| Summary: | ffmpeg new security issue CVE-2022-3341 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | ffmpeg-4.3.5-1.1.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2023-01-27 00:15:06 CET
David Walser
2023-01-27 00:15:22 CET
Whiteboard:
(none) =>
MGA8TOO

Hi,

After verifying here: https://security-tracker.debian.org/tracker/CVE-2022-3341 and checking the code, I can confirm only Mageia 8 is affected by that CVE.

Best regards,

Nico.

Version:
Cauldron =>
8

(In reply to David Walser from comment #0)
> SUSE has issued an advisory today (January 26):
> https://lists.suse.com/pipermail/sle-security-updates/2023-January/013546.html
>
> Mageia 8 is also affected.

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2JWZZIMFVNIVI2WC4FQWKH6CT5CTUP7N/

Assigning to the registered maintainer.

Assignee:
bugsquad =>
smelror

Advisory
========

An upstream patch to fix CVE-2022-3341 has been backported.

CVE-2022-3341: A null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash.

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2022-3341
https://security-tracker.debian.org/tracker/CVE-2022-3341

Files
=====

Uploaded to core/updates_testing

lib64swresample3-4.3.5-1.2.mga8
lib64postproc55-4.3.5-1.2.mga8
lib64avresample4-4.3.5-1.2.mga8
lib64avutil56-4.3.5-1.2.mga8
lib64swscaler5-4.3.5-1.2.mga8
lib64ffmpeg-devel-4.3.5-1.2.mga8
lib64avformat58-4.3.5-1.2.mga8
lib64avfilter7-4.3.5-1.2.mga8
ffmpeg-4.3.5-1.2.mga8
lib64avcodec58-4.3.5-1.2.mga8
lib64ffmpeg-static-devel-4.3.5-1.2.mga8

from ffmpeg-4.3.5-1.2.mga8.src.rpm

Uploaded to tainted/updates_testing

lib64swresample3-4.3.5-1.2.mga8.tainted
lib64postproc55-4.3.5-1.2.mga8.tainted
lib64avresample4-4.3.5-1.2.mga8.tainted
lib64avutil56-4.3.5-1.2.mga8.tainted
lib64swscaler5-4.3.5-1.2.mga8.tainted
lib64ffmpeg-devel-4.3.5-1.2.mga8.tainted
lib64avformat58-4.3.5-1.2.mga8.tainted
lib64avfilter7-4.3.5-1.2.mga8.tainted
ffmpeg-4.3.5-1.2.mga8.tainted
lib64avcodec58-4.3.5-1.2.mga8.tainted
lib64ffmpeg-static-devel-4.3.5-1.2.mga8.tainted

from ffmpeg-4.3.5-1.2.mga8.src.rpm

Assignee:
smelror =>
qa-bugs

mga8, x64
ffmpeg tainted had been working fine on this machine for earlier versions.
No regressions noted for the updated version.
Updated all the packages and ran similar tests to those in earlier ffmpeg updates.
$ ffmpeg -L
shows the licence and the configuration options for compiling with gcc plus the libraries which are needed.
Add a subtitle stream to a video file:
$ ffmpeg -report -n -i Byzantium.mp4 -f srt -i Byzantium.srt -c:s mov_text \
-metadata:s:s:0 language=eng -c:v copy -c:a copy Byzantium_st.mp4
ffmpeg version 4.3.5 Copyright (c) 2000-2022 the FFmpeg developers
built with gcc 10 (Mageia 10.4.0-3.mga8)
[...]
Metadata:
major_brand : isom
minor_version : 512
compatible_brands: isomiso2avc1mp41
media_type : 10
[...]
frame=151816 fps=60721 q=-1.0 size= 1926400kB time=00:50:42.04 bitrate=5187.7kbi
frame=178602 fps=59882 q=-1.0 Lsize= 2267615kB time=00:59:32.01 bitrate=5200.5kbits/s speed=1.2e+03x
video:2207326kB audio:55813kB subtitle:39kB other streams:0kB global headers:0kB muxing overhead: 0.196034%
Byzantium_st.mp4 played fine with vlc and subtitles were available.
The command line output can be saved by including -report in the command. In this case the output went to ffmpeg-20230206-091234.log.
Converted an AVI file to MP4. It takes a while and uses all the CPU cores at about 70% - resulting file plays OK in totem. In contrast with bug 31067 sound worked after this conversion, no codecs specified.
Ran ffmulticonverter under strace (Thanks TJ). Conversion from MP4 to WMV was very quick but the video degraded somewhat. The trace showed the ffmpeg binary being used.
The tainted version works without problems.

CC:
(none) =>
tarazed25

MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Used ffmulticonverter with Core versions to convert an mpg to ogg.
Used ffmulticonverter with tainted versions to convert an avi to mpg.
All resulting files display OK
Together with Len's tests, good to go for me.

CC:
(none) =>
herman.viaene

Thanks, guys.

Validating. Advisory in Comment 4.

Keywords:
(none) =>
validated_update
Dave Hodgins
2023-02-14 21:13:20 CET
CC:
(none) =>
davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0043.html

Status:
NEW =>
RESOLVED |
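
The bug class named in the advisory above, an unchecked avformat_new_stream() return value, modelled as an added C example. It is not FFmpeg's code or the backported patch; `Ctx`, `Stream`, `new_stream()`, `free_streams()`, `MAX_STREAMS` and both `decode_header_*` functions are hypothetical stand-ins.

```c
#include <errno.h>
#include <stdlib.h>

#define MAX_STREAMS 4   /* constructed limit so that creation can fail */

/* Hypothetical stand-ins for a demuxer context and its streams. */
typedef struct { int index; int time_base_id; } Stream;
typedef struct { Stream *streams[MAX_STREAMS]; int nb_streams; } Ctx;

/* Like avformat_new_stream(), this returns NULL when no stream can be made. */
static Stream *new_stream(Ctx *c) {
    Stream *st = c->nb_streams < MAX_STREAMS ? calloc(1, sizeof(*st)) : NULL;
    if (st) {
        st->index = c->nb_streams;
        c->streams[c->nb_streams++] = st;
    }
    return st;
}

/* Release every stream created so far and clear the slots. */
static void free_streams(Ctx *c) {
    while (c->nb_streams > 0) {
        free(c->streams[--c->nb_streams]);
        c->streams[c->nb_streams] = NULL;
    }
}

/* Unchecked shape: the return value is used without being tested. */
int decode_header_unchecked(Ctx *c, int stream_count) {
    for (int i = 0; i < stream_count; i++) {
        Stream *st = new_stream(c);     /* may be NULL */
        st->time_base_id = i;           /* NULL dereference on failure */
    }
    return 0;
}

/* Checked shape: test each result, unwind partial state, return an error. */
int decode_header_checked(Ctx *c, int stream_count) {
    for (int i = 0; i < stream_count; i++) {
        Stream *st = new_stream(c);
        if (!st) {
            free_streams(c);
            return -ENOMEM;
        }
        st->time_base_id = i;
    }
    return 0;
}

/* Self-check: a header asking for too many streams is rejected, not crashed on. */
int main(void) {
    Ctx c = {0};
    return decode_header_checked(&c, MAX_STREAMS + 2) == -ENOMEM ? 0 : 1;
}
```

`decode_header_unchecked()` is kept only for comparison and is never called; the stream count it loops over is read from the file, so a header that requests more streams than can be created reaches the dereference.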