Shameless Advert

Join our open fedi relay! relay.disobey.net

Introduction

FFmpeg is used to play video files by a wide range of web applications. That probably includes all of the fediverse server applications, such as Mastodon, Peertube, Pixelfed, Loops, etc. It's important to keep image processing software patched server-side. If a user were to upload a malicious video file to their Mastodon server, and that file gets federated to thousands of other Mastodon servers that then process the malicious video file, the potential impact could be huge.

I'm using Ubuntu 22.04 LTS for my server OS. I build Mastodon from source, not Docker.

FFmpeg application security

As you should know as a fediverse server admin, FFmpeg recently disclosed CVE-2024-7055, a critical, remotely-exploitable bug:

7.0.2

Fixes following vulnerabilities:

CVE-2024-7055

NIST makes clear that all versions up to 7.0.1 are affected:

A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical. This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.2 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-273651.

Versions of FFmpeg in Ubuntu and Debian

The version of FFmpeg in Ubuntu server 22.04 LTS is version 4.1 and it has not been patched:
https://ubuntu.com/security/CVE-2024-7055

The version of FFmpeg in Debian has been patched in Bookworm:
https://security-tracker.debian.org/tracker/CVE-2024-7055

FFmpeg patching

Due to the complexity of installing FFmpeg from source, I wanted to find a better way. Enter: the FFmpeg-build-script: https://github.com/markus-perl/ffmpeg-build-script.

This build script has been maintained for years by people who know way more about this stuff than me, and it is a much simpler way of upgrading FFmpeg. I opted to use the "With GPL and non-free codes" version, and have had no issues with Mastodon -- both 4.2.12 and the newest 4.3.0-beta1.

After running the script and waiting for all of the builds to take place, all you have to do is copy over the binaries to the existing production locations:

sudo cp /home/<user>/.local/bin/ffmpeg /usr/bin/ffmpeg
sudo cp /home/<user>/.local/bin/ffplay /usr/bin/ffplay
sudo cp /home/<user>/.local/bin/ffprobe /usr/bin/ffprobe

Validate v7.0.2 is now installed:

/usr/bin/ffmpeg -version

ffmpeg version 7.0.2 Copyright (c) 2000-2024 the FFmpeg developers
built with gcc 11 (Ubuntu 11.4.0-1ubuntu1~22.04)
configuration: --enable-nonfree --enable-gpl --enable-openssl --enable-libdav1d --enable-libsvtav1 --enable-libx264 --enable-libx265 --enable-libvpx --enable-libxvid --enable-libvidstab --enable-libaom --enable-libzimg --enable-lv2 --enable-libopencore_amrnb --enable-libopencore_amrwb --enable-libmp3lame --enable-libopus --enable-libvorbis --enable-libtheora --enable-libfdk-aac --enable-libjxl --enable-libwebp --enable-libfreetype --enable-libsrt --enable-libzvbi --disable-ffnvcodec --enable-amf --disable-debug --disable-shared --enable-pthreads --enable-static --enable-version3 --extra-cflags='-I/home/user/ffmpeg-build/workspace/include -Wno-int-conversion -I/home/user/ffmpeg-build/workspace/include/lilv-0' --extra-ldexeflags= --extra-ldflags=-L/home/user/ffmpeg-build/workspace/lib --extra-libs='-ldl -lpthread -lm -lz' --pkgconfigdir=/home/user/ffmpeg-build/workspace/lib/pkgconfig --pkg-config-flags=--static --prefix=/home/user/ffmpeg-build/workspace --extra-version=
libavutil      59.  8.100 / 59.  8.100
libavcodec     61.  3.100 / 61.  3.100
libavformat    61.  1.100 / 61.  1.100
libavdevice    61.  1.100 / 61.  1.100
libavfilter    10.  1.100 / 10.  1.100
libswscale      8.  1.100 /  8.  1.100
libswresample   5.  1.100 /  5.  1.100
libpostproc    58.  1.100 / 58.  1.100

Notice all of the configuration flags. Several of them specify build locations under the /home/user/ffmpeg-build/ directory, or wherever you built FFmpeg via the script. That's a positive sign that the version in use is the one you built from source via FFmpeg-build-script.
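The two checks above, the version number and the build path in the configuration flags, can be scripted as a gate before restarting Mastodon. This is an added example, not part of the original post or of FFmpeg-build-script; the function names are assumptions and the sample strings are constructed (the first abbreviates the output shown above).

```sh
#!/bin/sh
# Added example, not from the original post. Function names and sample strings
# are assumptions; 7.0.2 is the fixed release the post cites.
MIN_FIXED="7.0.2"

# Print the upstream version from line 1 (e.g. "7.0.2"); prints nothing when
# the version string does not start with digits, such as a git snapshot.
ffmpeg_upstream_version() {
  printf '%s\n' "$1" | sed -n '1s/^ffmpeg version \([0-9][0-9.]*\).*/\1/p'
}

# Print the --prefix= value from the "configuration:" line.
ffmpeg_build_prefix() {
  printf '%s\n' "$1" | sed -n 's/^ *configuration:.* --prefix=\([^ ]*\).*/\1/p'
}

# Return 0 when dotted version $1 >= $2, comparing components numerically
# (7.0.10 is newer than 7.0.2, which a plain string compare gets wrong).
version_ge() {
  _a=$1 _b=$2
  for _n in 1 2 3; do
    _x=${_a%%.*}; _y=${_b%%.*}
    if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 0; fi
    if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 1; fi
    case $_a in *.*) _a=${_a#*.} ;; *) _a=0 ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b=0 ;; esac
  done
  return 0
}

# 0 = fixed version built under workspace $2; 1 = vulnerable or unparseable
# version; 2 = fixed version, but not the build from $2.
check_ffmpeg() {
  _v=$(ffmpeg_upstream_version "$1")
  [ -n "$_v" ] && version_ge "$_v" "$MIN_FIXED" || return 1
  case $(ffmpeg_build_prefix "$1") in "$2"/*) return 0 ;; *) return 2 ;; esac
}

# Constructed samples: the first abbreviates the output shown in the post,
# the second imitates a distro package build.
SAMPLE_BUILT='ffmpeg version 7.0.2 Copyright (c) 2000-2024 the FFmpeg developers
configuration: --enable-gpl --enable-static --prefix=/home/user/ffmpeg-build/workspace --extra-version='
SAMPLE_DISTRO='ffmpeg version 4.1-sample Copyright (c) 2000-2024 the FFmpeg developers
configuration: --prefix=/usr --extra-version=sample --enable-gpl'

for s in "$SAMPLE_BUILT" "$SAMPLE_DISTRO"; do
  rc=0; check_ffmpeg "$s" /home/user/ffmpeg-build || rc=$?
  echo "$(ffmpeg_upstream_version "$s"): check_ffmpeg exit code $rc"
done
```

Against the live binary, pass `"$(/usr/bin/ffmpeg -version)"` as the first argument and the directory you built in as the second, and restart Mastodon only on exit code 0.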

Finally, restart Mastodon:

sudo systemctl restart mastodon-web mastodon-sidekiq mastodon-streaming

Navigate to:

https://<your_domain>/admin/dashboard

Scroll down to the bottom of the page and verify the upgraded version of FFmpeg.

Thanks for keeping the fediverse secure for the users ^_^

yawnbox