Bug 842267 (CVE-2022-1475)

Summary:	<media-video/ffmpeg-{4.2.7,4.4.2}: integer overflow vulnerability
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	media-video
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://trac.ffmpeg.org/ticket/9651
Whiteboard:	B3 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	848879, 876400
Bug Blocks:

Description John Helmert III archtester

2022-05-03 00:38:55 UTC

CVE-2022-1475:
https://bugzilla.redhat.com/show_bug.cgi?id=2076764

An integer overflow vulnerability was found in FFmpeg 5.0.1 and in previous versions in g729_parse() in llibavcodec/g729_parser.c when processing a specially crafted file.

Patch: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=757da974b21833529cc41bdcc9684c29660cdfa8

Comment 1 Larry the Git Cow gentoo-dev

2022-05-03 01:12:23 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb33595d7124b0e0ce9f569c2383dea5215203fc

commit bb33595d7124b0e0ce9f569c2383dea5215203fc
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-03 01:11:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-03 01:11:11 +0000

    media-video/ffmpeg: add 4.4.2
    
    Bug: https://bugs.gentoo.org/842267
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/ffmpeg/Manifest            |   2 +
 media-video/ffmpeg/ffmpeg-4.4.2.ebuild | 581 +++++++++++++++++++++++++++++++++
 2 files changed, 583 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2022-09-03 05:27:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31baf58256ca04e305510ce86df9f6d83948f853

commit 31baf58256ca04e305510ce86df9f6d83948f853
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-03 05:24:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-03 05:25:22 +0000

    media-video/ffmpeg: add 4.2.7
    
    Fixes a bunch of CVEs that we've had fixed in newer versions
    for a while, but until we can clean up 4.2.x, we may as well
    bump to the latest in that series...
    
    Bug: https://bugs.gentoo.org/842267
    Bug: https://bugs.gentoo.org/795696
    Bug: https://bugs.gentoo.org/781146
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/ffmpeg/Manifest                        |   1 +
 media-video/ffmpeg/ffmpeg-4.2.7.ebuild             | 556 +++++++++++++++++++++
 .../ffmpeg-4.2.7-libsdl2-new-version-scheme.patch  |  26 +
 3 files changed, 583 insertions(+)

Comment 3 John Helmert III archtester

2022-10-10 15:33:21 UTC

Oops, typo'd the bug number:

commit 411e3759c45ffb1060a5f00a6a50755862b2e80d
Author: John Helmert III <ajak@gentoo.org>
Date:   Mon Oct 10 10:26:17 2022 -0500

    media-video/ffmpeg: drop 4.2.4-r2

    Bug: https://bugs.gentoo.org/847267
    Bug: https://bugs.gentoo.org/795696
    Bug: https://bugs.gentoo.org/781146
    Signed-off-by: John Helmert III <ajak@gentoo.org>

Comment 4 Larry the Git Cow gentoo-dev

2023-12-23 11:07:38 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=054115a94fa38350f4468052ec239cbacb5b8e26

commit 054115a94fa38350f4468052ec239cbacb5b8e26
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-23 11:07:01 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-23 11:07:29 +0000

    [ GLSA 202312-14 ] FFmpeg: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/795696
    Bug: https://bugs.gentoo.org/842267
    Bug: https://bugs.gentoo.org/881523
    Bug: https://bugs.gentoo.org/903805
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-14.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)