SUSE has issued an advisory today (January 26): https://lists.suse.com/pipermail/sle-security-updates/2023-January/013546.html Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Hi, After verifying here: https://security-tracker.debian.org/tracker/CVE-2022-3341 and checking the code, I can confirm only Mageia 8 is affected by that CVE. Best regards, Nico.
Version: Cauldron => 8Whiteboard: MGA8TOO => (none)Source RPM: ffmpeg-5.1.2-3.mga9.src.rpm => ffmpeg-4.3.5-1.1.mga8.src.rpmCC: (none) => nicolas.salguero
(In reply to David Walser from comment #0) > SUSE has issued an advisory today (January 26): > https://lists.suse.com/pipermail/sle-security-updates/2023-January/013546. > html > > Mageia 8 is also affected. Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2JWZZIMFVNIVI2WC4FQWKH6CT5CTUP7N/
Assigning to the registered maintainer.
Assignee: bugsquad => smelrorCC: (none) => marja11
Advisory ======== An upstream patch to fix CVE-2022-3341 has be backported. CVE-2022-3341: A null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash. References ========== https://nvd.nist.gov/vuln/detail/CVE-2022-3341 https://security-tracker.debian.org/tracker/CVE-2022-3341 Files ===== Uploaded to core/updates_testing lib64swresample3-4.3.5-1.2.mga8 lib64postproc55-4.3.5-1.2.mga8 lib64avresample4-4.3.5-1.2.mga8 lib64avutil56-4.3.5-1.2.mga8 lib64swscaler5-4.3.5-1.2.mga8 lib64ffmpeg-devel-4.3.5-1.2.mga8 lib64avformat58-4.3.5-1.2.mga8 lib64avfilter7-4.3.5-1.2.mga8 ffmpeg-4.3.5-1.2.mga8 lib64avcodec58-4.3.5-1.2.mga8 lib64ffmpeg-static-devel-4.3.5-1.2.mga8 from ffmpeg-4.3.5-1.2.mga8.src.rpm Uploaded to tainted/updates_testing lib64swresample3-4.3.5-1.2.mga8.tainted lib64postproc55-4.3.5-1.2.mga8.tainted lib64avresample4-4.3.5-1.2.mga8.tainted lib64avutil56-4.3.5-1.2.mga8.tainted lib64swscaler5-4.3.5-1.2.mga8.tainted lib64ffmpeg-devel-4.3.5-1.2.mga8.tainted lib64avformat58-4.3.5-1.2.mga8.tainted lib64avfilter7-4.3.5-1.2.mga8.tainted ffmpeg-4.3.5-1.2.mga8.tainted lib64avcodec58-4.3.5-1.2.mga8.tainted lib64ffmpeg-static-devel-4.3.5-1.2.mga8.tainted from ffmpeg-4.3.5-1.2.mga8.src.rpm
Assignee: smelror => qa-bugs
mga8, x64 ffmpeg tainted had been working fine on this machine for earlier versions. No regressions noted for the updated version. Updated all the packages and ran similar tests to those in earlier ffmpeg updates. $ ffmpeg -L shows the licence and the configuration options for compiling with gcc plus the libraries which are needed. Add a subtitle stream to a video file: $ ffmpeg -report -n -i Byzantium.mp4 -f srt -i Byzantium.srt -c:s mov_text \ -metadata:s:s:0 language=eng -c:v copy -c:a copy Byzantium_st.mp4 ffmpeg version 4.3.5 Copyright (c) 2000-2022 the FFmpeg developers built with gcc 10 (Mageia 10.4.0-3.mga8) [...] Metadata: major_brand : isom minor_version : 512 compatible_brands: isomiso2avc1mp41 media_type : 10 [...] frame=151816 fps=60721 q=-1.0 size= 1926400kB time=00:50:42.04 bitrate=5187.7kbiframe=178602 fps=59882 q=-1.0 Lsize= 2267615kB time=00:59:32.01 bitrate=5200.5kbits/s speed=1.2e+03x video:2207326kB audio:55813kB subtitle:39kB other streams:0kB global headers:0kB muxing overhead: 0.196034% Byzantium_st.mp4 played fine with vlc and subtitles were available. The command line output can be saved by including -report in the command. In this case the output went to ffmpeg-20230206-091234.log. Converted an AVI file to MP4. It takes a while and uses all the CPU cores at about 70% - resulting file plays OK in totem. In contrast with bug 31067 sound worked after this conversion, no codecs specified. Ran ffmulticonverter under strace (Thanks TJ). Conversion from MP4 to WMV was very quick but the video degraded somewhat. The trace showed the ffmpeg binary being used. The tainted version works without problems.
CC: (none) => tarazed25
MGA8-64 MATE on Acer Aspire 5253 No installation issues. Used ffmulticonverter with Core versions to convert an mpg to ogg. Used ffmulticonverter with tainted versions to convert an avi to mpg. All resulting files display OK Together with Len's tests, good to go for me.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA8-64-OK
Thanks, guys. Validating. Advisory in Comment 4.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0043.html
Status: NEW => RESOLVEDResolution: (none) => FIXED