Summary: | <media-video/ffmpeg-4.2.4: Multiple vulnerabilities (CVE-2020-{13904,14212}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Sam James <sam>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | media-video
Priority: | Normal | Keywords: | PullRequest
Version: | unspecified | Flags: | nattka: sanity-check+
Hardware: | All | |
OS: | Linux | |
URL: | https://trac.ffmpeg.org/ticket/8673 | |
See Also: | https://github.com/gentoo/gentoo/pull/16793 | |
Whiteboard: | B3 [glsa+ cve] | |
Package list: | =media-video/ffmpeg-4.2.4 | |
Runtime testing required: | --- | |
Bug Depends on: | | |
Bug Blocks: | 718012, 719940 | |
Description
Sam James
2020-06-07 19:20:43 UTC
* CVE-2020-14212

Description: "FFmpeg through 4.3 has a heap-based buffer overflow in avio_get_str in libavformat/aviobuf.c because dnn_backend_native.c calls ff_dnn_load_model_native and a certain index check is omitted."

Bug: https://trac.ffmpeg.org/ticket/8716

We'll stabilise this shortly if no objections?

arm64 stable
arm stable
ppc64 stable
ppc stable
x86 stable
amd64 stable
sparc stable

Please cleanup.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5aad0c4b02393043056f044fa39114bc1aa595ae

commit 5aad0c4b02393043056f044fa39114bc1aa595ae
Author: John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-23 21:06:52 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-07-27 16:40:18 +0000

media-video/ffmpeg: security cleanup (drop <4.2.4)

Bug: https://bugs.gentoo.org/711144
Bug: https://bugs.gentoo.org/718012
Bug: https://bugs.gentoo.org/719940
Bug: https://bugs.gentoo.org/727450
Package-Manager: Portage-3.0.0, Repoman-2.3.23
Signed-off-by: John Helmert III <jchelmert3@posteo.net>
Signed-off-by: Sam James <sam@gentoo.org>

media-video/ffmpeg/Manifest | 2 -
media-video/ffmpeg/ffmpeg-3.4.6-r1.ebuild | 490 ------------------
media-video/ffmpeg/ffmpeg-4.2.3.ebuild | 556 --------------------
media-video/ffmpeg/files/chromium.patch | 36 --
...mpeg-3.4.6-fix-building-against-fdk-aac-2.patch | 74 ---
media-video/ffmpeg/metadata.xml | 1 -
6 files changed, 1159 deletions(-)

GLSA vote: yes, with bug 718012.

This issue was resolved and addressed in GLSA 202007-58 at https://security.gentoo.org/glsa/202007-58 by GLSA coordinator Sam James (sam_c).
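The CVE text quoted in the description describes a bug class rather than a specific line: a model loader reads an index from an untrusted file and uses it to address a heap table without first checking it against the declared operand count. The following is an added illustration written for this page, not code from ffmpeg's dnn_backend_native.c or aviobuf.c. The binary "model" layout, the struct names and the sample inputs are all constructed assumptions; the point is the shape of the loader with the index check omitted beside the hardened shape that validates every file-supplied index before it touches the table.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model file layout (constructed for this example; NOT the real
 * ffmpeg native-DNN format). All fields are little-endian u32:
 *   operands_num, layers_num, then layers_num x { in_idx, out_idx }.
 * The per-layer indices address a heap table with operands_num entries. */
#define MAX_OPERANDS 4096u   /* cap allocations driven by the header */
#define MAX_LAYERS   4096u

typedef struct { uint32_t in_idx, out_idx; } Layer;

typedef struct {
    uint32_t  operands_num, layers_num;
    Layer    *layers;
    uint32_t *use_count;     /* heap table, exactly operands_num entries */
} Model;

typedef struct { const uint8_t *p; size_t len, pos; } Reader;

static int read_u32(Reader *r, uint32_t *out) {
    if (r->len - r->pos < 4) return -1;                 /* truncated input */
    const uint8_t *b = r->p + r->pos;
    *out = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    r->pos += 4;
    return 0;
}

static void model_free(Model *m) { free(m->layers); free(m->use_count); memset(m, 0, sizeof *m); }

/* Parse header and layers. Sizes are capped, but the per-layer indices are
 * taken from the file as-is: this function deliberately does NOT validate them. */
static int parse_model(const uint8_t *buf, size_t len, Model *m) {
    Reader r = { buf, len, 0 };
    memset(m, 0, sizeof *m);
    if (read_u32(&r, &m->operands_num) || read_u32(&r, &m->layers_num)) return -1;
    if (m->operands_num == 0 || m->operands_num > MAX_OPERANDS || m->layers_num > MAX_LAYERS) return -1;
    m->layers    = calloc(m->layers_num + 1, sizeof *m->layers);
    m->use_count = calloc(m->operands_num, sizeof *m->use_count);
    if (!m->layers || !m->use_count) { model_free(m); return -1; }
    for (uint32_t i = 0; i < m->layers_num; i++)
        if (read_u32(&r, &m->layers[i].in_idx) || read_u32(&r, &m->layers[i].out_idx)) { model_free(m); return -1; }
    return 0;
}

/* The check the CVE text says was omitted: every file-supplied index must be
 * below operands_num before it is used to address use_count[]. */
static int validate_indices(const Model *m) {
    for (uint32_t i = 0; i < m->layers_num; i++)
        if (m->layers[i].in_idx >= m->operands_num || m->layers[i].out_idx >= m->operands_num)
            return -1;
    return 0;
}

/* Use the indices. With a hostile file and no validation this writes past the
 * end of the heap buffer use_count[]: the heap-based overflow. */
static void bind_operands(Model *m) {
    for (uint32_t i = 0; i < m->layers_num; i++) {
        m->use_count[m->layers[i].in_idx]++;
        m->use_count[m->layers[i].out_idx]++;
    }
}

/* Vulnerable shape: parse, then index. Only ever call this on trusted input. */
static int load_model_unchecked(const uint8_t *buf, size_t len, Model *m) {
    if (parse_model(buf, len, m)) return -1;
    bind_operands(m);                                   /* overflow on a hostile file */
    return 0;
}

/* Hardened shape: parse, validate, then index; reject without touching the table. */
static int load_model_checked(const uint8_t *buf, size_t len, Model *m) {
    if (parse_model(buf, len, m)) return -1;
    if (validate_indices(m)) { model_free(m); return -2; }
    bind_operands(m);
    return 0;
}

/* Status-only probes (no output), convenient for self-tests. */
static int checked_status(const uint8_t *buf, size_t len) {
    Model m; int rc = load_model_checked(buf, len, &m); if (!rc) model_free(&m); return rc;
}
static int parse_then_validate(const uint8_t *buf, size_t len) {
    Model m; if (parse_model(buf, len, &m)) return -1; int v = validate_indices(&m); model_free(&m); return v;
}

/* Constructed sample inputs. */
static const uint8_t benign_model[]  = { 2,0,0,0, 1,0,0,0, 0,0,0,0, 1,0,0,0 };        /* 2 operands, layer 0->1 */
static const uint8_t hostile_model[] = { 2,0,0,0, 1,0,0,0, 0,0,0,0, 0xff,0xff,0,0 };  /* out_idx 65535 >= 2 */

int main(void) {
    Model m;
    printf("checked loader, hostile file: rc=%d (rejected before indexing)\n",
           load_model_checked(hostile_model, sizeof hostile_model, &m));
    if (load_model_unchecked(benign_model, sizeof benign_model, &m) == 0) {
        printf("unchecked loader, benign file: use_count=[%u,%u]\n", m.use_count[0], m.use_count[1]);
        model_free(&m);
    }
    return 0;
}
```

The parser accepts the hostile file without complaint; that is exactly what the omitted check looks like from the outside, and why an index read from a file must be compared against the table size it will address, not merely against an allocation cap.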