| Summary: | <media-video/ffmpeg-{4.2.7,4.4.1}: multiple vulnerabilities (CVE-2021-{33815,38171,38291}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | media-video |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://trac.ffmpeg.org/ticket/9312 | | |
| Whiteboard: | A3 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 829389, 876400 | | |
| Bug Blocks: | | | |
Description
Sam James
2021-06-13 03:53:39 UTC
CVE-2021-38291: FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) suffers from an assertion failure at src/libavutil/mathematics.c.
Unreleased patch: https://github.com/ffmpeg/ffmpeg/commit/e01d306c647b5827102260b885faa223b646d2d1

CVE-2021-38171: adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.
Patch: https://github.com/FFmpeg/FFmpeg/commit/9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22ec1c3c5fb7ee32bde1a8a0eed2b884884521bf

commit 22ec1c3c5fb7ee32bde1a8a0eed2b884884521bf
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-10-26 04:33:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-10-26 04:34:11 +0000

    media-video/ffmpeg: add 4.4.1

    Not yet verified if all the CVEs are fixed.

    Bug: https://bugs.gentoo.org/795696
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/ffmpeg/Manifest            |   1 +
 media-video/ffmpeg/ffmpeg-4.4.1.ebuild | 555 +++++++++++++++++++++++++++++++++
 2 files changed, 556 insertions(+)

Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31baf58256ca04e305510ce86df9f6d83948f853

commit 31baf58256ca04e305510ce86df9f6d83948f853
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-03 05:24:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-03 05:25:22 +0000

    media-video/ffmpeg: add 4.2.7

    Fixes a bunch of CVEs that we've had fixed in newer versions for a while,
    but until we can clean up 4.2.x, we may as well bump to the latest in that
    series...

    Bug: https://bugs.gentoo.org/842267
    Bug: https://bugs.gentoo.org/795696
    Bug: https://bugs.gentoo.org/781146
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/ffmpeg/Manifest                       |   1 +
 media-video/ffmpeg/ffmpeg-4.2.7.ebuild            | 556 +++++++++++++++++++++
 .../ffmpeg-4.2.7-libsdl2-new-version-scheme.patch |  26 +
 3 files changed, 583 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fff3d30f49f081c89ab5d0154509d32550ae1a9c

commit fff3d30f49f081c89ab5d0154509d32550ae1a9c
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-10-10 15:26:17 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-10 15:31:58 +0000

    media-video/ffmpeg: drop 4.2.4-r2

    Bug: https://bugs.gentoo.org/847267
    Bug: https://bugs.gentoo.org/795696
    Bug: https://bugs.gentoo.org/781146
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-video/ffmpeg/Manifest               |   1 -
 media-video/ffmpeg/ffmpeg-4.2.4-r2.ebuild | 555 ------------------------------
 2 files changed, 556 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=054115a94fa38350f4468052ec239cbacb5b8e26

commit 054115a94fa38350f4468052ec239cbacb5b8e26
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-23 11:07:01 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-23 11:07:29 +0000

    [ GLSA 202312-14 ] FFmpeg: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/795696
    Bug: https://bugs.gentoo.org/842267
    Bug: https://bugs.gentoo.org/881523
    Bug: https://bugs.gentoo.org/903805
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-14.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
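The unchecked init_get_bits return value behind CVE-2021-38171 in the description above, as an added example in C that is not part of this bug report or of FFmpeg: a constructed bit reader (bitreader_init, bitreader_get, read_fields and sample_cfg are stand-ins, not FFmpeg's GetBitContext API) with the pre-fix and post-fix shape of an extradata parser side by side. The parser reads the first three AudioSpecificConfig fields; the failure contract of the init (negative or absurdly large bit size is rejected and the reader left empty) is an assumption chosen to match what the report describes.

```c
#include <stdint.h>
#include <limits.h>
/* Constructed bit reader standing in for FFmpeg's GetBitContext (not FFmpeg code). */
typedef struct { const uint8_t *buf; int size_in_bits; int index; } BitReader;
typedef struct { int object_type, sampling_index, chan_config; } AdtsInfo;
/* Constructed sample extradata: object type 2, sampling index 4, channel config 2. */
static const uint8_t sample_cfg[2] = { 0x12, 0x10 };
/* Returns -1 on a crafted bit size (negative or absurdly large) or a missing buffer
 * and leaves the reader empty, which is what an unchecked caller then parses. */
static int bitreader_init(BitReader *r, const uint8_t *buf, int bit_size)
{
    int bad = !buf || bit_size < 0 || bit_size > INT_MAX - 64;
    *r = (BitReader){ bad ? 0 : buf, bad ? 0 : bit_size, 0 };
    return bad ? -1 : 0;
}

/* Read n bits MSB-first; bits past the end read as 0 so the reader stays bounded. */
static unsigned bitreader_get(BitReader *r, int n)
{
    unsigned v = 0;
    for (; n > 0; n--, r->index++)
        v = (v << 1) | (r->index < r->size_in_bits
                        ? (r->buf[r->index >> 3] >> (7 - (r->index & 7))) & 1 : 0u);
    return v;
}
/* First three AudioSpecificConfig fields, as an extradata parser would read them. */
static void read_fields(BitReader *r, AdtsInfo *out)
{
    out->object_type    = bitreader_get(r, 5);
    out->sampling_index = bitreader_get(r, 4);
    out->chan_config    = bitreader_get(r, 4);
}

/* Pre-fix shape: init result ignored, fabricated zero fields reported as success. */
static int decode_extradata_unchecked(AdtsInfo *out, const uint8_t *buf, int size)
{
    BitReader r;
    bitreader_init(&r, buf, size * 8);
    read_fields(&r, out);
    return 0;
}

/* Post-fix shape: propagate the init error before touching the reader. */
static int decode_extradata_checked(AdtsInfo *out, const uint8_t *buf, int size)
{
    BitReader r;
    int ret = bitreader_init(&r, buf, size * 8);
    if (ret < 0) return ret;
    read_fields(&r, out);
    return 0;
}
```

With a crafted negative size the unchecked variant still returns success and hands back all-zero fields, while the checked variant returns the init error, which is the whole difference the patch makes.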