Fedora has issued an advisory today (March 14): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FTSFKF7VKRUQBG3BV5JUKE7ZZLGPI34D/ The issues are fixed upstream in 6.0. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 6.0
From the upstream security page: http://ffmpeg.org/security.html Adding CVE-2022-2566 (fixed also in 5.1.1, Cauldron not affected) and CVE-2022-3965. CVE-2022-3964 was already fixed in Bug 31175.
Summary: ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7] => ffmpeg new security issues CVE-2022-2566, CVE-2022-3965, CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7]
Stig looks after ffmpeg, so passing this to you.
Assignee: bugsquad => smelror
CVE-2022-2566 is for ffmpeg 5.1 and later and as mentioned was fixed in 5.1.1, hence mga8 not affected. Here are my findings. The following are all related to Google Chrome and not ffmpeg. Please correct me if I'm wrong.
CVE-2023-0927 Chrome
CVE-2023-0928 Chrome
CVE-2023-0929 Chrome
CVE-2023-0930 Chrome
CVE-2023-0931 Chrome
CVE-2023-0932 Chrome
CVE-2023-0933 Chrome
CVE-2023-0941 Chrome
CVE-2023-1213 Chrome
CVE-2023-1214 Chrome
CVE-2023-1215 Chrome
CVE-2023-1216 Chrome
CVE-2023-1217 Chrome
CVE-2023-1218 Chrome
CVE-2023-1219 Chrome
CVE-2023-1220 Chrome
CVE-2023-1221 Chrome
CVE-2023-1222 Chrome
CVE-2023-1223 Chrome
CVE-2023-1224 Chrome
CVE-2023-1225 Chrome
CVE-2023-1226 Chrome
CVE-2023-1227 Chrome
CVE-2022-3965 is the only valid CVE for ffmpeg and applies to the source without issues.
Chrome bundles a lot of third party libraries and they often don't specify what they're actually fixing with their CVEs, so I am guessing that Fedora mentioned them for a reason. Sometimes we have to pull patches from Chromium source.
I get "Permission denied" when I try accessing CVE-2023-0927 - https://bugs.chromium.org/p/chromium/issues/detail?id=1414738
Yes, Google is very not helpful when it comes to getting information out to distributors like us that want to pick up the security fixes they make to open-source libraries.
Removing Chromium CVEs. Moved those to Bug 31677. Removing CVE-2022-2566, which the CVE description says only affects 5.1. Leaving this bug for CVE-2022-3965 from: http://ffmpeg.org/security.html
Summary: ffmpeg new security issues CVE-2022-2566, CVE-2022-3965, CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7] => ffmpeg new security issue CVE-2022-3965
Asked on #ffmpeg-dev if they're up to backporting the fix for CVE-2022-3965 and release version 4.3.6. It will most likely happen as Debian Stable is also using it. David and I have decided to wait for the new release.
11:10 <@michaelni> kekePower, CVE-2022-3965, 13c13109759090b7f7182480d075e13b36ed8edd is for the smc encoder, the smc encoder, which was added in 5.0 so prior versions are not affected
11:10 <@michaelni> so 4.3 doesnt need this, its not affected
Whiteboard: MGA8TOO => (none)
And you already patched this in Cauldron.
Resolution: (none) => FIXED
Status: NEW => RESOLVED