SUSE has issued an advisory on January 2: https://lists.suse.com/pipermail/sle-security-updates/2023-January/013408.html The issue is fixed upstream in 5.1 in the following commit: https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568
openSUSE has issued an advisory for this on January 2: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XCDK2I3GYMXMRGZFHL65TE2YCUOUX2VA/
Status comment: (none) => Patches available from upstream and openSUSE
Stig looks after 'ffmpeg', so assigning to you. We already have ffmpeg-5.1.2 in Cauldron, so just for M8.
Assignee: bugsquad => smelror
Advisory
========

Backported upstream patch to fix CVE-2022-3109.

CVE-2022-3109: An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause a null pointer dereference, impacting availability.

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3109

Files
=====

Uploaded to core/updates_testing
lib64avformat58-4.3.5-1.1.mga8
lib64swscaler5-4.3.5-1.1.mga8
lib64avutil56-4.3.5-1.1.mga8
lib64avresample4-4.3.5-1.1.mga8
lib64postproc55-4.3.5-1.1.mga8
lib64swresample3-4.3.5-1.1.mga8
lib64ffmpeg-devel-4.3.5-1.1.mga8
lib64avfilter7-4.3.5-1.1.mga8
ffmpeg-4.3.5-1.1.mga8
lib64avcodec58-4.3.5-1.1.mga8
lib64ffmpeg-static-devel-4.3.5-1.1.mga8

Uploaded to tainted/updates_testing
lib64avformat58-4.3.5-1.1.mga8.tainted
lib64swscaler5-4.3.5-1.1.mga8.tainted
lib64avutil56-4.3.5-1.1.mga8.tainted
lib64avresample4-4.3.5-1.1.mga8.tainted
lib64postproc55-4.3.5-1.1.mga8.tainted
lib64swresample3-4.3.5-1.1.mga8.tainted
lib64ffmpeg-devel-4.3.5-1.1.mga8.tainted
lib64avfilter7-4.3.5-1.1.mga8.tainted
ffmpeg-4.3.5-1.1.mga8.tainted
lib64avcodec58-4.3.5-1.1.mga8.tainted
lib64ffmpeg-static-devel-4.3.5-1.1.mga8.tainted

from ffmpeg-4.3.5-1.1.mga8.src.rpm
Assignee: smelror => qa-bugs
mga8, x64 Tainted versions already installed so going with that. Waiting for mirror to sync.
CC: (none) => tarazed25
Following the CVE chain found a reference which indicated that the null pointer reference problem had already been fixed in an earlier 5.1 version.
https://bugzilla.redhat.com/show_bug.cgi?id=2153551

Clean update of all packages.

Generated an MP4 file from a Matroska container file:
$ ffmpeg -i <file>.mkv test.mp4
The test output played fine in vlc - sound and video.

Add a subtitle track to an MP4 file.
$ ffmpeg -n -i TheLaxeyWheel.mp4 -f srt -i TheLaxeyWheel.srt \
  -c:s mov_text -metadata:s:s:0 language=eng -c:v copy -c:a copy new.mp4
ffmpeg version 4.3.5 Copyright (c) 2000-2022 the FFmpeg developers
built with gcc 10 (Mageia 10.4.0-3.mga8)
[...]
Stream mapping:
  Stream #0:0 -> #0:0 (copy)
  Stream #0:1 -> #0:1 (copy)
  Stream #1:0 -> #0:2 (subrip (srt) -> mov_text (native))
Press [q] to stop, [?] for help
frame=13350 fps=0.0 q=-1.0 Lsize= 167693kB time=00:04:26.98 bitrate=5145.5kbits/s speed=1.42e+03x
video:163269kB audio:4172kB subtitle:3kB other streams:0kB global headers:0kB muxing overhead: 0.149105%

The new.mp4 file played in parole with subtitles superimposed on the video.

`urpmq --whatrequires ffmpeg` reports that get_iplayer uses ffmpeg but a simple programme download does not show any evidence of that nor does downloading a particular programme.
$ strace -o bbc.trace get_iplayer --subtitles --modes=best 3661 --get --force

$ ffmpeg TheGreatStTriniansTrainRobbery.m2t StTrinians.avi
Interrupted this but the AVI file played OK in parole albeit without sound.

ffmpeg appears to function well on its own.
A recurring question - nothing obvious on the Mageia wiki.
How do we switch back to free packages without damaging the system?
# rpm -e --nodeps lib64avformat58-4.3.5-1.1.mga8.tainted
That worked.
# rpm -e lib64swscaler5
error: Failed dependencies:
	lib64swscaler5 = 4.3.5-1.1.mga8.tainted is needed by (installed) lib64ffmpeg-devel-4.3.5-1.1.mga8.tainted.x86_64
[...]
	libswscale.so.5(LIBSWSCALE_5)(64bit) is needed by (installed) lib64avfilter7-4.3.5-1.1.mga8.tainted.x86_64
	libswscale.so.5(LIBSWSCALE_5)(64bit) is needed by (installed) ffmpeg-4.3.5-1.1.mga8.tainted.x86_64

Some of the dependencies like vlc-plugin-common are themselves tainted so vlc might be in trouble.
Is there a clean way to do this?
Posting this here to provide a common reference for future ffmpeg update tests.
The only way I know of is to manually download the core replacements and install them with rpm -Uvh --force.
Remove the tainted packages using "rpm -e --nodeps package1,package2" and then install the core version of the packages.
CC: (none) => davidwhodgins
We've had a few times in the past where by mistake only the core versions of an update were offered for testing, QA didn't catch it, and the update went through. I can remember at least one time with VLC, and it seems like there were a couple of others. The result was that the users' older tainted version was updated to the new core version. Using that experience, what I usually do is first use qarepo with tainted testing repos disabled to get the core package list, use drakrpm-update to update from tainted to core, and test the core versions. If those pass, I'll go back to qarepo, enable tainted testing repos, and go after the list of tainted packages. (If the developer doesn't provide a separate list of tainted packages, I use the core list, appending ".tainted" to the end of each name, after the "mga8") Then I update to them, and test again. So far, this seems to work, as long as I test the core version first, and if I want the tainted version to remain installed at the end of the test. My plan has always been that if a conflict arises during the process, like "X cannot be selected because of missing XX" I would come back to the bug and ask for assistance, but so far this hasn't happened.
CC: (none) => andrewsfarm
MGA8-64 MATE on Acer Aspire 5253 No installation issues for core updates. Ref bug 31067 for testing. Same remark for an mp4 file: plays OK with parole, vlc, Video, not with mplayer where the sound lags behind. So OK. Also tested converting with ffmulticonverter, mpg to and from avi. Continuing for tainted.
CC: (none) => herman.viaene
In reply to Thomas Andrews in comment 9: Sounds like a plan TJ. Shall take that route next time. Meanwhile it looks like the free version is OK. Tainted is OK for me.
Same result on the tainted rpm's. Regarding Len's test in Comment 5, I give it the OK.
Whiteboard: (none) => MGA8-64-OK
For checking if tainted is needed, I use "urpmq -i ffmpeg|grep Source|sort -uV" If any of the lines are for tainted and the last one isn't, then the tainted build is missing.
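The two QA checks described in this thread (deriving the tainted package list from the core list, and spotting a missing tainted build from the sorted Source lines), written out as an added example that is not part of the original comments and not Mageia tooling. The function names are hypothetical, the "Source RPM" line format of `urpmq -i` is an assumption, and the sample data (including the 4.3.4-1 release) is constructed.

```shell
#!/bin/sh
# Added example; tainted_names and tainted_build_missing are hypothetical
# helper names, not part of urpmi or qarepo.

# Core package list on stdin (one NAME-VERSION-RELEASE per line): append
# ".tainted" after the "mgaN" tag, leaving already-tainted names unchanged.
tainted_names() {
    sed 's/\.mga[0-9][0-9]*$/&.tainted/'
}

# `urpmq -i PKG` output on stdin. Keeps the Source lines, sorts them uniquely
# in version order, and applies the rule from the thread: if any line is a
# tainted source rpm and the last (newest) one is not, the tainted build is
# missing. Exit status 0 = missing, 1 = nothing missing.
tainted_build_missing() {
    sources=$(grep Source | sort -uV)
    case $sources in
        *.tainted.*) ;;
        *) return 1 ;;          # package has no tainted variant at all
    esac
    newest=$(printf '%s\n' "$sources" | tail -n 1)
    case $newest in
        *.tainted.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed samples (assumed line format, not captured output).
SAMPLE_OK='Name        : ffmpeg
Source RPM  : ffmpeg-4.3.5-1.1.mga8.src.rpm
Name        : ffmpeg
Source RPM  : ffmpeg-4.3.5-1.1.mga8.tainted.src.rpm'
SAMPLE_MISSING='Source RPM  : ffmpeg-4.3.4-1.mga8.tainted.src.rpm
Source RPM  : ffmpeg-4.3.5-1.1.mga8.src.rpm'

for sample in "$SAMPLE_OK" "$SAMPLE_MISSING"; do
    if printf '%s\n' "$sample" | tainted_build_missing; then
        echo "tainted build missing"
    else
        echo "tainted build present or not applicable"
    fi
done
```

On a real system the check would be fed with `urpmq -i ffmpeg | tainted_build_missing` while the testing repositories are enabled.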
In reply to Dave Hodgins, comment 13. Astonishing. One for the notebook.
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0004.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED