Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 763315 (CVE-2020-35964, CVE-2020-35965) - <media-video/ffmpeg-4.3.2: Multiple vulnerabilities (CVE-2020-{35964,35965})
Summary: <media-video/ffmpeg-4.3.2: Multiple vulnerabilities (CVE-2020-{35964,35965})
Alias: CVE-2020-35964, CVE-2020-35965
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa+ cve]
Depends on: 772134
  Show dependency tree
Reported: 2021-01-03 19:53 UTC by Sam James
Modified: 2021-05-26 09:50 UTC (History)
3 users (show)

See Also:
Package list:
media-video/ffmpeg-4.3.2 media-sound/sndio-1.7.0-r1
Runtime testing required: ---
nattka: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-01-03 19:53:46 UTC
"track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bounds write because of incorrect extradata packing."
Comment 1 Sam James archtester gentoo-dev Security 2021-01-04 01:52:36 UTC
* CVE-2020-35965

"decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-bounds write because of an integer overflow when attempting to operate on data locations outside of an OpenEXR image."

Comment 2 Larry the Git Cow gentoo-dev 2021-02-22 07:25:01 UTC
The bug has been referenced in the following commit(s):

commit eea9d1778f1da14be9293fd1a85b20cdd1c9666c
Author:     Sam James <>
AuthorDate: 2021-02-22 05:35:25 +0000
Commit:     Sam James <>
CommitDate: 2021-02-22 07:23:51 +0000

    media-video/ffmpeg: (security) bump to 4.3.2
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <>

 media-video/ffmpeg/Manifest            |   1 +
 media-video/ffmpeg/ffmpeg-4.3.2.ebuild | 557 +++++++++++++++++++++++++++++++++
 2 files changed, 558 insertions(+)
Comment 3 NATTkA bot gentoo-dev 2021-02-22 07:33:49 UTC Comment hidden (obsolete)
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2021-02-25 08:54:45 UTC
ppc/ppc64/sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2021-02-26 08:09:33 UTC
x86 stable
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2021-02-26 08:48:57 UTC
amd64 stable
Comment 7 NATTkA bot gentoo-dev 2021-02-26 14:29:07 UTC Comment hidden (obsolete)
Comment 8 Sam James archtester gentoo-dev Security 2021-02-26 21:57:04 UTC
arm64 done
Comment 9 Sam James archtester gentoo-dev Security 2021-03-29 14:49:48 UTC
arm done

all arches done
Comment 10 Sam James archtester gentoo-dev Security 2021-03-29 15:27:37 UTC
Please cleanup.
Comment 11 Thomas Deutschmann gentoo-dev Security 2021-05-24 00:06:30 UTC
Added to an existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 09:50:47 UTC
This issue was resolved and addressed in
 GLSA 202105-24 at
by GLSA coordinator Thomas Deutschmann (whissi).