34015 – ffmpeg new security issues CVE-2023-49502 and CVE-2024-31578

Bug 34015 - ffmpeg new security issues CVE-2023-49502 and CVE-2024-31578

Summary: ffmpeg new security issues CVE-2023-49502 and CVE-2024-31578

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2025-02-13 10:29 CET by Nicolas Salguero
Modified:	2025-02-14 23:56 CET (History)
CC List:	4 users (show)

See Also:
Source RPM:	ffmpeg-5.1.6-1.1.mga9.src.rpm
CVE:	CVE-2023-49502, CVE-2024-31578
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-02-13 10:29:54 CET

SUSE has issued an advisory on April 29:
https://lwn.net/Articles/971733/

Nicolas Salguero 2025-02-13 10:30:55 CET

CVE: (none) => CVE-2023-49502, CVE-2024-31578
Source RPM: (none) => ffmpeg-5.1.6-1.1.mga9.src.rpm

Comment 1 Nicolas Salguero 2025-02-13 10:53:55 CET

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the ff_bwdif_filter_intra_c function in the libavfilter/bwdifdsp.c:125:5 component. (CVE-2023-49502)

FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function. (CVE-2024-31578)

References:
https://lists.suse.com/pipermail/sle-updates/2024-April/035125.html
========================

Updated packages in core/updates_testing:
========================
ffmpeg-5.1.6-1.2.mga9
lib(64)avcodec59-5.1.6-1.2.mga9
lib(64)avfilter8-5.1.6-1.2.mga9
lib(64)avformat59-5.1.6-1.2.mga9
lib(64)avutil57-5.1.6-1.2.mga9
lib(64)ffmpeg-devel-5.1.6-1.2.mga9
lib(64)ffmpeg-static-devel-5.1.6-1.2.mga9
lib(64)postproc56-5.1.6-1.2.mga9
lib(64)swresample4-5.1.6-1.2.mga9
lib(64)swscaler6-5.1.6-1.2.mga9

from SRPM:
ffmpeg-5.1.6-1.2.mga9.src.rpm

Updated packages in tainted/updates_testing:
========================
ffmpeg-5.1.6-1.2.mga9.tainted
lib(64)avcodec59-5.1.6-1.2.mga9.tainted
lib(64)avfilter8-5.1.6-1.2.mga9.tainted
lib(64)avformat59-5.1.6-1.2.mga9.tainted
lib(64)avutil57-5.1.6-1.2.mga9.tainted
lib(64)ffmpeg-devel-5.1.6-1.2.mga9.tainted
lib(64)ffmpeg-static-devel-5.1.6-1.2.mga9.tainted
lib(64)postproc56-5.1.6-1.2.mga9.tainted
lib(64)swresample4-5.1.6-1.2.mga9.tainted
lib(64)swscaler6-5.1.6-1.2.mga9.tainted

from SRPM:
ffmpeg-5.1.6-1.2.mga9.tainted.src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs

Comment 2 PC LX 2025-02-13 16:51:26 CET

Installed and tested tainted version without issues.

Tested:
- X11 desktop capture;
- V4L2 USB camera video/audio capture;
- ALSA and Pulse audio capture;
- converting video/audio files to/from various codecs (e.g. AV1, VP9, x265, x264, Opus, OGG, MP3, AAC);
- remuxing video/audio files to mkv, and mp4.
- downloading file from m3u8 URL.
All OK.



System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.



$ uname -a
Linux jupiter 6.6.74-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sat Jan 25 12:11:40 UTC 2025 x86_64 GNU/Linux
$ rpm -qa | grep '5.1.6-1.2' | sort
ffmpeg-5.1.6-1.2.mga9.tainted
lib64avcodec59-5.1.6-1.2.mga9.tainted
lib64avfilter8-5.1.6-1.2.mga9.tainted
lib64avformat59-5.1.6-1.2.mga9.tainted
lib64avutil57-5.1.6-1.2.mga9.tainted
lib64postproc56-5.1.6-1.2.mga9.tainted
lib64swresample4-5.1.6-1.2.mga9.tainted
lib64swscaler6-5.1.6-1.2.mga9.tainted

CC: (none) => mageia

katnatek 2025-02-13 23:35:26 CET

Keywords: (none) => advisory

Comment 3 Thomas Andrews 2025-02-14 17:17:32 CET

MGA9-64 "Untainted" VirtualBox Plasma guest.

Installed the coming ffmulticonverter update, and attempted to convert a video or two. That was unsuccessful, until I remembered that you need the tainted version of ffmpeg to convert to some of the newer, more efficient codecs. When I did a conversion using the defaults, it worked OK.

No installation issues with the core ffmpeg update. Ran ffmulticonverter again, converted another video from avi to mkv using the defaults, and it was successful. The resulting video played OK in vlc, which identified the codec used as mpeg-4.

CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2025-02-14 17:32:45 CET

switching to real MGA9-64 hardware to test the tainted version.

No installation issues. Tested with ffmulticonverter once more, this time using a codec not available with the core version of ffmpeg. The video converted OK, and played well in vlc.

Comment 5 Brian Rockwell 2025-02-14 19:11:57 CET

MGA9-64, Cinnamon, i7 M620, nvidia GT218M (Nouveau), laptop 

The following 8 packages are going to be installed:

- ffmpeg-5.1.6-1.2.mga9.tainted.x86_64
- lib64avcodec59-5.1.6-1.2.mga9.tainted.x86_64
- lib64avfilter8-5.1.6-1.2.mga9.tainted.x86_64
- lib64avformat59-5.1.6-1.2.mga9.tainted.x86_64
- lib64avutil57-5.1.6-1.2.mga9.tainted.x86_64
- lib64postproc56-5.1.6-1.2.mga9.tainted.x86_64
- lib64swresample4-5.1.6-1.2.mga9.tainted.x86_64
- lib64swscaler6-5.1.6-1.2.mga9.tainted.x86_64

8B of disk space will be freed.

10MB of packages will be retrieved.


---  

Video conversion to x264 and x265 all working

CC: (none) => brtians1

Comment 6 Thomas Andrews 2025-02-14 22:15:13 CET

This looks good to go. Validating.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2025-02-14 23:56:06 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0067.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.