
Bug 718012 (CVE-2019-15942)

Summary: <media-video/ffmpeg-4.2.1: Conditional jump depending on uninitialised value (CVE-2019-15942)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: media-video
Priority: Normal
Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://trac.ffmpeg.org/ticket/8093
See Also: https://github.com/gentoo/gentoo/pull/16793
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 711144, 727450    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-18 08:15:06 UTC
Description:
"FFmpeg through 4.2 has a "Conditional jump or move depends on uninitialised value" issue in h2645_parse because alloc_rbsp_buffer in libavcodec/h2645_parse.c mishandles rbsp_buffer."

Bug: https://trac.ffmpeg.org/ticket/8093
Comment 1 Larry the Git Cow gentoo-dev 2020-07-27 16:40:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5aad0c4b02393043056f044fa39114bc1aa595ae

commit 5aad0c4b02393043056f044fa39114bc1aa595ae
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-23 21:06:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-27 16:40:18 +0000

    media-video/ffmpeg: security cleanup (drop <4.2.4)
    
    Bug: https://bugs.gentoo.org/711144
    Bug: https://bugs.gentoo.org/718012
    Bug: https://bugs.gentoo.org/719940
    Bug: https://bugs.gentoo.org/727450
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/ffmpeg/Manifest                        |   2 -
 media-video/ffmpeg/ffmpeg-3.4.6-r1.ebuild          | 490 ------------------
 media-video/ffmpeg/ffmpeg-4.2.3.ebuild             | 556 ---------------------
 media-video/ffmpeg/files/chromium.patch            |  36 --
 ...mpeg-3.4.6-fix-building-against-fdk-aac-2.patch |  74 ---
 media-video/ffmpeg/metadata.xml                    |   1 -
 6 files changed, 1159 deletions(-)
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-07-28 19:43:03 UTC
This issue was resolved and addressed in
 GLSA 202007-58 at https://security.gentoo.org/glsa/202007-58
by GLSA coordinator Sam James (sam_c).