Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via or IRC
Bug 727450 (CVE-2020-13904, CVE-2020-14212) - <media-video/ffmpeg-4.2.4: Multiple vulnerabilities (CVE-2020-{13904,14212})
Summary: <media-video/ffmpeg-4.2.4: Multiple vulnerabilities (CVE-2020-{13904,14212})
Alias: CVE-2020-13904, CVE-2020-14212
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa+ cve]
Keywords: PullRequest
Depends on:
Blocks: CVE-2019-15942 CVE-2019-13312, CVE-2020-12284
  Show dependency tree
Reported: 2020-06-07 19:20 UTC by Sam James
Modified: 2020-07-28 19:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
nattka: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James gentoo-dev Security 2020-06-07 19:20:43 UTC
"FFmpeg 4.2.3 has a use-after-free via a crafted EXTINF duration in an m3u8 file because parse_playlist in libavformat/hls.c frees a pointer, and later that pointer is accessed in av_probe_input_format3 in /libavformat/format.c."

Comment 1 Sam James gentoo-dev Security 2020-06-16 23:11:30 UTC
* CVE-2020-14212

"FFmpeg through 4.3 has a heap-based buffer overflow in avio_get_str in libavformat/aviobuf.c because dnn_backend_native.c calls ff_dnn_load_model_native and a certain index check is omitted."

Comment 2 Sam James gentoo-dev Security 2020-07-12 02:27:04 UTC
We'll stabilise this shortly if no objections?
Comment 3 Sam James gentoo-dev Security 2020-07-16 13:00:49 UTC
arm64 stable
Comment 4 Sam James gentoo-dev Security 2020-07-17 00:47:14 UTC
arm stable
Comment 5 Sam James gentoo-dev Security 2020-07-17 03:21:03 UTC
ppc64 stable
Comment 6 Sam James gentoo-dev Security 2020-07-17 14:48:22 UTC
ppc stable
Comment 7 Sam James gentoo-dev Security 2020-07-18 00:30:35 UTC
x86 stable
Comment 8 Sam James gentoo-dev Security 2020-07-18 13:32:42 UTC
amd64 stable
Comment 9 Sam James gentoo-dev Security 2020-07-19 01:49:30 UTC
sparc stable. Please cleanup.
Comment 10 Larry the Git Cow gentoo-dev 2020-07-27 16:40:41 UTC
The bug has been referenced in the following commit(s):

commit 5aad0c4b02393043056f044fa39114bc1aa595ae
Author:     John Helmert III <>
AuthorDate: 2020-07-23 21:06:52 +0000
Commit:     Sam James <>
CommitDate: 2020-07-27 16:40:18 +0000

    media-video/ffmpeg: security cleanup (drop <4.2.4)
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: John Helmert III <>
    Signed-off-by: Sam James <>

 media-video/ffmpeg/Manifest                        |   2 -
 media-video/ffmpeg/ffmpeg-3.4.6-r1.ebuild          | 490 ------------------
 media-video/ffmpeg/ffmpeg-4.2.3.ebuild             | 556 ---------------------
 media-video/ffmpeg/files/chromium.patch            |  36 --
 ...mpeg-3.4.6-fix-building-against-fdk-aac-2.patch |  74 ---
 media-video/ffmpeg/metadata.xml                    |   1 -
 6 files changed, 1159 deletions(-)
Comment 11 Sam James gentoo-dev Security 2020-07-27 16:49:47 UTC
GLSA vote: yes, with bug 718012.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-07-28 19:43:20 UTC
This issue was resolved and addressed in
 GLSA 202007-58 at
by GLSA coordinator Sam James (sam_c).