Summary: | <media-video/ffmpeg-4.2.3: Multiple vulnerabilities (CVE-2019-13312, CVE-2020-12284) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | media-video |
Priority: | Normal | Keywords: | CC-ARCHES, PullRequest |
Version: | unspecified | Flags: | nattka: sanity-check- |
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/FFmpeg/FFmpeg/commit/1812352d767ccf5431aa440123e2e260a4db2726 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=711144, https://github.com/gentoo/gentoo/pull/15927, https://github.com/gentoo/gentoo/pull/16793 | ||
Whiteboard: | B3 [glsa+ cve] | ||
Package list: | =media-video/ffmpeg-4.2.3 | Runtime testing required: | --- |
Bug Depends on: | 727450 | ||
Bug Blocks: |
Description
Sam James
2020-04-28 15:05:40 UTC
@maintainer(s), please apply the supplied patch.

CVE-2020-12284 (https://nvd.nist.gov/vuln/detail/CVE-2020-12284): cbs_jpeg_split_fragment in libavcodec/cbs_jpeg.c in FFmpeg 4.2.2 has a heap-based buffer overflow during JPEG_MARKER_SOS handling because of a missing length check.

A collection of other flaws found by oss-fuzz were fixed in 4.2.3.

@maintainer(s): fixed in 4.2.3. Please bump.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbf1dc0a317be65d039d8b9ff171571b6c721840

commit fbf1dc0a317be65d039d8b9ff171571b6c721840
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-05-22 15:03:03 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-05-23 20:05:21 +0000

    media-video/ffmpeg: Security bump to 4.2.3

    Bug: https://bugs.gentoo.org/719940
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-video/ffmpeg/Manifest            |   1 +
 media-video/ffmpeg/ffmpeg-4.2.3.ebuild | 551 +++++++++++++++++++++++++++++++++
 2 files changed, 552 insertions(+)

ppc/ppc64 stable

amd64 stable

sparc stable

arm stable

x86 stable

arm64 stable

----

@maintainer(s), please cleanup

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5aad0c4b02393043056f044fa39114bc1aa595ae

commit 5aad0c4b02393043056f044fa39114bc1aa595ae
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-23 21:06:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-27 16:40:18 +0000

    media-video/ffmpeg: security cleanup (drop <4.2.4)

    Bug: https://bugs.gentoo.org/711144
    Bug: https://bugs.gentoo.org/718012
    Bug: https://bugs.gentoo.org/719940
    Bug: https://bugs.gentoo.org/727450
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/ffmpeg/Manifest                        |   2 -
 media-video/ffmpeg/ffmpeg-3.4.6-r1.ebuild          | 490 ------------------
 media-video/ffmpeg/ffmpeg-4.2.3.ebuild             | 556 ---------------------
 media-video/ffmpeg/files/chromium.patch            |  36 --
 ...mpeg-3.4.6-fix-building-against-fdk-aac-2.patch |  74 ---
 media-video/ffmpeg/metadata.xml                    |   1 -
 6 files changed, 1159 deletions(-)

Unable to check for sanity:
> no match for package: =media-video/ffmpeg-4.2.3

GLSA vote: yes, with bug 718012.

This issue was resolved and addressed in GLSA 202007-58 at https://security.gentoo.org/glsa/202007-58 by GLSA coordinator Sam James (sam_c).
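The defect class the bug report describes (a JPEG segment whose declared length is trusted without comparing it to the bytes actually remaining, during SOS handling) is easier to see in a small, self-contained splitter than in the real cbs_jpeg_split_fragment. The program below is an added example written for this page; it is not FFmpeg's code and not the fix commit linked in the URL field. The function and type names, the `checked` switch that turns the length validation on and off, and the two sample bitstreams are all constructed for the illustration. The splitter never performs the out-of-bounds access; it reports how far past the buffer a consumer copying the segment by its declared size would go.

```c
/* Added example, not FFmpeg's code: a minimal JPEG marker-segment splitter
 * showing the missing-length-check pattern behind CVE-2020-12284. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define JPEG_MARKER_SOI 0xD8
#define JPEG_MARKER_EOI 0xD9
#define JPEG_MARKER_SOS 0xDA

typedef struct {
    uint8_t marker;
    size_t  start;   /* offset of the first byte after the marker code */
    size_t  size;    /* bytes in the segment: header and, for SOS, scan data */
} Segment;

static unsigned rb16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Markers that carry no length field: SOI, EOI and RST0..RST7. */
static int is_standalone(uint8_t m)
{
    return m == JPEG_MARKER_SOI || m == JPEG_MARKER_EOI || (m >= 0xD0 && m <= 0xD7);
}

/* Split `data` into marker segments. Returns the number of segments stored in
 * `out` (at most `max`), or -1 for input the splitter rejects. `checked` selects
 * whether a declared length is validated against the bytes left in the input. */
static int split_segments(const uint8_t *data, size_t size, int checked,
                          Segment *out, size_t max)
{
    size_t i = 0;
    int n = 0;
    while (i < size) {
        /* A marker is 0xFF (any number of fill bytes) followed by a non-zero code. */
        if (data[i] != 0xFF)
            return -1;
        while (i < size && data[i] == 0xFF)
            i++;
        if (i >= size || data[i] == 0x00 || (size_t)n >= max)
            return -1;
        Segment *s = &out[n++];
        s->marker = data[i++];
        s->start  = i;
        s->size   = 0;
        if (is_standalone(s->marker)) {
            if (s->marker == JPEG_MARKER_EOI)
                break;
            continue;
        }
        /* Other markers start with a big-endian 16-bit length that counts itself. */
        if (size - i < 2)
            return -1;
        size_t length = rb16(data + i);
        if (length < 2)
            return -1;
        /* The check whose absence the CVE text describes: without it a declared
         * length larger than the remaining input is trusted as-is. */
        if (checked && length > size - i)
            return -1;
        i += length;
        if (s->marker == JPEG_MARKER_SOS) {
            /* Entropy-coded data runs until a marker that is neither stuffed 0xFF00 nor RSTn. */
            while (i < size) {
                if (data[i] == 0xFF && i + 1 < size && data[i + 1] != 0x00 &&
                    data[i + 1] != 0xFF && !(data[i + 1] >= 0xD0 && data[i + 1] <= 0xD7))
                    break;
                i++;
            }
        }
        s->size = i - s->start;
    }
    return n;
}

/* Bytes a consumer copying `s` out of a `size`-byte buffer would read past its
 * end; 0 when the segment lies inside the buffer. Computed, never performed. */
static size_t segment_overrun(const Segment *s, size_t size)
{
    size_t end = s->start + s->size;
    return end > size ? end - size : 0;
}

/* Largest overrun over all segments, or -1 when the splitter rejected the input. */
static long worst_overrun(const uint8_t *data, size_t size, int checked)
{
    Segment segs[16];
    int n = split_segments(data, size, checked, segs, 16);
    if (n < 0)
        return -1;
    size_t worst = 0;
    for (int k = 0; k < n; k++) {
        size_t o = segment_overrun(&segs[k], size);
        if (o > worst)
            worst = o;
    }
    return (long)worst;
}

/* Constructed sample: well-formed stream, SOS header of length 8, scan data with
 * one stuffed 0xFF00, then EOI. */
static const uint8_t SAMPLE_GOOD[] = {
    0xFF, 0xD8,
    0xFF, 0xDA, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3F, 0x00,
    0xAB, 0xCD, 0xFF, 0x00, 0xEF,
    0xFF, 0xD9
};

/* Constructed sample: the SOS length field claims 256 bytes but only 8 remain. */
static const uint8_t SAMPLE_BAD_SOS[] = {
    0xFF, 0xD8,
    0xFF, 0xE0, 0x00, 0x04, 0x4A, 0x46,
    0xFF, 0xDA, 0x01, 0x00, 0x01, 0x00,
    0x12, 0x34,
    0xFF, 0xD9
};

int main(void)
{
    printf("good, unchecked: overrun %ld\n", worst_overrun(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 0));
    printf("bad SOS, unchecked: overrun %ld\n", worst_overrun(SAMPLE_BAD_SOS, sizeof SAMPLE_BAD_SOS, 0));
    printf("bad SOS, checked: result %ld\n", worst_overrun(SAMPLE_BAD_SOS, sizeof SAMPLE_BAD_SOS, 1));
    return 0;
}
```

With `checked` off, the truncated SOS segment is accepted with a size of 256 bytes starting at offset 10 of an 18-byte buffer, so any consumer that allocates and copies by that size over-reads by 248 bytes; with it on, the same input is rejected before a segment is ever produced, which is the behaviour the 4.2.3 fix restores. On a Gentoo host the practical check is simply that the installed media-video/ffmpeg is 4.2.3 or newer; `glsa-check -t all` from app-portage/gentoolkit reports whether GLSA 202007-58 still applies.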