Debian-LTS has issued an advisory on January 31: https://www.debian.org/lts/security/2021/dla-2537 The issue will be fixed in 4.1.7 and 4.3.2. Debian has commit links: https://security-tracker.debian.org/tracker/CVE-2020-35965
Status comment: (none) => Patches available from upstreamWhiteboard: (none) => MGA8TOO, MGA7TOO
fixed in cauldron.
CC: (none) => mageiaVersion: Cauldron => 7Whiteboard: MGA8TOO, MGA7TOO => (none)
Different paople have commited this, so asigning the bug globally; CC'ing Stig who has done it several times.
Assignee: bugsquad => pkg-bugsCC: (none) => smelror
Source RPM: ffmpeg-4.3.1-4.mga8.src.rpm => ffmpeg-4.1.6-1.mga7.src.rpm
Note that there are core and tainted builds for this package. Advisory: ======================== Updated ffmpeg packages fix security vulnerability: An out-of-bounds write in decode_frame in libavcodec/exr.c because of errors in calculations of when to perform memset zero operations (CVE-2020-35965). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35965 https://www.debian.org/lts/security/2021/dla-2537 ======================== Updated packages in {core,tainted}/updates_testing: ======================== ffmpeg-4.1.6-1.1.mga7 libavcodec58-4.1.6-1.1.mga7 libpostproc55-4.1.6-1.1.mga7 libavformat58-4.1.6-1.1.mga7 libavutil56-4.1.6-1.1.mga7 libavresample4-4.1.6-1.1.mga7 libswscaler5-4.1.6-1.1.mga7 libavfilter7-4.1.6-1.1.mga7 libswresample3-4.1.6-1.1.mga7 libffmpeg-devel-4.1.6-1.1.mga7 libffmpeg-static-devel-4.1.6-1.1.mga7 from ffmpeg-4.1.6-1.1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugsStatus comment: Patches available from upstream => (none)
MGA7-64 Plasma on Lenovo B50 First installed the free versions, which removed the previous tainted versions of the packages. Disabled tainted repos. Ref bug 26917 for testing. $ ffmpeg -i Swamplands\ USA.m2t Swamplands\ USA.avi ffmpeg version 4.1.6 Copyright (c) 2000-2020 the FFmpeg developers built with gcc 8.4.0 (Mageia 8.4.0-1.mga7) configuration: --prefix=/usr --enable-shared --enable-pic --libdir=/usr/lib64 --shlibdir=/usr/lib64 --incdir=/usr/include --disable-stripping --enable-postproc --enable-gpl --enable-pthreads --enable-libtheora --enable-libvorbis --disable-encoder=vorbis --enable-libvpx --enable-runtime-cpudetect --enable-libaom --enable-libdc1394 --enable-librtmp --enable-libspeex --enable-libfreetype --enable-libgsm --enable-libcelt --enable-libopus --enable-libopencv --enable-libopenjpeg --enable-libtwolame --enable-libxavs --enable-frei0r --enable-libmodplug --enable-libass --enable-gnutls --enable-libcdio --enable-libpulse --enable-libv4l2 --enable-avresample --enable-opencl --enable-libmp3lame --enable-sndio --enable-libdav1d --disable-decoder=aac --disable-encoder=aac libavutil 56. 22.100 / 56. 22.100 libavcodec 58. 35.100 / 58. 35.100 libavformat 58. 20.100 / 58. 20.100 libavdevice 58. 5.100 / 58. 5.100 libavfilter 7. 40.101 / 7. 40.101 libavresample 4. 0. 0 / 4. 0. 0 libswscale 5. 3.100 / 5. 3.100 libswresample 3. 3.100 / 3. 3.100 libpostproc 55. 3.100 / 55. 3.100 [mpeg2video @ 0xf05c00] Invalid frame dimensions 0x0. Last message repeated 2 times [mpegts @ 0xf00bc0] PES packet size mismatch Input #0, mpegts, from 'Swamplands USA.m2t': Duration: 00:00:36.40, start: 59185.420200, bitrate: 6032 kb/s Program 4128 Stream #0:0[0x1021]: Video: mpeg2video (Main) ([2][0][0][0] / 0x0002), yuv420p(tv, top first), 720x576 [SAR 64:45 DAR 16:9], 25 fps, 25 tbr, 90k tbn, 50 tbc Stream #0:1[0x1022]: Audio: mp2 ([3][0][0][0] / 0x0003), 48000 Hz, stereo, fltp, 192 kb/s and more ...... then $ mplayer Swamplands\ USA.avi MPlayer 1.4-1.mga7.tainted-8.3.1 (C) 2000-2019 MPlayer Team do_connect: could not connect to socket connect: No such file or directory Failed to open LIRC support. You will not be able to use your remote control. Playing Swamplands USA.avi. libavformat version 58.20.100 (external) AVI file format detected. [aviheader] Video stream found, -vid 0 [aviheader] Audio stream found, -aid 1 VIDEO: [FMP4] 720x576 24bpp 25.000 fps 999.1 kbps (122.0 kbyte/s) ========================================================================== Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family libavcodec version 58.35.100 (external) Selected video codec: [ffodivx] vfm: ffmpeg (FFmpeg MPEG-4) ========================================================================== Clip info: Software: Lavf58.20.100 Load subtitles in ./ and more... flie plays OK. Note there doesn't exist an free version of mplayer on the repos as they are now. Lookks OK, continuing test of tainted versions....
CC: (none) => herman.viaene
Installing the tainted versions removes the free versions, then repeating the same commands. $ ffmpeg -i Swamplands\ USA.m2t Swamplands\ USAtaint.avi ffmpeg version 4.1.6 Copyright (c) 2000-2020 the FFmpeg developers built with gcc 8.4.0 (Mageia 8.4.0-1.mga7) et..... $ mplayer Swamplands\ USAtaint.avi MPlayer 1.4-1.mga7.tainted-8.3.1 (C) 2000-2019 MPlayer Team do_connect: could not connect to socket connect: No such file or directory Failed to open LIRC support. You will not be able to use your remote control. Playing Swamplands USAtaint.avi. etc... fle plays OK. All OK for me.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 3.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => ouaurelienCVE: (none) => CVE-2020-35965Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0273.html
Status: NEW => RESOLVEDResolution: (none) => FIXED