Bug 31677 - ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2024-3661[58]
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on: 33338
Blocks:
Reported: 2023-03-15 15:29 CET by David Walser
Modified: 2026-04-16 21:00 CEST

See Also:
Source RPM: ffmpeg-5.1.6-1.5.mga9.src.rpm
CVE:
Status comment: Fixed upstream in 7.0

Description David Walser 2023-03-15 15:29:43 CET
+++ This bug was initially created as a clone of Bug #31675 +++

Fedora has issued an advisory today (March 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FTSFKF7VKRUQBG3BV5JUKE7ZZLGPI34D/

The issues are fixed upstream in 6.0.

Mageia 8 is also affected.

These CVEs came from Chrome.  I don't see any added patches in the Chromium source code, though they might have just updated the ffmpeg source itself.

Leaving this bug for when/if we get any additional information on these CVEs.
David Walser 2023-03-15 15:29:54 CET

Status comment: (none) => Fixed upstream in 6.0

David Walser 2023-04-13 18:19:53 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31796

Nicolas Salguero 2024-03-13 15:39:31 CET

Whiteboard: (none) => MGA9TOO
CC: (none) => nicolas.salguero

Nicolas Salguero 2024-03-13 15:46:20 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=32964

Comment 1 Nicolas Salguero 2024-05-02 11:47:41 CEST
SUSE has issued an advisory on April 29:
https://lwn.net/Articles/971733/

Status comment: Fixed upstream in 6.0 => Fixed upstream in 7.0
Summary: ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7] => ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2024-31578

Comment 2 Nicolas Salguero 2024-06-18 09:51:33 CEST
Debian has issued an advisory on June 15:
https://lwn.net/Articles/978677/

Summary: ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2024-31578 => ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2023-50010, CVE-2023-5179[3458], CVE-2023-51798, CVE-2024-31578, CVE-2024-31585

Nicolas Salguero 2024-06-18 09:51:53 CEST

Source RPM: ffmpeg-5.1.2-3.mga9.src.rpm => ffmpeg-5.1.4-2.1.mga10.src.rpm

Comment 3 Nicolas Salguero 2024-06-27 16:21:43 CEST
If I understand correctly the information I found from Debian, version 5.1.5 should solve CVE-2023-50010, CVE-2023-5179[3458] and CVE-2024-31585.

Summary: ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2023-50010, CVE-2023-5179[3458], CVE-2023-51798, CVE-2024-31578, CVE-2024-31585 => ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2023-50010, CVE-2023-5179[3458], CVE-2024-31578, CVE-2024-31585

Nicolas Salguero 2024-06-27 16:47:47 CEST

Depends on: (none) => 33338

Comment 4 Nicolas Salguero 2024-06-27 16:48:47 CEST
CVE-2023-50010, CVE-2023-5179[3458] and CVE-2024-31585 in bug 33338.

Summary: ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2023-50010, CVE-2023-5179[3458], CVE-2024-31578, CVE-2024-31585 => ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2024-31578

Nicolas Salguero 2025-02-11 14:15:54 CET

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: ffmpeg-5.1.4-2.1.mga10.src.rpm => ffmpeg-5.1.6-1.1.mga9.src.rpm

Comment 5 Nicolas Salguero 2025-02-13 10:30:31 CET
CVE-2023-49502 and CVE-2024-31578 in bug 34015.

Summary: ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2023-49502, CVE-2024-31578 => ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7]
Source RPM: ffmpeg-5.1.6-1.1.mga9.src.rpm => ffmpeg-5.1.6-1.2.mga9.src.rpm

Comment 6 Nicolas Salguero 2025-06-02 16:10:26 CEST
openSUSE has issued an advisory on May 31:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/H2PRVBAR3CBT6GKTR4CK3DX6YQQ2NP5D/

CVE-2024-36616 and CVE-2024-36617 are already fixed.  CVE-2024-36619 does not affect version 5.1.x.

Summary: ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7] => ffmpeg new security issues CVE-2023-092[7-9], CVE-2023-093[0-3], CVE-2023-0941, CVE-2023-121[3-9], CVE-2023-122[0-7], CVE-2024-3661[58]
Source RPM: ffmpeg-5.1.6-1.2.mga9.src.rpm => ffmpeg-5.1.6-1.5.mga9.src.rpm

Comment 7 Lewis Smith 2026-04-16 21:00:23 CEST
This got lost because it was assigned to Stig, who I think is no longer with us.
Various packagers do ffmpeg, so re-assigning it globally.
We have in Cauldron 7.1.1, 2, 3

Assignee: smelror => pkg-bugs
