| Summary: | FFmpeg 4.3.2 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, mageia, ouaurelien, smelror, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | ffmpeg-4.3.1-4.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2021-02-24 17:17:00 CET
Hi, thanks for reporting this. As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it.)

CC: (none) => mageia, ouaurelien, smelror

The fixes for the CVEs that are included in 4.3.2 are already in MGA8; however, I plan on pushing 4.3.2 as an update as soon as Mageia 8 is released.

Cheers,
Stig

Assignee: pkg-bugs => smelror

Thanks, yeah, there are almost always security fixes without CVEs. Some might get CVEs later.

Note that there are core and tainted builds for this package.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8065#c6
https://bugs.mageia.org/show_bug.cgi?id=14042#c6

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

This update provides ffmpeg version 4.3.2, which fixes several security vulnerabilities and other bugs which were corrected upstream.

References:
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.3.2
http://ffmpeg.org/download.html
http://ffmpeg.org/security.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-4.3.2-1.mga8
libavcodec58-4.3.2-1.mga8
libavfilter7-4.3.2-1.mga8
libavformat58-4.3.2-1.mga8
libavutil56-4.3.2-1.mga8
libffmpeg-devel-4.3.2-1.mga8
libswscaler5-4.3.2-1.mga8
libavresample4-4.3.2-1.mga8
libswresample3-4.3.2-1.mga8
libpostproc55-4.3.2-1.mga8
libffmpeg-static-devel-4.3.2-1.mga8

from ffmpeg-4.3.2-1.mga8.src.rpm

Assignee: smelror => qa-bugs

Packages may need to be resubmitted ...

The following packages have bad signatures:
ffmpeg-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64avcodec58-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64avfilter7-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64avformat58-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64avresample4-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64avutil56-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64postproc55-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64swresample3-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))
lib64swscaler5-4.3.2-1.mga8.tainted.x86_64.rpm: Missing signature (OK ((none)))

Reported on the sysadmin-discuss ML too.

CC: (none) => davidwhodgins

Sysadmins, please remove these packages from updates_testing so they can be resubmitted as-is.

Assignee: qa-bugs => sysadmin-bugs

Removed and re-submitted.

Assignee: sysadmin-bugs => qa-bugs

Tested ffplay with an AVI file I recorded years ago with my TV card (core/updates_testing version) and it works fine on Mageia 8 x86_64. Someone needs to test the tainted version.

Testing:

$ rpm -qa | grep ffmpeg
ffmpeg-4.3.2-1.mga8.tainted

No more missing signature as per comments 5 to 7. Installed over existing version OK. Reading and encoding files OK. Giving this OK for the tainted version. As the core version was OK'ed in comment 8, MGA8-64-OK. Thus, validating.

(and reassigning as security bug, per advisory)

QA Contact: (none) => security

Un-validating: on April 8th, 2021, FFmpeg 4.4 "Rao" was released with fixed vulnerabilities:

Fixes following vulnerabilities:
CVE-2020-13904, 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc
CVE-2020-13904, b5e39880fb7269b1b3577cee288e06aa3dc1dfa2
CVE-2020-14212, 0b3bd001ac1745d9d008a2d195817df57d7d1d14
CVE-2020-20450, 5400e4a50c61e53e1bc50b3e77201649bbe9c510, ticket/7993
CVE-2020-21041, 5d9f44da460f781a1604d537d0555b78e29438ba, ticket/7989
CVE-2020-22038, 7c32e9cf93b712f8463573a59ed4e98fd10fa013, ticket/8285
CVE-2020-22042, 426c16d61a9b5056a157a1a2a057a4e4d13eef84, ticket/8267
CVE-2020-24020, 584f396132aa19d21bb1e38ad9a5d428869290cb, ticket/8718
CVE-2020-35965, 3e5959b3457f7f1856d997261e6ac672bba49e8b
CVE-2020-35965, b0a8b40294ea212c1938348ff112ef1b9bf16bb3

@David, do we need to push this and open a new bug report on this?

Keywords: advisory, validated_update => (none)

We don't update to newer ffmpeg branches on stable releases, as it breaks things. We'll expect security fixes to get backported to a 4.3.3 release upstream. If needed, we can ask Michael N., the upstream maintainer, to produce such an update.

(In reply to David Walser from comment #11)
> We don't update to newer ffmpeg branches on stable releases, as it breaks
> things. We'll expect security fixes to get backported to a 4.3.3 release
> upstream. If needed, we can ask Michael N., the upstream maintainer, to
> produce such an update.

So let's push this version 4.3.2 to core/updates and open a new bug report for fixes in FFmpeg 4.4.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0350.html

Resolution: (none) => FIXED

CVE-2020-21688 and CVE-2020-21697 were also fixed in 4.3.2:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RHYNSW2TAJSSTZPOYXQXGZDI6LYBWIT4/

CVE-2020-35965 was fixed in 4.3.2:
https://security-tracker.debian.org/tracker/CVE-2020-35965
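The "Missing signature (OK ((none)))" lines in the resubmission comment above are what a signature check reports when an RPM's header carries no OpenPGP signature at all; rpm renders an absent signature tag as "(none)". The script below is an added example, not Mageia's QA tooling and not anything attached to this bug, showing how a packager can run the equivalent check locally before submitting to updates_testing. It assumes an rpm that understands the RSAHEADER and SIGPGP tags and the pgpsig formatter (rpm 4.x); the key ID and the tag strings used in the checks are constructed, not taken from any real package.

```shell
#!/bin/sh
# Added example, not part of this bug report or of Mageia's QA scripts.
# Report RPMs that carry no OpenPGP signature, or whose signature does not
# verify, before they are submitted to updates_testing.
#
# rpm prints "(none)" for a signature tag that is absent; that is the "(none)"
# seen in the "Missing signature (OK ((none)))" lines of the QA report.

# classify_sig TAGS
#   TAGS is one line of output from
#     rpm -qp --qf '%{RSAHEADER:pgpsig}|%{SIGPGP:pgpsig}\n' PKG
#   i.e. the header-only signature and the legacy header+payload signature,
#   each rendered as "(none)" when absent.  Prints "missing" and returns 1
#   if neither is set; otherwise prints "signed KEYID" and returns 0.
classify_sig() {
    header=${1%%|*}
    legacy=${1#*|}
    if [ "$header" != "(none)" ]; then
        sig=$header
    elif [ "$legacy" != "(none)" ]; then
        sig=$legacy
    else
        echo missing
        return 1
    fi
    # The pgpsig formatter renders a signature as
    # "RSA/SHA256, <date>, Key ID <16 hex digits>"; keep only the key ID.
    case $sig in
        *"Key ID "*) echo "signed ${sig##*Key ID }" ;;
        *)           echo "signed (unrecognised tag format: $sig)" ;;
    esac
}

# check_rpm_signatures PKG...
#   Classifies each file with classify_sig, then lets rpm verify whatever
#   signatures it did find against the imported keys.  Returns non-zero if
#   any package is unsigned, unreadable, or fails verification.
check_rpm_signatures() {
    rc=0
    for pkg in "$@"; do
        # --nosignature: read the header here without rpm verifying it yet.
        if ! tags=$(rpm -qp --nosignature \
                    --qf '%{RSAHEADER:pgpsig}|%{SIGPGP:pgpsig}\n' "$pkg"); then
            echo "$pkg: cannot read package header"
            rc=1
            continue
        fi
        if status=$(classify_sig "$tags"); then
            echo "$pkg: $status"
        else
            echo "$pkg: MISSING SIGNATURE"
            rc=1
        fi
    done
    # rpm -K verifies digests and any signature that is present, but for a
    # package with no signature it only reports the digests as OK and exits 0,
    # so it cannot replace the tag check above.
    rpm -K "$@" || rc=1
    return $rc
}

# Usage: sh check_rpm_signatures.sh *.rpm
if [ "$#" -gt 0 ]; then
    check_rpm_signatures "$@"
fi
```

Run it over the binary RPMs before uploading; a non-zero exit means at least one package would come back from QA with the same "Missing signature" report, or has a signature that does not verify against the keys on the build host.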