886497 – (CVE-2022-3109) <media-video/ffmpeg-5.1: null pointer dereference

Bug 886497 (CVE-2022-3109) - <media-video/ffmpeg-5.1: null pointer dereference

Summary: <media-video/ffmpeg-5.1: null pointer dereference

Status:	CONFIRMED

Alias:	CVE-2022-3109

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	A3 [upstream/ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2022-12-17 21:30 UTC by John Helmert III
Modified:	2023-05-04 13:19 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-12-17 21:30:57 UTC

CVE-2022-3109 (https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568):

An issue was discovered in the FFmpeg through 3.0. vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause the null pointer dereference, impacting confidentiality and availability.

Bit weird to refer to 3.0 when the issue was fixed in 5.1. Not sure
how a crash could affect confidentiality, either. Doesn't seem to have
been backported.

Comment 1 Pacho Ramos gentoo-dev

2023-05-02 13:59:40 UTC

Ubuntu should have backported patches:
https://ubuntu.com/security/notices/USN-5958-1

But I cannot locate them... I guess they are "closed" behind that ESM stuff? :S