Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 795696 (CVE-2021-33815, CVE-2021-38171, CVE-2021-38291) - <media-video/ffmpeg-4.4.1: multiple vulnerabilities (CVE-2021-{33815,38171,38291})
Summary: <media-video/ffmpeg-4.4.1: multiple vulnerabilities (CVE-2021-{33815,38171,38...
Alias: CVE-2021-33815, CVE-2021-38171, CVE-2021-38291
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa? cleanup]
Depends on: 829389
  Show dependency tree
Reported: 2021-06-13 03:53 UTC by Sam James
Modified: 2021-12-20 20:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-13 03:53:39 UTC
"dwa_uncompress in libavcodec/exr.c in FFmpeg 4.4 allows an out-of-bounds array access because dc_count is not strictly checked."
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:21:47 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:29:56 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:37:54 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:46:01 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:01:58 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:10:17 UTC
Package list is empty or all packages have requested keywords.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-12 23:38:34 UTC

FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) suffers from a an assertion failure at src/libavutil/mathematics.c.

Unreleased patch:
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-26 02:02:48 UTC

adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.

Comment 9 Larry the Git Cow gentoo-dev 2021-10-26 04:35:52 UTC
The bug has been referenced in the following commit(s):

commit 22ec1c3c5fb7ee32bde1a8a0eed2b884884521bf
Author:     Sam James <>
AuthorDate: 2021-10-26 04:33:43 +0000
Commit:     Sam James <>
CommitDate: 2021-10-26 04:34:11 +0000

    media-video/ffmpeg: add 4.4.1
    Not yet verified if all the CVEs are fixed.
    Signed-off-by: Sam James <>

 media-video/ffmpeg/Manifest            |   1 +
 media-video/ffmpeg/ffmpeg-4.4.1.ebuild | 555 +++++++++++++++++++++++++++++++++
 2 files changed, 556 insertions(+)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-20 20:29:30 UTC
Please cleanup.