Ubuntu alert USN-6449-2 (ffmpeg) [LWN.net]

admin 






From:
 
Nick Galanis <nick.galanis@canonical.com>




To:
 
ubuntu-security-announce@lists.ubuntu.com




Subject:
 
[USN-6449-2] FFmpeg regression




Date:
 
Wed, 15 Nov 2023 09:55:11 +0000




Message-ID:
 
<9a1bd2ee-844f-42aa-a8bb-12b55992987f@canonical.com>





==========================================================================

Ubuntu Security Notice USN-6449-2

November 15, 2023



ffmpeg regression

==========================================================================



A security issue affects these releases of Ubuntu and its derivatives:



– Ubuntu 22.04 LTS (Available with Ubuntu Pro)

– Ubuntu 20.04 LTS (Available with Ubuntu Pro)

– Ubuntu 18.04 LTS (Available with Ubuntu Pro)



Summary:



USN-6449-1 introduced a regression in FFmpeg



Software Description:

– ffmpeg: Tools for transcoding, streaming and playing of multimedia files



Details:



USN-6449-1 fixed vulnerabilities in FFmpeg. Unfortunately that update

could introduce a regression in tools using an FFmpeg library, like VLC.



This updated fixes the problem. We apologize for the inconvenience.



Original advisory details:



It was discovered that FFmpeg incorrectly managed memory resulting

in a memory leak. An attacker could possibly use this issue to cause

a denial of service via application crash. This issue only

affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-22038)



It was discovered that FFmpeg incorrectly handled certain input files,

leading to an integer overflow. An attacker could possibly use this issue

to cause a denial of service via application crash. This issue only

affected Ubuntu 20.04 LTS. (CVE-2020-20898, CVE-2021-38090,

CVE-2021-38091, CVE-2021-38092, CVE-2021-38093, CVE-2021-38094)



It was discovered that FFmpeg incorrectly managed memory, resulting in

a memory leak.  If a user or automated system were tricked into

processing a specially crafted input file, a remote attacker could

possibly use this issue to cause a denial of service, or execute

arbitrary code. (CVE-2022-48434)



Update instructions:



The problem can be corrected by updating your system to the following

package versions:



Ubuntu 22.04 LTS (Available with Ubuntu Pro):

   ffmpeg                          7:4.4.2-0ubuntu0.22.04.1+esm3

   libavcodec-extra                7:4.4.2-0ubuntu0.22.04.1+esm3

   libavcodec-extra58              7:4.4.2-0ubuntu0.22.04.1+esm3

   libavcodec58                    7:4.4.2-0ubuntu0.22.04.1+esm3

   libavdevice58                   7:4.4.2-0ubuntu0.22.04.1+esm3

   libavfilter-extra               7:4.4.2-0ubuntu0.22.04.1+esm3

   libavfilter-extra7              7:4.4.2-0ubuntu0.22.04.1+esm3

   libavfilter7                    7:4.4.2-0ubuntu0.22.04.1+esm3

   libavformat-extra               7:4.4.2-0ubuntu0.22.04.1+esm3

   libavformat-extra58             7:4.4.2-0ubuntu0.22.04.1+esm3

   libavformat58                   7:4.4.2-0ubuntu0.22.04.1+esm3

   libavutil56                     7:4.4.2-0ubuntu0.22.04.1+esm3

   libpostproc55                   7:4.4.2-0ubuntu0.22.04.1+esm3

   libswresample3                  7:4.4.2-0ubuntu0.22.04.1+esm3

   libswscale5                     7:4.4.2-0ubuntu0.22.04.1+esm3



Ubuntu 20.04 LTS (Available with Ubuntu Pro):

   ffmpeg                          7:4.2.7-0ubuntu0.1+esm4

   libavcodec-extra                7:4.2.7-0ubuntu0.1+esm4

   libavcodec-extra58              7:4.2.7-0ubuntu0.1+esm4

   libavcodec58                    7:4.2.7-0ubuntu0.1+esm4

   libavdevice58                   7:4.2.7-0ubuntu0.1+esm4

   libavfilter-extra               7:4.2.7-0ubuntu0.1+esm4

   libavfilter-extra7              7:4.2.7-0ubuntu0.1+esm4

   libavfilter7                    7:4.2.7-0ubuntu0.1+esm4

   libavformat58                   7:4.2.7-0ubuntu0.1+esm4

   libavresample4                  7:4.2.7-0ubuntu0.1+esm4

   libavutil-dev                   7:4.2.7-0ubuntu0.1+esm4

   libavutil56                     7:4.2.7-0ubuntu0.1+esm4

   libpostproc55                   7:4.2.7-0ubuntu0.1+esm4

   libswresample3                  7:4.2.7-0ubuntu0.1+esm4

   libswscale5                     7:4.2.7-0ubuntu0.1+esm4



Ubuntu 18.04 LTS (Available with Ubuntu Pro):

   ffmpeg                          7:3.4.11-0ubuntu0.1+esm4

   libavcodec-extra                7:3.4.11-0ubuntu0.1+esm4

   libavcodec-extra57              7:3.4.11-0ubuntu0.1+esm4

   libavcodec57                    7:3.4.11-0ubuntu0.1+esm4

   libavdevice-dev                 7:3.4.11-0ubuntu0.1+esm4

   libavdevice57                   7:3.4.11-0ubuntu0.1+esm4

   libavfilter-dev                 7:3.4.11-0ubuntu0.1+esm4

   libavfilter-extra               7:3.4.11-0ubuntu0.1+esm4

   libavfilter-extra6              7:3.4.11-0ubuntu0.1+esm4

   libavfilter6                    7:3.4.11-0ubuntu0.1+esm4

   libavformat57                   7:3.4.11-0ubuntu0.1+esm4

   libavresample3                  7:3.4.11-0ubuntu0.1+esm4

   libavutil-dev                   7:3.4.11-0ubuntu0.1+esm4

   libavutil55                     7:3.4.11-0ubuntu0.1+esm4

   libpostproc54                   7:3.4.11-0ubuntu0.1+esm4

   libswresample2                  7:3.4.11-0ubuntu0.1+esm4

   libswscale4                     7:3.4.11-0ubuntu0.1+esm4



In general, a standard system update will make all the necessary changes.



References:

   ubuntu.com/security/notices/USN-6449-2

   ubuntu.com/security/notices/USN-6449-1

   launchpad.net/bugs/2042743





           (Log in to post comments)
           


Read more here: Source link