Bug 31677

Summary: ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2024-31578
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Stig-Ørjan Smelror <smelror>
Status: NEW --- QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: nicolas.salguero
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=31796
https://bugs.mageia.org/show_bug.cgi?id=32964
Whiteboard: MGA9TOO
Source RPM: ffmpeg-5.1.4-2.1.mga10.src.rpm CVE:
Status comment: Fixed upstream in 7.0
Bug Depends on: 33338    
Bug Blocks:    

Description David Walser 2023-03-15 15:29:43 CET 
+++ This bug was initially created as a clone of Bug #31675 +++

Fedora has issued an advisory today (March 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FTSFKF7VKRUQBG3BV5JUKE7ZZLGPI34D/

The issues are fixed upstream in 6.0.

Mageia 8 is also affected.

These CVEs came from Chrome.  I don't see any added patches in the Chromium source code, though they might have just updated the ffmpeg source itself.

Leaving this bug for when/if we get any additional information on these CVEs.
David Walser 2023-03-15 15:29:54 CET

Status comment: (none) => Fixed upstream in 6.0

David Walser 2023-04-13 18:19:53 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31796

Nicolas Salguero 2024-03-13 15:39:31 CET

Whiteboard: (none) => MGA9TOO
CC: (none) => nicolas.salguero

Nicolas Salguero 2024-03-13 15:46:20 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=32964

Comment 1 Nicolas Salguero 2024-05-02 11:47:41 CEST 
SUSE has issued an advisory on April 29:
https://lwn.net/Articles/971733/

Status comment: Fixed upstream in 6.0 => Fixed upstream in 7.0
Summary: ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7] => ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2024-31578

Comment 2 Nicolas Salguero 2024-06-18 09:51:33 CEST 
Debian has issued an advisory on June 15:
https://lwn.net/Articles/978677/

Summary: ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2024-31578 => ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2023-50010, CVE-2023-5179[3458], CVE-2023-51798, CVE-2024-31578, CVE-2024-31585

Nicolas Salguero 2024-06-18 09:51:53 CEST

Source RPM: ffmpeg-5.1.2-3.mga9.src.rpm => ffmpeg-5.1.4-2.1.mga10.src.rpm

Comment 3 Nicolas Salguero 2024-06-27 16:21:43 CEST 
If I understand correctly the information I found from Debian, version 5.1.5 should solve CVE-2023-50010, CVE-2023-5179[3458] and CVE-2024-31585.

Summary: ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2023-50010, CVE-2023-5179[3458], CVE-2023-51798, CVE-2024-31578, CVE-2024-31585 => ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2023-50010, CVE-2023-5179[3458], CVE-2024-31578, CVE-2024-31585

Nicolas Salguero 2024-06-27 16:47:47 CEST

Depends on: (none) => 33338

Comment 4 Nicolas Salguero 2024-06-27 16:48:47 CEST 
CVE-2023-50010, CVE-2023-5179[3458] and CVE-2024-31585 in bug 33338.

Summary: ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2023-50010, CVE-2023-5179[3458], CVE-2024-31578, CVE-2024-31585 => ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2024-31578