Merge branch 'master' into nextPR

terriko · web-flow · commit d2777d8594a6 · 2019-10-30T11:51:34.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -8,3 +8,4 @@ __pycache__/
 htmlcov/
 .coverage
 build/
+.eggs/*
diff --git a/cve_bin_tool/checkers/__init__.py b/cve_bin_tool/checkers/__init__.py
@@ -3,6 +3,7 @@
     "bluez",
     "curl",
     "expat",
+    "ffmpeg",
     "gnutls",
     "icu",
     "kerberos",
diff --git a/cve_bin_tool/checkers/ffmpeg.py b/cve_bin_tool/checkers/ffmpeg.py
@@ -0,0 +1,38 @@
+#!/usr/bin/python3
+
+"""
+CVE checker for ffmpeg
+
+References:
+https://www.ffmpeg.org/
+https://www.cvedetails.com/vulnerability-list/vendor_id-3611/Ffmpeg.html
+
+Note: Some of the "first vulnerable in" data may not be entered correctly.
+"""
+from ..util import regex_find
+
+
+def get_version(lines, filename):
+    """returns version information for ffmpeg as found in a given file.
+    The version info is returned as a tuple:
+        [modulename, is_or_contains, version]
+
+    modulename will be ffmpeg if ffmpeg is found (and blank otherwise)
+    is_or_contains indicates if the file is a copy of ffmpeg or contains one
+    version gives the actual version number
+
+    VPkg: ffmpeg, ffmpeg
+    """
+    is_ffmpeg = "Codec '%s' is not recognized by FFmpeg." in lines
+    version_regex = [r"%s version ([0-9]+\.[0-9]+\.[0-9]+)"]
+    version_info = dict()
+    if filename[::-1].startswith(("ffmpeg")[::-1]):
+        version_info["is_or_contains"] = "is"
+    else:
+        version_info["is_or_contains"] = "contains"
+
+    if "is_or_contains" in version_info:
+        version_info["modulename"] = "ffmpeg"
+        version_info["version"] = regex_find(lines, *version_regex)
+
+    return version_info
diff --git a/test/binaries/test-ffmpeg-4.1.4.c b/test/binaries/test-ffmpeg-4.1.4.c
@@ -0,0 +1,12 @@
+#include <stdio.h>
+
+int main() {
+	printf("This program is designed to test the cve-bin-tool checker.");
+	printf("It outputs a few strings normally associated with ffmepg 4.1.3.");
+	printf("They appear below this line.");
+	printf("------------------");
+	printf("Codec '%s' is not recognized by FFmpeg.", "whatever");
+	printf("%s version 4.1.4", "FFmpeg");
+
+	return 0;
+}
diff --git a/test/test_scanner.py b/test/test_scanner.py
@@ -229,6 +229,22 @@ def test_expat_deb_2_2_0(self):
             "2.2.0",
         )
 
+    def test_ffmpeg_4_1_4(self):
+        """Scanning test-ffmpeg-4.1.4.out"""
+        self._binary_test(
+            "test-ffmpeg-4.1.4.out",
+            "ffmpeg",
+            "4.1.4",
+            [
+                # known cves in 4.1.4
+                "CVE-2019-12730"
+            ],
+            [
+                # an older cve from before 4.1.4
+                "CVE-2019-11339"
+            ],
+        )
+
     def test_jpeg_2_0_1(self):
         """Scanning test-libjpeg-turbo-2.0.1"""
         self._binary_test(
