| Summary: | <media-video/ffmpeg-4.3.2: Multiple vulnerabilities (CVE-2020-{35964,35965}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | contact, media-video, proxy-maint |
| Priority: | Normal | Flags: | nattka:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7 | ||
| Whiteboard: | A2 [glsa+ cve] | ||
| Package list: |
media-video/ffmpeg-4.3.2
media-sound/sndio-1.7.0-r1
|
Runtime testing required: | --- |
| Bug Depends on: | 772134 | ||
| Bug Blocks: | |||
|
Description
Sam James
2021-01-03 19:53:46 UTC
* CVE-2020-35965 Description: "decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-bounds write because of an integer overflow when attempting to operate on data locations outside of an OpenEXR image." Patch: https://github.com/FFmpeg/FFmpeg/commit/b0a8b40294ea212c1938348ff112ef1b9bf16bb3 The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eea9d1778f1da14be9293fd1a85b20cdd1c9666c commit eea9d1778f1da14be9293fd1a85b20cdd1c9666c Author: Sam James <sam@gentoo.org> AuthorDate: 2021-02-22 05:35:25 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-02-22 07:23:51 +0000 media-video/ffmpeg: (security) bump to 4.3.2 Bug: https://bugs.gentoo.org/763315 Package-Manager: Portage-3.0.14, Repoman-3.0.2 Signed-off-by: Sam James <sam@gentoo.org> media-video/ffmpeg/Manifest | 1 + media-video/ffmpeg/ffmpeg-4.3.2.ebuild | 557 +++++++++++++++++++++++++++++++++ 2 files changed, 558 insertions(+) Sanity check failed:
> media-video/ffmpeg-4.3.2
> depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> media-sound/sndio:=[abi_x86_32(-),abi_x86_64(-),abi_x86_x32(-)]
> depend amd64 stable profile default/linux/amd64/17.1 (12 total)
> media-sound/sndio:=[abi_x86_32(-),abi_x86_64(-)]
> depend amd64 stable profile default/linux/amd64/17.1/no-multilib (3 total)
> media-sound/sndio:=[abi_x86_64(-)]
> rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> media-sound/sndio:=[abi_x86_32(-),abi_x86_64(-),abi_x86_x32(-)]
> rdepend amd64 stable profile default/linux/amd64/17.1 (12 total)
> media-sound/sndio:=[abi_x86_32(-),abi_x86_64(-)]
> rdepend amd64 stable profile default/linux/amd64/17.1/no-multilib (3 total)
> media-sound/sndio:=[abi_x86_64(-)]
> depend arm stable profile default/linux/arm/17.0 (37 total)
> media-sound/sndio:=
> depend arm dev profile default/linux/arm/17.0/armv4 (37 total)
> media-sound/sndio:=
> rdepend arm stable profile default/linux/arm/17.0 (37 total)
> media-sound/sndio:=
> rdepend arm dev profile default/linux/arm/17.0/armv4 (37 total)
> media-sound/sndio:=
> depend x86 stable profile default/linux/x86/17.0 (11 total)
> media-sound/sndio:=[abi_x86_32(-)]
> rdepend x86 stable profile default/linux/x86/17.0 (11 total)
> media-sound/sndio:=[abi_x86_32(-)]
ppc/ppc64/sparc stable x86 stable amd64 stable Unable to check for sanity:
> no match for package: media-sound/sndio-1.7.0
arm64 done arm done all arches done Please cleanup. Added to an existing GLSA request. This issue was resolved and addressed in GLSA 202105-24 at https://security.gentoo.org/glsa/202105-24 by GLSA coordinator Thomas Deutschmann (whissi). |