
Bug 795696 (CVE-2021-33815, CVE-2021-38171, CVE-2021-38291)

Summary: <media-video/ffmpeg-4.4.1: multiple vulnerabilities (CVE-2021-{33815,38171,38291})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: normal
CC: media-video
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://trac.ffmpeg.org/ticket/9312
Whiteboard: A3 [stable?]
Package list:
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2021-06-13 03:53:39 UTC
Description:
"dwa_uncompress in libavcodec/exr.c in FFmpeg 4.4 allows an out-of-bounds array access because dc_count is not strictly checked."

https://github.com/FFmpeg/FFmpeg/commit/26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:10:17 UTC
Package list is empty or all packages have requested keywords.
Comment 7 John Helmert III gentoo-dev Security 2021-08-12 23:38:34 UTC
CVE-2021-38291:

FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) suffers from an assertion failure at src/libavutil/mathematics.c.

Unreleased patch: https://github.com/ffmpeg/ffmpeg/commit/e01d306c647b5827102260b885faa223b646d2d1
Comment 8 John Helmert III gentoo-dev Security 2021-08-26 02:02:48 UTC
CVE-2021-38171:

adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.

Patch: https://github.com/FFmpeg/FFmpeg/commit/9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6
Comment 9 Larry the Git Cow gentoo-dev 2021-10-26 04:35:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22ec1c3c5fb7ee32bde1a8a0eed2b884884521bf

commit 22ec1c3c5fb7ee32bde1a8a0eed2b884884521bf
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-10-26 04:33:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-10-26 04:34:11 +0000

    media-video/ffmpeg: add 4.4.1
    
    Not yet verified if all the CVEs are fixed.
    
    Bug: https://bugs.gentoo.org/795696
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/ffmpeg/Manifest            |   1 +
 media-video/ffmpeg/ffmpeg-4.4.1.ebuild | 555 +++++++++++++++++++++++++++++++++
 2 files changed, 556 insertions(+)