Description: "track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bounds write because of incorrect extradata packing."
* CVE-2020-35965 Description: "decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-bounds write because of an integer overflow when attempting to operate on data locations outside of an OpenEXR image." Patch: https://github.com/FFmpeg/FFmpeg/commit/b0a8b40294ea212c1938348ff112ef1b9bf16bb3
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eea9d1778f1da14be9293fd1a85b20cdd1c9666c

commit eea9d1778f1da14be9293fd1a85b20cdd1c9666c
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-02-22 05:35:25 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-02-22 07:23:51 +0000

media-video/ffmpeg: (security) bump to 4.3.2

Bug: https://bugs.gentoo.org/763315
Package-Manager: Portage-3.0.14, Repoman-3.0.2
Signed-off-by: Sam James <sam@gentoo.org>

media-video/ffmpeg/Manifest | 1 +
media-video/ffmpeg/ffmpeg-4.3.2.ebuild | 557 +++++++++++++++++++++++++++++++++
2 files changed, 558 insertions(+)

Sanity check failed:
> media-video/ffmpeg-4.3.2
> depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> media-sound/sndio:=[abi_x86_32(-),abi_x86_64(-),abi_x86_x32(-)]
> depend amd64 stable profile default/linux/amd64/17.1 (12 total)
> media-sound/sndio:=[abi_x86_32(-),abi_x86_64(-)]
> depend amd64 stable profile default/linux/amd64/17.1/no-multilib (3 total)
> media-sound/sndio:=[abi_x86_64(-)]
> rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> media-sound/sndio:=[abi_x86_32(-),abi_x86_64(-),abi_x86_x32(-)]
> rdepend amd64 stable profile default/linux/amd64/17.1 (12 total)
> media-sound/sndio:=[abi_x86_32(-),abi_x86_64(-)]
> rdepend amd64 stable profile default/linux/amd64/17.1/no-multilib (3 total)
> media-sound/sndio:=[abi_x86_64(-)]
> depend arm stable profile default/linux/arm/17.0 (37 total)
> media-sound/sndio:=
> depend arm dev profile default/linux/arm/17.0/armv4 (37 total)
> media-sound/sndio:=
> rdepend arm stable profile default/linux/arm/17.0 (37 total)
> media-sound/sndio:=
> rdepend arm dev profile default/linux/arm/17.0/armv4 (37 total)
> media-sound/sndio:=
> depend x86 stable profile default/linux/x86/17.0 (11 total)
> media-sound/sndio:=[abi_x86_32(-)]
> rdepend x86 stable profile default/linux/x86/17.0 (11 total)
> media-sound/sndio:=[abi_x86_32(-)]
ppc/ppc64/sparc stable
x86 stable
amd64 stable
Unable to check for sanity:
> no match for package: media-sound/sndio-1.7.0
arm64 done
arm done
all arches done
Please cleanup.
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 202105-24 at https://security.gentoo.org/glsa/202105-24 by GLSA coordinator Thomas Deutschmann (whissi).