version in use is the one you built from source via FFmpeg-build-script.
Finally, restart Mastodon:
sudo systemctl restart mastodon-web mastodon-sidekiq mastodon-streaming
Navigate to:
https://<your_domain>/admin/dashboard
Scroll down to the bottom of the page and verify that the upgraded version of FFmpeg is shown.
Maintenance
Ubuntu eventually patched its version of FFmpeg. To prevent apt from replacing your source build with the patched 4.x package, perform the following:
sudo apt-mark hold ffmpeg libavcodec58:amd64 libavdevice58:amd64 libavfilter7:amd64 libavformat58:amd64 libavutil56:amd64 libpostproc55:amd64 libswresample3:amd64 libswscale5:amd64
Validate which patches are held:
dpkg --get-selections | grep hold
Output:
ffmpeg hold
libavcodec58:amd64 hold
libavdevice58:amd64 hold
libavfilter7:amd64 hold
libavformat58:amd64 hold
libavutil56:amd64 hold
libpostproc55:amd64 hold
libswresample3:amd64 hold
libswscale5:amd64 hold
If you wish to unhold these packages:
sudo apt-mark unhold ffmpeg libavcodec58:amd64 libavdevice58:amd64 libavfilter7:amd64 libavformat58:amd64 libavutil56:amd64 libpostproc55:amd64 libswresample3:amd64 libswscale5:amd64
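To re-check the whole result after the upgrade (and again after any apt run), here is a small POSIX shell script; it is an added example, not part of the original post or of ffmpeg-build-script. It assumes 7.0.2 as the first fixed release (from the changelog quoted above), the Ubuntu 22.04 package names used in the hold command, and that a build-script build can be recognised by the --prefix=.../ffmpeg-build/workspace flag in its configuration line.

```shell
#!/bin/sh
# Added example, not part of the original post: post-upgrade checks for a
# Mastodon host. Each function takes command output as its argument.

# First release that fixes CVE-2024-7055, per the FFmpeg changelog above.
FIXED_VERSION="7.0.2"

# The distro packages the post puts on hold (Ubuntu 22.04 names).
HELD_PKGS="ffmpeg libavcodec58:amd64 libavdevice58:amd64 libavfilter7:amd64
libavformat58:amd64 libavutil56:amd64 libpostproc55:amd64 libswresample3:amd64
libswscale5:amd64"

# ffmpeg_version_ok "$(ffmpeg -version)": succeed if the reported version is
# at least FIXED_VERSION. Handles "7.1", "7.0.2" and "4.4.2-0ubuntu0.22.04.1";
# git snapshot strings such as "N-1234-gabc" do not parse and count as failure.
ffmpeg_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n '1s/^ffmpeg version n\{0,1\}\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$ver" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# built_from_workspace "$(ffmpeg -version)": the configuration line of a
# ffmpeg-build-script build carries --prefix=<dir>/ffmpeg-build/workspace,
# which distinguishes it from the distro package (assumed marker).
built_from_workspace() {
    printf '%s\n' "$1" | grep -q -- '--prefix=[^ ]*/ffmpeg-build/workspace'
}

# packages_held "$(dpkg --get-selections)": succeed only if every package in
# HELD_PKGS is marked hold; names any that are not on stderr.
packages_held() {
    missing=0
    for pkg in $HELD_PKGS; do
        if ! printf '%s\n' "$1" | grep -q "^$pkg[[:space:]]*hold$"; then
            echo "not held: $pkg" >&2
            missing=1
        fi
    done
    return $missing
}

# Live run, skipped on machines without ffmpeg and dpkg.
if command -v ffmpeg >/dev/null 2>&1 && command -v dpkg >/dev/null 2>&1; then
    out=$(ffmpeg -version 2>/dev/null)
    ffmpeg_version_ok "$out" && echo "ffmpeg >= $FIXED_VERSION" || echo "ffmpeg below $FIXED_VERSION"
    built_from_workspace "$out" && echo "built via ffmpeg-build-script" || echo "not a workspace build"
    packages_held "$(dpkg --get-selections)" && echo "distro ffmpeg packages held"
fi
```

Run it from cron or after each `apt upgrade`; a non-zero exit from any of the three functions means the distro package has slipped back in or the hold was dropped.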
If you want to check all of FFmpeg's dependencies:
ldd /usr/bin/ffmpeg
linux-vdso.so.1 (0x00007ffd47607000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f443ab3f000)
libxcb.so.1 => /lib/x86_64-linux-gnu/libxcb.so.1 (0x00007f443ab15000)
libxcb-shm.so.0 => /lib/x86_64-linux-gnu/libxcb-shm.so.0 (0x00007f443ab10000)
libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f443a8e4000)
libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x00007f443a8d1000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f443a8b1000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f443a686000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f443a65b000)
/lib64/ld-linux-x86-64.so.2 (0x00007f444174e000)
libmvec.so.1 => /lib/x86_64-linux-gnu/libmvec.so.1 (0x00007f443a55e000)
libXau.so.6 => /lib/x86_64-linux-gnu/libXau.so.6 (0x00007f443a558000)
libXdmcp.so.6 => /lib/x86_64-linux-gnu/libXdmcp.so.6 (0x00007f443a550000)
libbsd.so.0 => /lib/x86_64-linux-gnu/libbsd.so.0 (0x00007f443a536000)
libmd.so.0 => /lib/x86_64-linux-gnu/libmd.so.0 (0x00007f443a529000)
I do not hold any other dependencies.
Thanks for keeping the fediverse secure for the users ^_^
yawnbox