+++ This bug was initially created as a clone of Bug #28433 +++

FFmpeg 4.4 has been released on April 8 2021:
http://ffmpeg.org/security.html

This fixes:
CVE-2020-13904, 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc
CVE-2020-13904, b5e39880fb7269b1b3577cee288e06aa3dc1dfa2
CVE-2020-14212, 0b3bd001ac1745d9d008a2d195817df57d7d1d14
CVE-2020-20450, 5400e4a50c61e53e1bc50b3e77201649bbe9c510, ticket/7993
CVE-2020-21041, 5d9f44da460f781a1604d537d0555b78e29438ba, ticket/7989
CVE-2020-22038, 7c32e9cf93b712f8463573a59ed4e98fd10fa013, ticket/8285
CVE-2020-22042, 426c16d61a9b5056a157a1a2a057a4e4d13eef84, ticket/8267
CVE-2020-24020, 584f396132aa19d21bb1e38ad9a5d428869290cb, ticket/8718
CVE-2020-35965, 3e5959b3457f7f1856d997261e6ac672bba49e8b
CVE-2020-35965, b0a8b40294ea212c1938348ff112ef1b9bf16bb3

Cauldron not affected as already released there by David Geiger:

r1716290 | daviddavid | 2021-04-17 14:44:19 +0200 (sam. 17 avril 2021) | 4 lignes
- new version: 4.4
- remove merged upstream patches
- remove old Obsoletes (SILENT)

Waiting for upstream releasing eventually a 4.3.3 version.

Assigning globally.
Summary: FFmpeg new security issues CVE-2020-14212, CVE-2020-20450, CVE-2020-21041, CVE-2020-22038, CVE-2020-22042, CVE-2020-24020, CVE-2020-35965 => ffmpeg new security issues CVE-2020-20450, CVE-2020-21041, CVE-2020-22038, CVE-2020-22042, CVE-2020-24020
Source RPM: (none) => ffmpeg-4.3.2-1.mga8.src.rpm
Four more CVEs fixed post-4.4 are in this SUSE advisory: https://lists.suse.com/pipermail/sle-security-updates/2021-July/009140.html
Summary: ffmpeg new security issues CVE-2020-20450, CVE-2020-21041, CVE-2020-22038, CVE-2020-22042, CVE-2020-24020 => ffmpeg new security issues CVE-2020-20450, CVE-2020-21041, CVE-2020-2201[59], CVE-2020-22021, CVE-2020-2203[38], CVE-2020-22042, CVE-2020-24020
Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MM55YS6XXAKFK3J35CDODMYMAZO6JX3S/
CC: (none) => luigiwalser
One new CVE we haven't fixed yet in this advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RHYNSW2TAJSSTZPOYXQXGZDI6LYBWIT4/
Summary: ffmpeg new security issues CVE-2020-20450, CVE-2020-21041, CVE-2020-2201[59], CVE-2020-22021, CVE-2020-2203[38], CVE-2020-22042, CVE-2020-24020 => ffmpeg new security issues CVE-2020-20450, CVE-2020-21041, CVE-2020-2201[59], CVE-2020-22021, CVE-2020-2203[38], CVE-2020-22042, CVE-2020-24020, CVE-2021-38114
One more CVE in this openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UQYGWX5BP3LA5ULPF6C7O7URBPXWRNFJ/
Summary: ffmpeg new security issues CVE-2020-20450, CVE-2020-21041, CVE-2020-2201[59], CVE-2020-22021, CVE-2020-2203[38], CVE-2020-22042, CVE-2020-24020, CVE-2021-38114 => ffmpeg new security issues CVE-2020-20450, CVE-2020-21041, CVE-2020-2201[59], CVE-2020-22021, CVE-2020-2203[38], CVE-2020-22042, CVE-2020-24020, CVE-2021-38114, CVE-2021-38171
Adding CVE-2020-20453, CVE-2020-22037, CVE-2021-38291:
https://www.debian.org/security/2021/dsa-4990

All were fixed in git after 4.4.
Summary: ffmpeg new security issues CVE-2020-20450, CVE-2020-21041, CVE-2020-2201[59], CVE-2020-22021, CVE-2020-2203[38], CVE-2020-22042, CVE-2020-24020, CVE-2021-38114, CVE-2021-38171 => ffmpeg new security issues CVE-2020-2045[03], CVE-2020-21041, CVE-2020-2201[59], CVE-2020-22021, CVE-2020-2203[378], CVE-2020-22042, CVE-2020-24020, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291
Version 4.3.3 does not talk about CVE-2020-22033 and CVE-2020-22038.
CC: (none) => nicolas.salguero
Summary: ffmpeg new security issues CVE-2020-2045[03], CVE-2020-21041, CVE-2020-2201[59], CVE-2020-22021, CVE-2020-2203[378], CVE-2020-22042, CVE-2020-24020, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291 => ffmpeg new security issues CVE-2020-20446, CVE-2020-2045[03], CVE-2020-21041, CVE-2020-2201[59], CVE-2020-22021, CVE-2020-2203[378], CVE-2020-22042, CVE-2020-24020, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291
Ooops, only CVE-2020-22038 because CVE-2020-22033 is fixed in 4.3.3.
ffmpeg-4.3.3-2.mga8 also contains a patch for CVE-2020-22038.
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/aacpsy.c, which allows a remote malicious user to cause a Denial of Service. (CVE-2020-20446)

FFmpeg 4.2 is affected by null pointer dereference passed as argument to libavformat/aviobuf.c, which could cause a Denial of Service. (CVE-2020-20450)

FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/aaccoder, which allows a remote malicious user to cause a Denial of Service. (CVE-2020-20453)

Buffer Overflow vulnerability exists in FFmpeg 4.1 via apng_do_inverse_blend in libavcodec/pngenc.c, which could let a remote malicious user cause a Denial of Service. (CVE-2020-21041)

Buffer Overflow vulnerability in FFmpeg 4.2 in mov_write_video_tag due to the out of bounds in libavformat/movenc.c, which could let a remote malicious user obtain sensitive information, cause a Denial of Service, or execute arbitrary code. (CVE-2020-22015)

Buffer Overflow vulnerability in FFmpeg 4.2 at convolution_y_10bit in libavfilter/vf_vmafmotion.c, which could let a remote malicious user cause a Denial of Service. (CVE-2020-22019)

Buffer Overflow vulnerability in FFmpeg 4.2 at filter_edges function in libavfilter/vf_yadif.c, which could let a remote malicious user cause a Denial of Service. (CVE-2020-22021)

A heap-based Buffer Overflow Vulnerability exists in FFmpeg 4.2 at libavfilter/vf_vmafmotion.c in convolution_y_8bit, which could let a remote malicious user cause a Denial of Service. (CVE-2020-22033)

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in avcodec_alloc_context3 at options.c. (CVE-2020-22037)

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the ff_v4l2_m2m_create_context function in v4l2_m2m.c. (CVE-2020-22038)

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak is affected by: memory leak in the link_filter_inouts function in libavfilter/graphparser.c. (CVE-2020-22042)

Buffer Overflow vulnerability in FFMpeg 4.2.3 in dnn_execute_layer_pad in libavfilter/dnn/dnn_backend_native_layer_pad.c due to a call to memcpy without length checks, which could let a remote malicious user execute arbitrary code. (CVE-2020-24020)

libavcodec/dnxhddec.c in FFmpeg 4.4 does not check the return value of the init_vlc function, a similar issue to CVE-2013-0868. (CVE-2021-38114)

adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted. (CVE-2021-38171)

FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) suffers from an assertion failure at src/libavutil/mathematics.c. (CVE-2021-38291)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20446
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20453
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21041
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22015
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22037
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22038
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24020
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38114
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38171
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38291
http://ffmpeg.org/security.html
https://lists.suse.com/pipermail/sle-security-updates/2021-July/009140.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MM55YS6XXAKFK3J35CDODMYMAZO6JX3S/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RHYNSW2TAJSSTZPOYXQXGZDI6LYBWIT4/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UQYGWX5BP3LA5ULPF6C7O7URBPXWRNFJ/
https://www.debian.org/security/2021/dsa-4990
========================

Updated packages in core/updates_testing:
========================
lib(64)swresample3-4.3.3-2.mga8
lib(64)postproc55-4.3.3-2.mga8
lib(64)avresample4-4.3.3-2.mga8
lib(64)avutil56-4.3.3-2.mga8
lib(64)swscaler5-4.3.3-2.mga8
lib(64)ffmpeg-devel-4.3.3-2.mga8
lib(64)avformat58-4.3.3-2.mga8
lib(64)avfilter7-4.3.3-2.mga8
ffmpeg-4.3.3-2.mga8
lib(64)avcodec58-4.3.3-2.mga8
lib(64)ffmpeg-static-devel-4.3.3-2.mga8

from SRPM:
ffmpeg-4.3.3-2.mga8.src.rpm

Updated packages in tainted/updates_testing:
========================
lib(64)avfilter7-4.3.3-2.mga8.tainted
ffmpeg-4.3.3-2.mga8.tainted
lib(64)avformat58-4.3.3-2.mga8.tainted
lib(64)ffmpeg-devel-4.3.3-2.mga8.tainted
lib(64)avutil56-4.3.3-2.mga8.tainted
lib(64)swscaler5-4.3.3-2.mga8.tainted
lib(64)avresample4-4.3.3-2.mga8.tainted
lib(64)postproc55-4.3.3-2.mga8.tainted
lib(64)swresample3-4.3.3-2.mga8.tainted
lib(64)avcodec58-4.3.3-2.mga8.tainted
lib(64)ffmpeg-static-devel-4.3.3-2.mga8.tainted

from SRPM:
ffmpeg-4.3.3-2.mga8.tainted.src.rpm
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
We're actually missing the fix for CVE-2020-21041:
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=5d9f44da460f781a1604d537d0555b78e29438ba

CVE-2020-24020 was fixed previously, so it can be removed from this advisory.
Summary: ffmpeg new security issues CVE-2020-20446, CVE-2020-2045[03], CVE-2020-21041, CVE-2020-2201[59], CVE-2020-22021, CVE-2020-2203[378], CVE-2020-22042, CVE-2020-24020, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291 => ffmpeg new security issues CVE-2020-20446, CVE-2020-2045[03], CVE-2020-21041, CVE-2020-2201[59], CVE-2020-22021, CVE-2020-2203[378], CVE-2020-22042, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291
MG8-64

The following 12 packages are going to be installed:

- ffmpeg-4.3.3-2.mga8.tainted.x86_64
- lib64avcodec58-4.3.3-2.mga8.tainted.x86_64
- lib64avfilter7-4.3.3-2.mga8.tainted.x86_64
- lib64avformat58-4.3.3-2.mga8.tainted.x86_64
- lib64avresample4-4.3.3-2.mga8.tainted.x86_64
- lib64avutil56-4.3.3-2.mga8.tainted.x86_64
- lib64opencore-amr0-0.1.5-3.mga8.tainted.x86_64
- lib64postproc55-4.3.3-2.mga8.tainted.x86_64
- lib64swresample3-4.3.3-2.mga8.tainted.x86_64
- lib64swscaler5-4.3.3-2.mga8.tainted.x86_64
- lib64vo-amrwbenc0-0.1.3-4.mga8.tainted.x86_64
- lib64xvidcore4-1.3.7-1.mga8.tainted.x86_64

1.3MB of additional disk space will be used.

converted a video using command line
no issues reported and video converted properly
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/aacpsy.c, which allows a remote malicious user to cause a Denial of Service. (CVE-2020-20446)

FFmpeg 4.2 is affected by null pointer dereference passed as argument to libavformat/aviobuf.c, which could cause a Denial of Service. (CVE-2020-20450)

FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/aaccoder, which allows a remote malicious user to cause a Denial of Service. (CVE-2020-20453)

Buffer Overflow vulnerability exists in FFmpeg 4.1 via apng_do_inverse_blend in libavcodec/pngenc.c, which could let a remote malicious user cause a Denial of Service. (CVE-2020-21041)

Buffer Overflow vulnerability in FFmpeg 4.2 in mov_write_video_tag due to the out of bounds in libavformat/movenc.c, which could let a remote malicious user obtain sensitive information, cause a Denial of Service, or execute arbitrary code. (CVE-2020-22015)

Buffer Overflow vulnerability in FFmpeg 4.2 at convolution_y_10bit in libavfilter/vf_vmafmotion.c, which could let a remote malicious user cause a Denial of Service. (CVE-2020-22019)

Buffer Overflow vulnerability in FFmpeg 4.2 at filter_edges function in libavfilter/vf_yadif.c, which could let a remote malicious user cause a Denial of Service. (CVE-2020-22021)

A heap-based Buffer Overflow Vulnerability exists in FFmpeg 4.2 at libavfilter/vf_vmafmotion.c in convolution_y_8bit, which could let a remote malicious user cause a Denial of Service. (CVE-2020-22033)

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in avcodec_alloc_context3 at options.c. (CVE-2020-22037)

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the ff_v4l2_m2m_create_context function in v4l2_m2m.c. (CVE-2020-22038)

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak is affected by: memory leak in the link_filter_inouts function in libavfilter/graphparser.c. (CVE-2020-22042)

libavcodec/dnxhddec.c in FFmpeg 4.4 does not check the return value of the init_vlc function, a similar issue to CVE-2013-0868. (CVE-2021-38114)

adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted. (CVE-2021-38171)

FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) suffers from an assertion failure at src/libavutil/mathematics.c. (CVE-2021-38291)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20446
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20453
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21041
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22015
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22037
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22038
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38114
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38171
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38291
http://ffmpeg.org/security.html
https://lists.suse.com/pipermail/sle-security-updates/2021-July/009140.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MM55YS6XXAKFK3J35CDODMYMAZO6JX3S/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RHYNSW2TAJSSTZPOYXQXGZDI6LYBWIT4/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UQYGWX5BP3LA5ULPF6C7O7URBPXWRNFJ/
https://www.debian.org/security/2021/dsa-4990
========================

Updated packages in core/updates_testing:
========================
lib(64)swresample3-4.3.3-3.mga8
lib(64)postproc55-4.3.3-3.mga8
lib(64)avresample4-4.3.3-3.mga8
lib(64)avutil56-4.3.3-3.mga8
lib(64)swscaler5-4.3.3-3.mga8
lib(64)ffmpeg-devel-4.3.3-3.mga8
lib(64)avformat58-4.3.3-3.mga8
lib(64)avfilter7-4.3.3-3.mga8
ffmpeg-4.3.3-3.mga8
lib(64)avcodec58-4.3.3-3.mga8
lib(64)ffmpeg-static-devel-4.3.3-3.mga8

from SRPM:
ffmpeg-4.3.3-3.mga8.src.rpm

Updated packages in tainted/updates_testing:
========================
lib(64)avfilter7-4.3.3-3.mga8.tainted
ffmpeg-4.3.3-3.mga8.tainted
lib(64)avformat58-4.3.3-3.mga8.tainted
lib(64)ffmpeg-devel-4.3.3-3.mga8.tainted
lib(64)avutil56-4.3.3-3.mga8.tainted
lib(64)swscaler5-4.3.3-3.mga8.tainted
lib(64)avresample4-4.3.3-3.mga8.tainted
lib(64)postproc55-4.3.3-3.mga8.tainted
lib(64)swresample3-4.3.3-3.mga8.tainted
lib(64)avcodec58-4.3.3-3.mga8.tainted
lib(64)ffmpeg-static-devel-4.3.3-3.mga8.tainted

from SRPM:
ffmpeg-4.3.3-3.mga8.tainted.src.rpm
MGA8-64

The following 9 packages are going to be installed:

- ffmpeg-4.3.3-3.mga8.x86_64
- lib64avcodec58-4.3.3-3.mga8.x86_64
- lib64avfilter7-4.3.3-3.mga8.x86_64
- lib64avformat58-4.3.3-3.mga8.x86_64
- lib64avresample4-4.3.3-3.mga8.x86_64
- lib64avutil56-4.3.3-3.mga8.x86_64
- lib64postproc55-4.3.3-3.mga8.x86_64
- lib64swresample3-4.3.3-3.mga8.x86_64
- lib64swscaler5-4.3.3-3.mga8.x86_64

-- confirmed installed

convert a video a couple of ways to validate - working
CC: (none) => brtians1
MGA8-64 tainted

The following 9 packages are going to be installed:

- ffmpeg-4.3.3-3.mga8.tainted.x86_64
- lib64avcodec58-4.3.3-3.mga8.tainted.x86_64
- lib64avfilter7-4.3.3-3.mga8.tainted.x86_64
- lib64avformat58-4.3.3-3.mga8.tainted.x86_64
- lib64avresample4-4.3.3-3.mga8.tainted.x86_64
- lib64avutil56-4.3.3-3.mga8.tainted.x86_64
- lib64postproc55-4.3.3-3.mga8.tainted.x86_64
- lib64swresample3-4.3.3-3.mga8.tainted.x86_64
- lib64swscaler5-4.3.3-3.mga8.tainted.x86_64

test video conversion - worked as expected.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 12.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0495.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED