Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 763315 (CVE-2020-35964, CVE-2020-35965) - <media-video/ffmpeg-4.3.2: Multiple vulnerabilities (CVE-2020-{35964,35965})
Summary: <media-video/ffmpeg-4.3.2: Multiple vulnerabilities (CVE-2020-{35964,35965})
Alias: CVE-2020-35964, CVE-2020-35965
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [stable]
Keywords: CC-ARCHES
Depends on: 772134
  Show dependency tree
Reported: 2021-01-03 19:53 UTC by Sam James
Modified: 2021-02-26 14:33 UTC (History)
5 users (show)

See Also:
Package list:
media-video/ffmpeg-4.3.2 media-sound/sndio-1.7.0-r1
Runtime testing required: ---
nattka: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-01-03 19:53:46 UTC
"track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bounds write because of incorrect extradata packing."
Comment 1 Sam James archtester gentoo-dev Security 2021-01-04 01:52:36 UTC
* CVE-2020-35965

"decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-bounds write because of an integer overflow when attempting to operate on data locations outside of an OpenEXR image."

Comment 2 Larry the Git Cow gentoo-dev 2021-02-22 07:25:01 UTC
The bug has been referenced in the following commit(s):

commit eea9d1778f1da14be9293fd1a85b20cdd1c9666c
Author:     Sam James <>
AuthorDate: 2021-02-22 05:35:25 +0000
Commit:     Sam James <>
CommitDate: 2021-02-22 07:23:51 +0000

    media-video/ffmpeg: (security) bump to 4.3.2
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <>

 media-video/ffmpeg/Manifest            |   1 +
 media-video/ffmpeg/ffmpeg-4.3.2.ebuild | 557 +++++++++++++++++++++++++++++++++
 2 files changed, 558 insertions(+)
Comment 3 NATTkA bot gentoo-dev 2021-02-22 07:33:49 UTC Comment hidden (obsolete)
Comment 4 Sergei Trofimovich gentoo-dev 2021-02-25 08:54:45 UTC
ppc/ppc64/sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2021-02-26 08:09:33 UTC
x86 stable
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2021-02-26 08:48:57 UTC
amd64 stable
Comment 7 NATTkA bot gentoo-dev 2021-02-26 14:29:07 UTC Comment hidden (obsolete)