FFmpeg 4.1.6 has been released on July 5, fixing more security issues:
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1.6
http://ffmpeg.org/download.html
http://ffmpeg.org/security.html

Note that there are core and tainted builds for this package.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8065#c6
https://bugs.mageia.org/show_bug.cgi?id=14042#c6

Advisory:
========================

Updated ffmpeg packages fix security vulnerabilities:

This update provides ffmpeg version 4.1.6, which fixes several security vulnerabilities and other bugs which were corrected upstream.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12284
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13904
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1.6
http://ffmpeg.org/download.html
http://ffmpeg.org/security.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
ffmpeg-4.1.6-1.mga7
libavcodec58-4.1.6-1.mga7
libpostproc55-4.1.6-1.mga7
libavformat58-4.1.6-1.mga7
libavutil56-4.1.6-1.mga7
libavresample4-4.1.6-1.mga7
libswscaler5-4.1.6-1.mga7
libavfilter7-4.1.6-1.mga7
libswresample3-4.1.6-1.mga7
libffmpeg-devel-4.1.6-1.mga7
libffmpeg-static-devel-4.1.6-1.mga7

from ffmpeg-4.1.6-1.mga7.src.rpm
Assignee: bugsquad => qa-bugs
Keywords: (none) => has_procedure
MGA7-64 Plasma on Lenovo B50
No installation issues.
Used mplayer to play one of my self-created mpg's. Plays OK, but this is not sufficient as test, because the video has no sound (capture of old 8mm BW film)
Played with mplayer:
$ mplayer Swamplands\ USA.m2t
(file captured from TV): sound and image OK.
Converting
$ ffmpeg -i Swamplands\ USA.m2t Swamplands\ USA.avi
then playing
$ mplayer Swamplands\ USA.avi
MPlayer 1.4-1.mga7.tainted-8.3.1 (C) 2000-2019 MPlayer Team
do_connect: could not connect to socket
connect: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing Swamplands USA.avi.
libavformat version 58.20.100 (external)
AVI file format detected.
[aviheader] Video stream found, -vid 0
[aviheader] Audio stream found, -aid 1
VIDEO: [FMP4] 720x576 24bpp 25.000 fps 999.1 kbps (122.0 kbyte/s)
etc......
Plays OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
@Herman: Noted that you used mplayer tainted - ffmpeg tainted as well?

Adding my two cents-worth.

mga7, x64

Tainted packages in place - testing these first.
Ran fine before updating - successfully converted an MKV file to MP4. The 'strict -2' option worked this time.

CVE-2020-12284
The buffer overflow issue can be tested with a version of ffmpeg built with fuzzer target code and asan so this is out of bounds for QA.

CVE-2020-13904
https://trac.ffmpeg.org/ticket/8673
Use after free issue with MP3 files.
PoC file: https://trac.ffmpeg.org/attachment/ticket/8673/input
#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATIONèî
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:.82,
au_to0.ts
EXT-X-ENDLIST

$ ffmpeg -i poc.13904
ffmpeg version 4.1.5 Copyright (c) 2000-2020 the FFmpeg developers
built with gcc 8.3.1 (Mageia 8.3.1-0.20190524.1.mga7) 20190524
configuration: --prefix=/usr --enable-shared --enable-pic --libdir=/usr/lib64
[...]
libswresample 3. 3.100 / 3. 3.100
libpostproc 55. 3.100 / 55. 3.100
[hls,applehttp @ 0xd56800] Opening 'au_to0.ts' for reading
[hls,applehttp @ 0xd56800] Failed to open segment 0 of playlist 0
[hls,applehttp @ 0xd56800] Error when loading first segment 'au_to0.ts'
poc.13904: Invalid data found when processing input

This differs from the upstream listing, probably because that was run in an asan test framework.
---------------------------------------------------------------------------
Enabled tainted updates testing and ran MageiaUpdate.. Installed 11 packages.
Sampling:
$ rpm -q ffmpeg lib64avcodec58 lib64ffmpeg-devel
ffmpeg-4.1.6-1.mga7.tainted
lib64avcodec58-4.1.6-1.mga7.tainted
lib64ffmpeg-devel-4.1.6-1.mga7.tainted

CVE-2020-13904
$ ffmpeg -i poc.13904
This produced the same output as the previous test apart from the ffmpeg version number. Fixed already possibly.

Tests on music and video files:
$ ffmpeg -i HandelTrumpetConcerto_in_D.mkv -strict -2 -c:a copy -c:v libxvid output.mp4
$ ffmpeg -i HandelTrumpetConcerto_in_D.mkv -strict -2 -c:a copy -c:v libxvid output.mp4
ffmpeg version 4.1.6 Copyright (c) 2000-2020 the FFmpeg developers
built with gcc 8.4.0 (Mageia 8.4.0-1.mga7)
configuration: --prefix=/usr --enable-shared --enable-pic --libdir=/usr/lib64
[...]
libswresample 3. 3.100 / 3. 3.100
libpostproc 55. 3.100 / 55. 3.100
Input #0, matroska,webm, from 'HandelTrumpetConcerto_in_D.mkv':
Metadata:
COMPATIBLE_BRANDS: iso6avc1mp41
[...]
frame=17961 fps=547 q=31.0 Lsize= 36109kB time=00:09:58.76 bitrate= 494.0kbits/s speed=18.2x
video:25792kB audio:9841kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 1.332974%
$ ll
-rw-r--r-- 1 lcl lcl 50911340 Oct 29 2018 HandelTrumpetConcerto_in_D.mkv
-rw-r--r-- 1 lcl lcl 36975246 Jul 8 13:56 output.mp4

output.mp4 played fine in vlc tainted - sound and video.

$ ffmpeg -i ESOCAST2_POD.m4v esocast.avi
Worked fine and parole played it OK.
Likewise:
$ ffmpeg -i NOVR.mkv novr.wmv
$ ffmpeg -i NOVR.mkv -an scodec copy novr.wmv
failed.
This worked:
$ ffmpeg -i TouringVestasCraters.mov tour.flv

Giving tainted updates the OK.
CC: (none) => tarazed25
Continuing this, tried to replace the tainted packages by core packages before updating and hit a snag. First of all it was impossible to remove the current packages because they depended on packages which are older than the ones installed. Tried for instance:
# urpme --nodeps lib64avcodec58
and that offered to remove 75 other packages, which seemed undesirable.
Would downgrade do it?
# urpmi --downgrade lib64avcodec58
The following package has to be removed for others to be upgraded:
lib64avcodec58-4.1.5-1.mga7.tainted.x86_64
(in order to install lib64avcodec58-4.1.5-1.mga7.x86_64) (y/N) y
$MIRRORLIST: media/core/updates/lib64avcodec58-4.1.5-1.mga7.x86_64.rpm
installing lib64avcodec58-4.1.5-1.mga7.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/1: lib64avcodec58 #############################################
1/1: removing lib64avcodec58-4.1.5-1.mga7.tainted.x86_64

That worked although it does not sound like a downgrade, just a change from tainted to core at the same version level. Ah well.
Replaced the whole stack but there was a glitch with the devel package - it wanted to install half of the 78 packages from tainted updates, which was disabled. Said No and it proceeded to install all of them from core and updates. So very confusing but looks like it is sorted now.

Going for updates testing now.
$ urpmi.update -a
$ MageiaUpdate
11 packages - clean install.

Converted HD music video and played the resulting AVI file in tainted vlc.
$ ffmpeg -i Corelli...mkv corelli.avi
The sound was fine but the video a little "watery".
Tried an MKV to WMV conversion on a 4K video. It was played in HD format with a 4K codec with noticeable video degradation.

WAV to MP4 conversion does not work.
$ ffmpeg -i AsLongAsICanSeeTheLight.wav creedence.mp4
....
Automatic encoder selection failed for output stream #0:0. Default encoder for format mp4 (codec aac) is probably disabled. Please choose an encoder manually.
Error selecting an encoder for stream 0:0
Automatic encoder selection failed for output stream #0:0. Default encoder for format mp4 (codec aac) is probably disabled. Please choose an encoder manually.
Error selecting an encoder for stream 0:0

(It works in tainted because the aac codec is available.)

It does however work for straight audio:
$ ffmpeg -i AsLongAsICanSeeTheLight.wav creedence.mp3
$ ffmpeg -i AsLongAsICanSeeTheLight.wav creedence.flac
$ ffmpeg -i AsLongAsICanSeeTheLight.wav creedence.ogg
$ ffmpeg -i creedence.flac creedence_2.ogg
$ ffmpeg -i creedence_2.ogg creedence_2.wav
$ ll AsLongAsICanSeeTheLight.wav creedence_2.wav
-rw-r--r-- 1 lcl lcl 36839420 Jan 10 2011 AsLongAsICanSeeTheLight.wav
-rw-r--r-- 1 lcl lcl 36840270 Jul 8 17:50 creedence_2.wav

The files indicated in bug 14042 do not seem to be available on line any more but there is a copy here in the QA archives.
$ ffmpeg -i Fashion_DivX720p_ASP.divx fashion.avi
Sound and video work fine.

This should be enough to confirm the OK.
Just a thought, Len...

In many cases it might be adequate (and easier) to create a vbox guest with tainted repos disabled for testing purposes. That way you wouldn't run into much of the dependency hell you saw.

Validating. Advisory in Comment 1.

(Whoever pushes this, please remember to push both non-tainted and tainted packages.)
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
@TJ, comment 6. Yes, that sounds a good idea but I have trouble maintaining my VMs. Never seem to find the time. However I do need to get a grip on that side of things and also make sure there is at least one viable i586 vbox. Thanks.
With reference to comment 5 - should have made it clear that the second report was for the core updates version.
CC: (none) => mageia
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0290.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
I don't see tainted srpm in the advisory. Deja vu? Anyway, applet wants to remove my tainted ffmpeg packages to do this update. Confused. Thanks.
CC: (none) => rolfpedersen
Nicolas, you forgot tainted again.
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
And after I put a reminder in Comment 6, too.
And I mentioned it above the advisory (as I try to do with these dual-repository ones) and in the standard place above the rpms list. Of course it would help if we could get someone on the QA team again doing the SVN advisories. When we devised this system originally, that was how it was supposed to work. We abused tmb for years letting him do it instead.
Looking back about two years, in QA there were three people at least who started to look at preparing advisories. That fizzled out. I had particular difficulties with configuring things so the advisories could be pushed and gave up in the end. Now I would not have the time.
ffmpeg-4.1.6-1.mga7.tainted.src.rpm still has to be moved from Mageia 7 tainted updates testing to tainted updates.
Assignee: qa-bugs => sysadmin-bugs
CC: (none) => davidwhodgins
Still supposed to be assigned to qa-bugs. Has the SVN advisory been fixed?
Assignee: sysadmin-bugs => qa-bugs
(In reply to David Walser from comment #16)
> Still supposed to be assigned to qa-bugs. Has the SVN advisory been fixed?

Yes.
$ head -n 11 mageia-advisories/advisories/26917.adv |tail -n 6
src:
  7:
    core:
      - ffmpeg-4.1.6-1.mga7
    tainted:
      - ffmpeg-4.1.6-1.mga7.tainted
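The manual check in the comment above, as an added example that is not part of the thread or of Mageia's own tooling: a small indentation-following reader for the `src:` section of an advisory file that reports which media list no source package. The sample's indentation, the `description` line and the function names are assumptions; the package names are the ones quoted in the thread.

```python
# Sample built from the six lines quoted in the thread; the indentation and
# the trailing "description" line are constructed for this example.
ADV_COMPLETE = """\
src:
  7:
    core:
      - ffmpeg-4.1.6-1.mga7
    tainted:
      - ffmpeg-4.1.6-1.mga7.tainted
description: constructed placeholder
"""
# Constructed variant with the tainted entry left out.
ADV_CORE_ONLY = ADV_COMPLETE.replace(
    "    tainted:\n      - ffmpeg-4.1.6-1.mga7.tainted\n", "")


def src_media(adv_text, release):
    """Return {medium: [source packages]} found under src -> release."""
    media, path = {}, []          # path: stack of (indent, key) we are inside
    for raw in adv_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        is_item = text.startswith("- ")
        # Leave mappings that ended; a list item may sit at its key's indent.
        while path and (path[-1][0] > indent or
                        (path[-1][0] == indent and not is_item)):
            path.pop()
        keys = [key for _, key in path]
        if is_item:
            if len(keys) == 3 and keys[:2] == ["src", str(release)]:
                media.setdefault(keys[2], []).append(text[2:].strip())
        elif text.endswith(":"):
            path.append((indent, text[:-1].strip()))
    return media


def missing_media(adv_text, release, required=("core", "tainted")):
    """Media from `required` that list no source package for `release`."""
    found = src_media(adv_text, release)
    return [m for m in required if not found.get(m)]


if __name__ == "__main__":
    for name, adv in (("complete", ADV_COMPLETE), ("core only", ADV_CORE_ONLY)):
        print(name, "-> missing:", missing_media(adv, 7) or "none")
```

This follows indentation only and is not a general YAML parser, so it is suited to a pre-push sanity check rather than to validating the whole advisory file.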
done
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
CVE-2020-22049 was also fixed in 4.1.6: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RHYNSW2TAJSSTZPOYXQXGZDI6LYBWIT4/
CVE-2020-24020 was also fixed in 4.1.6: https://security-tracker.debian.org/tracker/CVE-2020-24020