Bug 881523 (CVE-2022-3964, CVE-2022-3965)

Summary: <media-video/ffmpeg-4.4.4-r6: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: media-video
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A4 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-16 17:04:51 UTC
CVE-2022-3964 (https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92f9b28ed84a77138105475beba16c146bdaf984):

A vulnerability classified as problematic has been found in ffmpeg. This affects an unknown part of the file libavcodec/rpzaenc.c of the component QuickTime RPZA Video Encoder. The manipulation of the argument y_size leads to out-of-bounds read. It is possible to initiate the attack remotely. The name of the patch is 92f9b28ed84a77138105475beba16c146bdaf984. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-213543.

CVE-2022-3965 (https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/13c13109759090b7f7182480d075e13b36ed8edd):

A vulnerability classified as problematic was found in ffmpeg. This vulnerability affects the function smc_encode_stream of the file libavcodec/smcenc.c of the component QuickTime Graphics Video Encoder. The manipulation of the argument y_size leads to out-of-bounds read. The attack can be initiated remotely. The name of the patch is 13c13109759090b7f7182480d075e13b36ed8edd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-213544.

Seems like the patches are not in any release.

Comment 1 Hans de Graaff gentoo-dev Security 2023-10-22 07:24:38 UTC
After a bit of spelunking in ffmpeg.git and the current releases I have determined that these fixes are present in all ffmpeg versions that are currently in the gentoo tree. I'm not sure when exactly this was backported to ffmpeg 4 so I'll just use the current versions to determine the "fixed" version.

Comment 2 Larry the Git Cow gentoo-dev 2023-12-23 11:07:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=054115a94fa38350f4468052ec239cbacb5b8e26

commit 054115a94fa38350f4468052ec239cbacb5b8e26
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-23 11:07:01 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-23 11:07:29 +0000

    [ GLSA 202312-14 ] FFmpeg: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/795696
    Bug: https://bugs.gentoo.org/842267
    Bug: https://bugs.gentoo.org/881523
    Bug: https://bugs.gentoo.org/903805
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-14.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)