Bug 31796

Summary: ffmpeg new security issues CVE-2022-2566 and CVE-2022-48434
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Stig-Ørjan Smelror <smelror>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: nicolas.salguero
Version: 8
Target Milestone: ---
Hardware: All
OS: Linux
See Also: https://bugs.mageia.org/show_bug.cgi?id=31677
Whiteboard:
Source RPM: ffmpeg-4.3.5-1.2.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 6.0

Description David Walser 2023-04-13 18:19:34 CEST
Fedora has issued an advisory today (April 13):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PQHNSWXFUN3VJ3AO2AEJUK3BURSGM5G2/

It claims that CVE-2022-48434 is fixed upstream in 5.1.3, but upstream's page only shows that being fixed in 6.0, so we should double-check that for Cauldron. Upstream's page also shows CVE-2022-2566 fixed in 6.0, which we haven't addressed yet.
http://ffmpeg.org/security.html

There are other issues fixed in 6.0 in Bug 31677.

David Walser 2023-04-13 18:19:53 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31677

Comment 1 Lewis Smith 2023-04-13 21:49:09 CEST
Another ffmpeg CVE fix for Stig.

Assignee: bugsquad => smelror
Status comment: (none) => ? fixed in 6.0

David Walser 2023-04-14 01:12:29 CEST

Status comment: ? fixed in 6.0 => Fixed upstream in 6.0

Comment 2 David Walser 2023-05-06 23:39:01 CEST
SUSE has issued an advisory for CVE-2022-48434 on May 2:
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014717.html

They backported a fix to FFmpeg 4.4.x.

Comment 3 Nicolas Salguero 2024-03-13 15:38:32 CET
Mageia 8 EOL.

Status: NEW => RESOLVED
Resolution: (none) => OLD
CC: (none) => nicolas.salguero