Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 886497 (CVE-2022-3109)

Summary: <media-video/ffmpeg-5.1: null pointer dereference
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: jorge+git, media-video, pacho
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=2153551
Whiteboard: A3 [upstream/ebuild]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-17 21:30:57 UTC
CVE-2022-3109 (https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568):

An issue was discovered in the FFmpeg through 3.0. vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause the null pointer dereference, impacting confidentiality and availability.

Bit weird to refer to 3.0 when the issue was fixed in 5.1. Not sure
how a crash could affect confidentiality, either. Doesn't seem to have
been backported.
Comment 1 Pacho Ramos gentoo-dev 2023-05-02 13:59:40 UTC
Ubuntu should have backported patches:
https://ubuntu.com/security/notices/USN-5958-1

But I cannot locate them... I guess they are "closed" behind that ESM stuff? :S